
feat: Improve conversion of SARIF tags to OWASP secondary identifiers

Lucas Charles requested to merge more-flexible-owasp-metadata-handling into main

What does this MR do?

Previously the secondary identifiers derived from SARIF tags were generic by splitting their Type from Value, but OWASP identifiers may use a year-designation as well. To better support two separate OWASP categories we should introduce some dedicated handling for generating these identifiers.

Why is this needed?

The goal, as outlined in semgrep!196 (closed) is to update our OWASP secondary identifiers to better reflect the specificity of Top10 categories, which are scoped to the issuing year. The basic format is A{number}:{year} - {Title}.

As described in this comment, we currently split the SARIF Tags on colons to generate the identifier Type and Value.

Instead we can use a standard format with minimal manipulation and be backwards compatible with the existing regex.

Additionally, this MR includes a change to the Name to include both the ID and description since the description is often not enough in isolation to be helpful. For example, in the UI it currently looks like this:

(screenshot omitted: Screenshot_2023-02-28_at_15.45.53)
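One way the dedicated handling sketched above could look, written here as an added illustration for this page and not the MR's own code: an OWASP Top 10 tag in the A{number}:{year} - {Title} form keeps its year in the Value and gets a Name carrying both the ID and the description, while every other tag still falls back to the generic split on the first colon. The sample tag strings, the regex, and the Identifier field names are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Identifier is a simplified secondary identifier as it might appear in a SAST
// report. The field names are assumptions for this example, not the real schema.
type Identifier struct {
	Type  string
	Value string
	Name  string
}

// owaspTopTen matches the OWASP Top 10 category format "A{number}:{year} - {Title}",
// e.g. "A03:2021 - Injection". The year is optional so an older "A1 - Injection"
// style tag still matches. This regex is an assumption, not the analyzer's own.
var owaspTopTen = regexp.MustCompile(`^A(\d{1,2})(?::(\d{4}))?\s*-\s*(.+)$`)

// FromSARIFTag converts one SARIF rule tag into a secondary identifier.
// OWASP Top 10 tags get dedicated handling so the year-scoped ID survives;
// all other tags use the generic "Type:Value" split on the first colon.
func FromSARIFTag(tag string) (Identifier, bool) {
	tag = strings.TrimSpace(tag)
	if m := owaspTopTen.FindStringSubmatch(tag); m != nil {
		id := "A" + m[1]
		if m[2] != "" {
			id += ":" + m[2] // keep the year: A03:2021, not just A03
		}
		// Name carries both the ID and the description, as the MR proposes.
		return Identifier{Type: "owasp", Value: id, Name: id + " - " + strings.TrimSpace(m[3])}, true
	}
	// Generic path: "CWE:79" -> Type "cwe", Value "79". A tag without a
	// colon (or with an empty side) yields no identifier.
	typ, val, ok := strings.Cut(tag, ":")
	if !ok || typ == "" || val == "" {
		return Identifier{}, false
	}
	return Identifier{Type: strings.ToLower(typ), Value: val, Name: typ + "-" + val}, true
}

func main() {
	// Constructed sample tags; a naive colon split would turn the first one
	// into Type "A03" and Value "2021 - Injection".
	for _, tag := range []string{"A03:2021 - Injection", "A1 - Injection", "CWE:79", "security"} {
		id, ok := FromSARIFTag(tag)
		fmt.Printf("%-24q -> %+v (%v)\n", tag, id, ok)
	}
}
```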

Does this MR meet the acceptance criteria?

Edited by Vishwa Bhat
