fix: Suppress highFP rules by default
What does this MR do?
Fixes 2 recent regressions that re-enabled `eslint.detect-object-injection`:

- When we bumped the semgrep MAJOR version we incorrectly cleaned up the conditional that caused `eslint.detect-object-injection` to be re-included by default. The conditional should have defaulted to `true` instead of being removed.
- With the merge of pulling in eslint `sast-rules`, the removal logic broke since we deserialize from the raw semgrep rules. Previously this was `detect-object-injection` but now includes a trailing `-1`.

Simplest fix would be updating the mapping to include `-1`, however we should remove the rule entirely given the serialization can be messy and mutate the results, see !266 (comment 1391004186) and gitlab-org/security-products/sast-rules!150 (merged).
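To make the second regression concrete, here is an added illustration (not the analyzer's own code) of why a suppression list keyed on the exact rule id silently stops working once deserialization appends `-1`, and how matching on a normalized id catches both spellings. The rule JSON and the `detect-non-literal-regexp` entry are constructed sample input; `Rule`/`RuleSet` are a simplified stand-in for the real structs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Rule and RuleSet are a simplified stand-in (assumption) for the subset of a
// semgrep rule file the analyzer deserializes; only the id matters here.
type Rule struct {
	ID       string `json:"id"`
	Severity string `json:"severity"`
}

type RuleSet struct {
	Rules []Rule `json:"rules"`
}

// highFPRules lists rule ids that are suppressed by default because they
// produce a high rate of false positives.
var highFPRules = map[string]bool{
	"eslint.detect-object-injection": true,
}

// baseID strips a purely numeric "-N" suffix such as the trailing "-1" that
// appears after deserializing from the raw sast-rules files, so that
// "eslint.detect-object-injection-1" normalizes to "eslint.detect-object-injection".
func baseID(id string) string {
	i := strings.LastIndex(id, "-")
	if i < 0 || i == len(id)-1 {
		return id
	}
	for _, c := range id[i+1:] {
		if c < '0' || c > '9' {
			return id // suffix is not numeric, e.g. "object-injection"
		}
	}
	return id[:i]
}

// SuppressHighFP drops high-FP rules from rs. exact=true reproduces the
// regressed behaviour (equality on the raw id, which misses "...-1");
// exact=false compares the normalized id and removes both spellings.
func SuppressHighFP(rs RuleSet, exact bool) RuleSet {
	var kept []Rule
	for _, r := range rs.Rules {
		key := r.ID
		if !exact {
			key = baseID(r.ID)
		}
		if !highFPRules[key] {
			kept = append(kept, r)
		}
	}
	return RuleSet{Rules: kept}
}

// sampleRules is constructed sample input in the post-deserialization form.
const sampleRules = `{"rules":[
  {"id":"eslint.detect-object-injection-1","severity":"WARNING"},
  {"id":"eslint.detect-non-literal-regexp-1","severity":"WARNING"}]}`

func LoadRules(data string) (RuleSet, error) {
	var rs RuleSet
	err := json.Unmarshal([]byte(data), &rs)
	return rs, err
}

func RemainingIDs(rs RuleSet) []string {
	ids := make([]string, 0, len(rs.Rules))
	for _, r := range rs.Rules {
		ids = append(ids, r.ID)
	}
	return ids
}

func main() {
	rs, _ := LoadRules(sampleRules)
	fmt.Println("exact match keeps:     ", RemainingIDs(SuppressHighFP(rs, true)))
	fmt.Println("normalized match keeps:", RemainingIDs(SuppressHighFP(rs, false)))
}
```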
What are the relevant issue numbers?
Addresses gitlab-org/gitlab#411469 (closed)
Testing

Using https://gitlab.com/gitlab-gold/cmutua-security-group/typescript-fp.git

```shell
❯ docker run -it --rm -e SAST_EXPERIMENTAL_FEATURES=true -v $PWD:/tmp/app -w /tmp/app registry.gitlab.com/security-products/semgrep:4 /analyzer run
WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
[INFO] [Semgrep] [2023-05-15T17:05:27Z] ▶ GitLab Semgrep analyzer v4.2.1
[INFO] [Semgrep] [2023-05-15T17:05:27Z] ▶ Detecting project
[INFO] [Semgrep] [2023-05-15T17:05:27Z] ▶ Analyzer will attempt to analyze all projects in the repository
[INFO] [Semgrep] [2023-05-15T17:05:27Z] ▶ Running analyzer
[INFO] [Semgrep] [2023-05-15T17:05:33Z] ▶ Creating report
❯ cat gl-sast-report.json | jq '.vulnerabilities | first | .identifiers | first'
{
  "type": "semgrep_id",
  "name": "eslint.detect-object-injection",
  "value": "eslint.detect-object-injection",
  "url": "https://semgrep.dev/r/gitlab.eslint.detect-object-injection"
}
❯ docker run -it --rm -e SAST_EXPERIMENTAL_FEATURES=true -v $PWD:/tmp/app -w /tmp/app semgrep:resuppress-detect-object-injection /analyzer run
WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
[INFO] [Semgrep] [2023-05-15T17:04:56Z] ▶ GitLab Semgrep analyzer v4.2.1
[INFO] [Semgrep] [2023-05-15T17:04:56Z] ▶ Detecting project
[INFO] [Semgrep] [2023-05-15T17:04:56Z] ▶ Analyzer will attempt to analyze all projects in the repository
[INFO] [Semgrep] [2023-05-15T17:04:56Z] ▶ Running analyzer
[INFO] [Semgrep] [2023-05-15T17:05:02Z] ▶ Creating report
❯ cat gl-sast-report.json | jq '.vulnerabilities | first | .identifiers | first'
null
```
Does this MR meet the acceptance criteria?

- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer
Edited by Lucas Charles