Upgrade SAST rules 2.0.10
What does this MR do?
- Upgrade SAST Rules to v2.0.10
- Remove FP Reduction spec. This spec was used to test VET false-positive reduction; however, the rule VET would identify as an FP has been updated and no longer creates FPs. Therefore the spec and fixture are no longer used and have been removed as part of this MR. This leaves a testing gap that will be addressed in a follow-up MR. See !365 (comment 1746887068)
- Remove `qa/fixtures/csharp/dotnetcore-msbuild/ServiceA/ServiceA.cs` as it's no longer used to identify any vulnerabilities
BAP changes summary

```json
"Exposure of sensitive information to an unauthorized actor": {
  "SourceTotal": 9,
  "TargetTotal": 44,
  "Lang": "Go",
  "Project": "",
  "Severity": "Medium"
},
"Improper Authorization in Handler for Custom URL Scheme": {
  "SourceTotal": 74,
  "TargetTotal": 69,
  "Lang": "Python",
  "Project": "",
  "Severity": "Medium"
},
"Improper limitation of a pathname to a restricted directory ('Path Traversal')": {
  "SourceTotal": 1376,
  "TargetTotal": 832,
  "Lang": "Go",
  "Project": "",
  "Severity": "Medium"
},
"Improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting')": {
  "SourceTotal": 42,
  "TargetTotal": 51,
  "Lang": "Java",
  "Project": "",
  "Severity": "Critical"
},
"Improper neutralization of directives in dynamically evaluated code ('Eval Injection')": {
  "SourceTotal": 219,
  "TargetTotal": 200,
  "Lang": "JS/TS",
  "Project": "",
  "Severity": "Medium"
},
"Incorrect permission assignment for critical resource": {
  "SourceTotal": 294,
  "TargetTotal": 687,
  "Lang": "Go",
  "Project": "",
  "Severity": "Medium"
},
"Incorrect type conversion or cast": {
  "SourceTotal": 3,
  "TargetTotal": 7,
  "Lang": "Java",
  "Project": "",
  "Severity": "Medium"
},
"Weak password requirements": {
  "SourceTotal": 0,
  "TargetTotal": 7,
  "Lang": "C#",
  "Project": "",
  "Severity": "Medium"
},
```
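The BAP summary above is the evidence a reviewer has to go on before ticking "Security reports checked/validated by reviewer", and the interesting rows are the ones whose finding counts swung hard (Go path traversal dropping from 1376 to 832, Go permission assignment rising from 294 to 687, C# weak-password going from 0 to 7). The script below is an added example for this page, not code from the sast-rules project or from this MR: it parses the pasted fragment (assumed to be a JSON object body with a trailing comma and no enclosing braces, exactly as it appears in the description), computes the delta and before/after ratio for each rule, and ranks and flags the rules whose findings should be sampled by hand. The thresholds `min_abs` and `max_ratio` are illustrative assumptions, not project policy.

```python
"""Reviewer triage of the BAP changes summary from a SAST-rules upgrade MR.

Added example for this page; it is not code from the sast-rules project or
from this MR. The summary data is copied from the MR description; the
flagging thresholds are assumptions chosen for illustration.
"""
import json

# The BAP summary as pasted in the MR: an object fragment whose entries end
# with a trailing comma and which has no enclosing braces.
BAP_SUMMARY = """
"Exposure of sensitive information to an unauthorized actor": {"SourceTotal": 9, "TargetTotal": 44, "Lang": "Go", "Project": "", "Severity": "Medium"},
"Improper Authorization in Handler for Custom URL Scheme": {"SourceTotal": 74, "TargetTotal": 69, "Lang": "Python", "Project": "", "Severity": "Medium"},
"Improper limitation of a pathname to a restricted directory ('Path Traversal')": {"SourceTotal": 1376, "TargetTotal": 832, "Lang": "Go", "Project": "", "Severity": "Medium"},
"Improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting')": {"SourceTotal": 42, "TargetTotal": 51, "Lang": "Java", "Project": "", "Severity": "Critical"},
"Improper neutralization of directives in dynamically evaluated code ('Eval Injection')": {"SourceTotal": 219, "TargetTotal": 200, "Lang": "JS/TS", "Project": "", "Severity": "Medium"},
"Incorrect permission assignment for critical resource": {"SourceTotal": 294, "TargetTotal": 687, "Lang": "Go", "Project": "", "Severity": "Medium"},
"Incorrect type conversion or cast": {"SourceTotal": 3, "TargetTotal": 7, "Lang": "Java", "Project": "", "Severity": "Medium"},
"Weak password requirements": {"SourceTotal": 0, "TargetTotal": 7, "Lang": "C#", "Project": "", "Severity": "Medium"},
"""


def parse_bap_fragment(text: str) -> dict:
    """Parse the pasted fragment into a dict, tolerating the trailing comma."""
    body = text.strip().rstrip(",")
    return json.loads("{" + body + "}")


def triage(summary: dict, min_abs: int = 5, max_ratio: float = 1.5) -> list:
    """Rank rules by how much their finding count moved and flag the outliers.

    A rule is flagged when at least `min_abs` findings changed AND the count
    grew or shrank by more than `max_ratio`x (a jump from zero always counts).
    Both thresholds are assumptions for illustration, not project policy.
    """
    rows = []
    for name, rec in summary.items():
        src, tgt = rec["SourceTotal"], rec["TargetTotal"]
        delta = tgt - src
        if src == 0:
            ratio = float("inf") if tgt else 1.0
        else:
            ratio = tgt / src
        flagged = abs(delta) >= min_abs and (ratio >= max_ratio or ratio <= 1 / max_ratio)
        rows.append({
            "rule": name, "lang": rec["Lang"], "severity": rec["Severity"],
            "source": src, "target": tgt, "delta": delta, "ratio": ratio,
            "flagged": flagged,
        })
    # Largest absolute swing first; stable sort keeps ties in input order.
    rows.sort(key=lambda r: abs(r["delta"]), reverse=True)
    return rows


def flagged_rules(summary: dict) -> list:
    """Names of the rules a reviewer should sample findings from, biggest swing first."""
    return [r["rule"] for r in triage(summary) if r["flagged"]]


if __name__ == "__main__":
    for r in triage(parse_bap_fragment(BAP_SUMMARY)):
        mark = "CHECK" if r["flagged"] else "  ok "
        print(f"{mark} {r['delta']:+6d} ({r['source']}->{r['target']}) "
              f"[{r['lang']}/{r['severity']}] {r['rule']}")
```

With the defaults, four rules come out flagged: the Go path-traversal rule (-544), the Go permission-assignment rule (+393), the Go sensitive-information rule (+35) and the C# weak-password rule (0 to 7). The Python custom-URL-scheme and JS/TS eval-injection rows move by a handful of findings but stay within the ratio band, so they are ranked but not flagged. A large drop is worth sampling as carefully as a large rise: fewer findings is only good news if the removed ones were false positives.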
What are the relevant issue numbers?
NA
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests updated/added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer
Edited by Craig Smith