Monthly dependency updates for 16.10
What does this MR do?
- upgrade Semgrep version [1.56.0 => 1.61.1]
- upgrade gitlab.com/gitlab-org/security-products/analyzers/ruleset/v2 version [v2.0.6 => v2.0.7]
CHANGELOG is generated by SASTBot.
This MR replaces !372 (closed) because that MR didn't include the latest semgrep and BAP wasn't running.
BAP changes
BAP failed as part of this semgrep upgrade, meaning the upgrade has caused a change in the number of vulnerabilities found.
All vulnerabilities with different counts (Project was empty for every entry):

| Vulnerability | SourceTotal | TargetTotal | Lang | Severity |
|---|---|---|---|---|
| Easily misused function may lead to buffer overflows | 29 | 31 | C | Info |
| Function does not check for buffer overflows when copying | 5191 | 5194 | C | Info |
| Function does not handle null terminated strings properly | 3399 | 3407 | C | Info |
| Insecure function unable to limit / check buffer sizes | 292 | 295 | C | Critical |
| Possible use of untrusted environment variable | 372 | 371 | C | Medium |
| Potential format string vulnerability | 542 | 650 | C | Critical |
| Potential time of check time of use vulnerability (readlink) | 11 | 10 | C | Critical |
The most noticeable change is in "Potential format string vulnerability" (SourceTotal 542, TargetTotal 650, Severity Critical, Lang C), which looks to be https://gitlab.com/gitlab-org/security-products/sast-rules/-/blob/fd89824d784b3f91758b658f93e7ce404b1c6983/c/format/rule-fprintf-vfprintf.yml

This change occurred in https://github.com/semgrep/semgrep/releases/tag/v1.60.0
Example of a finding that is no longer detected:

```
"Potential format string vulnerability"
{"RepoPath"=>"https://github.com/git/git.git/refs/files-backend.c",
 "Filename"=>"refs/files-backend.c",
 "LineStart"=>3079,
 "LineEnd"=>0,
 "Value"=>"Potential format string vulnerability",
 "Type"=>"Potential format string vulnerability",
 "RuleID"=>
  "flawfinder.fprintf-1.vfprintf-1._ftprintf-1._vftprintf-1.fwprintf-1.fvwprintf-1::refs/files-backend.c:3079",
 "Snippet"=>"",
 "ID"=>
  "flawfinder.fprintf-1.vfprintf-1._ftprintf-1._vftprintf-1.fwprintf-1.fvwprintf-1::refs/files-backend.c:3079",
 "Severity"=>"Critical",
 "Source"=>false,
 "Target"=>true}
```
Source file: https://github.com/git/git/blob/3e0d3cd5c7def4808247caf168e17f2bbf47892b/refs/files-backend.c#L3079

Previously flagged line of code:

```c
fprintf(cb->newlog, "%s %s %s %"PRItime" %+05d\t%s", oid_to_hex(ooid),
```
Note: VR reviewed this issue and has deemed it not to be a problem: !374 (comment 1778291628). Because of this, BAP has been disabled for the latest CI build.
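As an added illustration (not code from this MR, from git, or from the rule), the call shape that was flagged at the line above, beside the shape the fprintf format-string rule is designed to catch; `timestamp_t` and `PRItime` are assumed here to mirror git's definitions, and the tmpfile-based helper exists only so the output can be checked without touching the repository:

```c
#include <inttypes.h>
#include <stdio.h>
#include <string.h>

/* Assumption: git defines timestamp_t/PRItime along these lines; they are
 * reproduced only so the format string matches the one the rule flagged. */
typedef int64_t timestamp_t;
#define PRItime PRId64

/* The flagged shape: the format argument is a string literal (PRItime is
 * pasted in by the preprocessor, so "%"PRItime" " is still one literal) and
 * every '%' directive is bound to a fixed argument. A '%' inside msg is
 * printed verbatim through %s and never interpreted as a directive.
 * Returns the byte count fprintf reports. */
int write_reflog_line(FILE *out, const char *old_oid, const char *new_oid,
                      const char *ident, timestamp_t t, int tz,
                      const char *msg)
{
    return fprintf(out, "%s %s %s %"PRItime" %+05d\t%s\n",
                   old_oid, new_oid, ident, t, tz, msg);
}

/* The shape the rule is meant to catch is the opposite one, where text from
 * outside the program is itself the format:
 *
 *     fprintf(out, msg);      // "%s" or "%n" inside msg would be interpreted
 *
 * The fix keeps the format a literal and passes the text as an argument: */
int write_message(FILE *out, const char *msg)
{
    return fprintf(out, "%s\n", msg);
}

/* Test helper: renders one reflog line into buf via a temporary file.
 * Returns the number of bytes captured, or -1 on error / if buf is too small. */
int render_reflog_line(char *buf, size_t len, const char *old_oid,
                       const char *new_oid, const char *ident, timestamp_t t,
                       int tz, const char *msg)
{
    FILE *f = tmpfile();
    if (!f)
        return -1;
    int n = write_reflog_line(f, old_oid, new_oid, ident, t, tz, msg);
    if (n < 0 || (size_t)n >= len) {
        fclose(f);
        return -1;
    }
    rewind(f);
    size_t got = fread(buf, 1, (size_t)n, f);
    fclose(f);
    buf[got] = '\0';
    return (int)got;
}
```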
What are the relevant issue numbers?
Does this MR meet the acceptance criteria?

- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer