Draft: Copy all sast-rules files into final image
What does this MR do?
This MR changes the series of cp dist/ONE-SPECIFIC-FILE /rules invocations into a single cp -r.
This corrects a problem where some rules that have been added to sast-rules
were not being added to the analyzer, and hence not scanned.
By inspecting the code I realized that the cp calls omitted:
- gitlab/gitlab_ee_java.yml
- lgpl-cc/gitlab_lgpl_cc_java.yml
- lgpl-cc/gitlab_lgpl_cc_javascript.yml
- lgpl-cc/gitlab_lgpl_cc_python.yml
The analyzer image has:
% docker run --rm -it registry.gitlab.com/security-products/semgrep:5 sh
/ # ls -1 /rules
bandit.yml
brakeman.yml
eslint.yml
find_sec_bugs.yml
find_sec_bugs_kotlin.yml
find_sec_bugs_scala.yml
flawfinder.yml
gosec.yml
mobsf.yml
nodejs_scan.yml
phpcs_security_audit.yml
security_code_scan.yml
What are the relevant issue numbers?
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests updated/added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer
Edited by Connor Gilbert
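The failure mode this MR fixes (a hand-maintained list of cp calls that silently drops any rule file added later) and the check that would have caught it, as an added example that is not code from the MR, the semgrep analyzer or the sast-rules project. It builds a throwaway dist/ tree of constructed placeholder rule files (names taken from the MR's list and the ls output above, contents invented), mirrors both copy strategies, and lists every dist file absent from the destination; the hand-listed file set in copy_listed is a stand-in for the Dockerfile's cp series, not its actual content.

```shell
#!/bin/sh
# Added example, not from the MR or the sast-rules project.
set -eu

# Constructed dist/ tree: placeholder rule files mirroring the layout the MR describes.
make_dist() {
  dist="$1"
  mkdir -p "$dist/gitlab" "$dist/lgpl-cc"
  for f in bandit.yml brakeman.yml eslint.yml find_sec_bugs.yml \
           gitlab/gitlab_ee_java.yml \
           lgpl-cc/gitlab_lgpl_cc_java.yml \
           lgpl-cc/gitlab_lgpl_cc_javascript.yml \
           lgpl-cc/gitlab_lgpl_cc_python.yml; do
    printf 'rules: []\n' > "$dist/$f"   # invented file contents
  done
}

# Old strategy: one cp per hand-listed file (stand-in list, not the real Dockerfile).
# Any rule file not in the list never reaches the image and is never scanned with.
copy_listed() {
  dist="$1"; rules="$2"
  mkdir -p "$rules"
  for f in bandit.yml brakeman.yml eslint.yml find_sec_bugs.yml; do
    cp "$dist/$f" "$rules/"
  done
}

# New strategy: copy the whole tree. "$dist/." copies dist's contents, including
# subdirectories, into $rules rather than creating $rules/dist.
copy_all() {
  dist="$1"; rules="$2"
  mkdir -p "$rules"
  cp -r "$dist/." "$rules/"
}

# Check: print every .yml under dist that is missing from rules (paths relative
# to dist). Returns 0 when nothing is missing, 1 otherwise, so it can gate a build.
missing_rules() {
  dist="$1"; rules="$2"; n=0
  for f in $(cd "$dist" && find . -type f -name '*.yml' | sort); do
    if [ ! -f "$rules/$f" ]; then
      echo "${f#./}"
      n=$((n + 1))
    fi
  done
  [ "$n" -eq 0 ]
}

# Demo run in a temporary directory, removed afterwards.
tmp=$(mktemp -d)
make_dist "$tmp/dist"
copy_listed "$tmp/dist" "$tmp/rules-listed"
echo "Files omitted by the per-file cp calls:"
missing_rules "$tmp/dist" "$tmp/rules-listed" || true
copy_all "$tmp/dist" "$tmp/rules-all"
missing_rules "$tmp/dist" "$tmp/rules-all" && echo "cp -r: nothing missing"
rm -rf "$tmp"
```

Running missing_rules against the built image's /rules in CI (for example with the dist tree mounted alongside) turns a silently shrinking rule set into a failing job, which is the regression the per-file cp calls could not catch.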