Synchronize new upstream rules in the ruleset (!112) · Merge requests · GitLab.org / security-products / sast-rules

What this MR does?

As a part of the Upstream Rule Synchronization process, this MR adds the below new rules from the upstream source that are missing in our current ruleset.

New rules added:

ESLint
- security/detect-new-buffer
FindSecBugs
- Spring CSRF protection disabled (SPRING_CSRF_PROTECTION_DISABLED)
- Potential SQL Injection (SQL_INJECTION)
- Potential SQL Injection with Turbine (SQL_INJECTION_TURBINE)
- Potential SQL/HQL Injection (Hibernate) (SQL_INJECTION_HIBERNATE)
- Potential SQL Injection with Vert.x Sql Client (SQL_INJECTION_VERTX)
- XSS_REQUEST_PARAMETER_TO_SEND_ERROR
- SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
GoSec
- G111: Potential directory traversal
- G112: Potential slowloris attack
- G113: Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772)
- G114: Use of net/http serve function that has no support for setting timeouts
Bandit
- B113: request_without_timeout
- B202: tarfile_unsafe_members
- B508: snmp_insecure_version
- B509: snmp_weak_cryptography
- B612: logging_config_insecure_listen
- B415: import_pyghmi

Relevant Issue Numbers

Update converted SAST analyzers with new rules ... (gitlab-org/gitlab#373117 - closed)

/cc @gitlab-org/secure/vulnerability-research

Edited Jan 25, 2023 by Julian Thome

Synchronize new upstream rules in the ruleset

What this MR does?

Relevant Issue Numbers

Merge request reports