
Singular flawfinder rules should include -1

What does this MR do?

While updating semgrep to use sast-rules as the SSoT for flawfinder, I noticed the primary identifiers were not the same between semgrep and sast-rules.

In semgrep the flawfinder rules primary identifiers included a -1 for all singular rules. This was not the case in sast-rules.

For example, the rule ID flawfinder.AddAccessAllowedAce-1:

The primary identifiers published in semgrep must be preserved so that vulnerability findings in the monolith are not lost and recreated.

This MR updates the deploy script to remove the -1 from all rulesets other than flawfinder.

To fully illustrate this I've created two MRs in semgrep, each using different versions of the flawfinder rule pack.

MR1 uses current flawfinder rulepack. By looking at the diff you can see that flawfinder primary identifiers need to be updated in the expected JSON for the tests to pass.

MR2 uses the flawfinder rulepack in this MR. By looking at the diff you can see that flawfinder primary identifiers have not been updated in the expected JSON and the tests pass.
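To make the identifier rule concrete, here is an added example (not the sast-rules deploy script itself) that applies the same rewrite, dropping the -1 from singular rules in every ruleset except flawfinder, and then reports which already-published identifiers a deploy would fail to reproduce. The rule-id format, the second ruleset name (`otherpack`) and the sample identifier lists are assumptions constructed for the example.

```python
import re
from typing import Iterable

# Assumed rule-id shape: "<ruleset>.<name>[-<n>]", where "-<n>" numbers rules that
# share a name. A singular rule carries "-1" in the ids semgrep published.
RULE_ID_RE = re.compile(r"^(?P<ruleset>[^.]+)\.(?P<name>.+?)(?:-(?P<index>\d+))?$")

# Rulesets whose published identifiers already include the "-1" and must keep it.
KEEP_SUFFIX_FOR = frozenset({"flawfinder"})


def deploy_identifier(rule_id: str) -> str:
    """Return the primary identifier the deploy step would publish for rule_id.

    The trailing "-1" of a singular rule is removed for every ruleset except
    those in KEEP_SUFFIX_FOR; other indices ("-2", ...) are never touched.
    """
    m = RULE_ID_RE.match(rule_id)
    if not m:
        raise ValueError(f"unexpected rule id: {rule_id!r}")
    if m.group("index") == "1" and m.group("ruleset") not in KEEP_SUFFIX_FOR:
        return f"{m.group('ruleset')}.{m.group('name')}"
    return rule_id


def lost_identifiers(published: Iterable[str], rule_ids: Iterable[str]) -> list[str]:
    """Identifiers semgrep already published that a deploy of rule_ids would not
    reproduce. Each entry is a finding that would be closed and recreated under
    a new identifier, which is exactly what the change above is meant to avoid."""
    produced = {deploy_identifier(r) for r in rule_ids}
    return sorted(set(published) - produced)


# Constructed sample data (not taken from semgrep or sast-rules).
SEMGREP_PUBLISHED = ["flawfinder.AddAccessAllowedAce-1", "otherpack.some_rule"]
SAST_RULE_IDS = ["flawfinder.AddAccessAllowedAce-1", "otherpack.some_rule-1"]


def check() -> list[str]:
    """Run the comparison over the constructed sample; an empty list means
    every published identifier survives the deploy unchanged."""
    return lost_identifiers(SEMGREP_PUBLISHED, SAST_RULE_IDS)


if __name__ == "__main__":
    print(check())  # prints [] for the sample above
```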

What are the related issues?

Edited by Craig Smith
