Singular gosec rules should include -1
What does this MR do?
While updating semgrep to use sast-rules as the SSoT for gosec, I noticed the primary identifiers were not the same between semgrep and sast-rules. In semgrep, the gosec rules' primary identifiers included a -1 for all singular rules. This was not the case in sast-rules.
For example, for the rule ID gosec.G102-1:

- The sast-rules primary identifier is gosec.G102: https://gitlab.com/gitlab-org/security-products/sast-rules/-/blob/db26bdfebe73cfac770fc1e4e17226ed77219da6/dist/gosec.yml#L1855
- The semgrep primary identifier is gosec.G102-1: https://gitlab.com/gitlab-org/security-products/analyzers/semgrep/-/blob/922164cc729fe4540d34b66e8332c96961ec1ed3/rules/gosec.yml#L707
The primary identifiers published in semgrep must be preserved so that vulnerability findings in the monolith are not lost and recreated.
This MR updates the deploy script to remove the -1 from all rulesets other than gosec.
To fully illustrate this, I've created two MRs in semgrep, each using a different version of the gosec rule pack.

MR1 uses the current gosec rulepack. By looking at the diff you can see that the gosec primary identifiers need to be updated in the expected JSON for the tests to pass.

MR2 uses the gosec rulepack from this MR. By looking at the diff you can see that the gosec primary identifiers have not been updated in the expected JSON and the tests pass.
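The following is an added illustration of the identifier-preservation check described above; it is not the sast-rules deploy script or any code from this MR. It assumes that the raw rule IDs fed to the deploy step carry a -1 suffix for every rule (as the semgrep rules do), that a rule is "singular" when no sibling with the same base and a different number exists in the pack, and that gosec is the only ruleset that keeps the suffix. The ID lists are constructed for the example; the real packs are much larger.

```python
"""Normalise sast-rules primary identifiers and check none published by semgrep is lost.

Added example, not the project's deploy script. Rule IDs below are constructed.
"""
from __future__ import annotations

import re
from typing import Iterable

# Rulesets whose singular rules keep the "-1" suffix because that is the
# identifier the semgrep analyzer has already published (the point of the MR).
KEEP_SINGULAR_SUFFIX = frozenset({"gosec"})

# "<ruleset>.<base>-<n>"; IDs without a numeric suffix do not match.
_NUMBERED_ID = re.compile(r"^(?P<ruleset>[^.]+)\.(?P<base>.+)-(?P<n>\d+)$")

# Constructed: identifiers as currently published by the semgrep analyzer.
PUBLISHED_SEMGREP_IDS = [
    "gosec.G102-1",
    "gosec.G104-1",
    "gosec.G104-2",
    "bandit.B101",
    "find_sec_bugs.PREDICTABLE_RANDOM",
]

# Constructed: raw IDs in the rule sources before the deploy step (assumed to
# always carry a numeric suffix).
RAW_SAST_RULES = [
    "gosec.G102-1",
    "gosec.G104-1",
    "gosec.G104-2",
    "bandit.B101-1",
    "find_sec_bugs.PREDICTABLE_RANDOM-1",
]


def normalise_ids(
    rule_ids: Iterable[str],
    keep_suffix_for: frozenset[str] = KEEP_SINGULAR_SUFFIX,
) -> dict[str, str]:
    """Map each raw rule ID to the primary identifier it is published under.

    "<ruleset>.<base>-1" is singular when the pack has no "<ruleset>.<base>-N"
    with N != 1. Singular IDs lose the "-1" unless the ruleset is listed in
    keep_suffix_for; multi-part rules always keep their number.
    """
    ids = list(rule_ids)
    siblings: dict[tuple[str, str], set[int]] = {}
    for rid in ids:
        m = _NUMBERED_ID.match(rid)
        if m:
            siblings.setdefault((m["ruleset"], m["base"]), set()).add(int(m["n"]))

    published: dict[str, str] = {}
    for rid in ids:
        m = _NUMBERED_ID.match(rid)
        if m is None:
            published[rid] = rid  # no numeric suffix, nothing to strip
            continue
        key = (m["ruleset"], m["base"])
        singular = siblings[key] == {1}
        if singular and m["ruleset"] not in keep_suffix_for:
            published[rid] = f"{m['ruleset']}.{m['base']}"
        else:
            published[rid] = rid
    return published


def lost_identifiers(published: Iterable[str], candidate: Iterable[str]) -> set[str]:
    """Published IDs absent from the candidate pack.

    Findings stored under these IDs would be closed and recreated under a new
    identifier, which is exactly what the deploy step must avoid.
    """
    return set(published) - set(candidate)


if __name__ == "__main__":
    after = normalise_ids(RAW_SAST_RULES)
    before = normalise_ids(RAW_SAST_RULES, keep_suffix_for=frozenset())
    print("with gosec exception, lost:", lost_identifiers(PUBLISHED_SEMGREP_IDS, after.values()))
    print("without exception, lost:  ", lost_identifiers(PUBLISHED_SEMGREP_IDS, before.values()))
```

With the gosec exception in place nothing is lost; without it, gosec.G102-1 is renamed to gosec.G102 and its findings would be recreated, while gosec.G104-1 survives only because it has a -2 sibling and so is not singular.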