Include -1 in primary ID for find sec bugs and security code scan
What does this MR do?
While updating semgrep to use sast-rules as the SSoT, I noticed the primary identifiers were not the same between semgrep and sast-rules. In semgrep, the find_sec_bugs and security_code_scan rules' primary identifiers included a -1 for all singular rules. This was not the case in sast-rules.
For example, for the find_sec_bugs rule ID `find_sec_bugs.HTTPONLY_COOKIE-1`:

- The sast-rules primary identifier is `find_sec_bugs.HTTPONLY_COOKIE` (https://gitlab.com/gitlab-org/security-products/sast-rules/-/blob/bfb90e333b7eae4c88d3967e1ddf4fec230e211b/dist/find_sec_bugs.yml#L33)
- The semgrep primary identifier is `find_sec_bugs.HTTPONLY_COOKIE-1` (https://gitlab.com/gitlab-org/security-products/analyzers/semgrep/-/blob/74ad0c053900fce43dccd8bdf158ed1399aca024/rules/find_sec_bugs.yml#L33)

And for the security_code_scan rule ID `security_code_scan.SCS0001-1`:

- The sast-rules primary identifier is `security_code_scan.SCS0001` (https://gitlab.com/gitlab-org/security-products/sast-rules/-/blob/bfb90e333b7eae4c88d3967e1ddf4fec230e211b/dist/security_code_scan.yml#L715)
- The semgrep primary identifier is `security_code_scan.SCS0001-1` (https://gitlab.com/gitlab-org/security-products/analyzers/semgrep/-/blob/74ad0c053900fce43dccd8bdf158ed1399aca024/rules/security_code_scan.yml#L365)
The primary identifiers published in semgrep must be preserved so that vulnerability findings in the monolith are not lost and recreated. This MR updates the deploy script to include the -1 for both find_sec_bugs and security_code_scan.
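The identifier rewrite described above, together with the pre-deploy check a maintainer would want (refuse to publish if any currently published primary identifier would disappear), as an added example. This is not the semgrep analyzer's own deploy script. It assumes a semgrep rule keeps its primary identifier under `metadata.primary_identifier` (an assumption about the rule layout); the sample rules and the published-identifier set are constructed here, and `find_sec_bugs.EXAMPLE_MULTI-2` and `other_analyzer.EXAMPLE` are hypothetical names used only to show the two cases the suffix logic must leave alone.

```python
"""Keep semgrep primary identifiers stable when regenerating rules from sast-rules.

Added example, not the semgrep analyzer's deploy script. Assumes each rule
carries its primary identifier under metadata.primary_identifier, and that the
two analyzers named in the MR (find_sec_bugs, security_code_scan) publish a
"-1" suffix on every singular rule.
"""
import re

# Analyzers whose published identifiers carry a "-1" suffix on singular rules.
SUFFIXED_ANALYZERS = frozenset({"find_sec_bugs", "security_code_scan"})

# Matches an identifier that already ends in a numeric variant suffix ("-1", "-2", ...).
_VARIANT_SUFFIX = re.compile(r"-\d+$")


def analyzer_of(identifier: str) -> str:
    """Return the analyzer prefix, e.g. 'find_sec_bugs.X' -> 'find_sec_bugs'."""
    return identifier.split(".", 1)[0]


def published_identifier(identifier: str) -> str:
    """Map a sast-rules primary identifier to the form semgrep publishes.

    For find_sec_bugs and security_code_scan, singular rules gain a "-1" suffix.
    Identifiers that already carry a "-<n>" variant suffix are left untouched, and
    identifiers of any other analyzer are returned unchanged.
    """
    if analyzer_of(identifier) not in SUFFIXED_ANALYZERS:
        return identifier
    if _VARIANT_SUFFIX.search(identifier):
        return identifier
    return identifier + "-1"


def apply_suffix(rules: list) -> list:
    """Return copies of the rules with their primary identifiers rewritten for publication."""
    rewritten = []
    for rule in rules:
        meta = dict(rule.get("metadata", {}))
        meta["primary_identifier"] = published_identifier(meta["primary_identifier"])
        rewritten.append({**rule, "metadata": meta})
    return rewritten


def identifiers_lost(published: set, candidate: set) -> set:
    """Primary identifiers present in the published rules but absent from the candidate.

    Each identifier in this set would cause existing findings to be resolved and
    recreated under a new identifier, so a deploy should stop while it is non-empty.
    """
    return published - candidate


# Constructed sample rules in the sast-rules form (the first two identifiers are
# the ones quoted in the MR description; the last two are hypothetical).
SAST_RULES = [
    {"id": "find_sec_bugs.HTTPONLY_COOKIE-1",
     "metadata": {"primary_identifier": "find_sec_bugs.HTTPONLY_COOKIE"}},
    {"id": "security_code_scan.SCS0001-1",
     "metadata": {"primary_identifier": "security_code_scan.SCS0001"}},
    # Hypothetical multi-variant rule that already carries a suffix: must not get "-1-1".
    {"id": "find_sec_bugs.EXAMPLE_MULTI-2",
     "metadata": {"primary_identifier": "find_sec_bugs.EXAMPLE_MULTI-2"}},
    # Hypothetical analyzer outside the two named in the MR: must be left unchanged.
    {"id": "other_analyzer.EXAMPLE",
     "metadata": {"primary_identifier": "other_analyzer.EXAMPLE"}},
]

# Constructed set of primary identifiers as currently published by the semgrep analyzer.
PUBLISHED = {
    "find_sec_bugs.HTTPONLY_COOKIE-1",
    "security_code_scan.SCS0001-1",
    "find_sec_bugs.EXAMPLE_MULTI-2",
    "other_analyzer.EXAMPLE",
}


def check_deploy(rules: list, published: set) -> set:
    """Rewrite identifiers as the deploy step would and report any that would be lost."""
    candidate = {r["metadata"]["primary_identifier"] for r in apply_suffix(rules)}
    return identifiers_lost(published, candidate)


if __name__ == "__main__":
    # Without the rewrite, the two singular identifiers from the MR would disappear.
    raw = {r["metadata"]["primary_identifier"] for r in SAST_RULES}
    print("lost without -1 suffix:", sorted(identifiers_lost(PUBLISHED, raw)))
    # With the rewrite, nothing is lost and the deploy may proceed.
    print("lost with -1 suffix:", sorted(check_deploy(SAST_RULES, PUBLISHED)))
```

Running the block prints the two identifiers that would vanish without the suffix and an empty list once it is applied; wiring `check_deploy` into the deploy step as a hard failure turns the identifier drift the MR describes into a build error instead of a silent churn of findings.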
Related Issues?
Edited by Craig Smith