Draft: Add missing -1 to bandit rules
What does this MR do?
While updating semgrep to use sast-rules as the SSoT for bandit, I noticed the primary identifiers were not the same between semgrep and sast-rules.
In semgrep, the bandit rules' primary identifiers included a `-1` for all singular rules. This was not the case in sast-rules.
For example, for the rule ID `bandit.B301-1`:

- The sast-rules primary identifier is `bandit.B301`: https://gitlab.com/gitlab-org/security-products/sast-rules/-/blob/4b128e4284c59112072340af6271830ad831d7f3/dist/bandit.yml#L517
- The semgrep primary identifier is `bandit.B301-1`: https://gitlab.com/gitlab-org/security-products/analyzers/semgrep/-/blob/74ad0c053900fce43dccd8bdf158ed1399aca024/rules/bandit.yml#L548
The primary identifiers published in semgrep must be preserved so that vulnerability findings in the monolith are not lost and recreated.
This MR updates the deploy script to remove the `-1` from all rulesets other than bandit.
To fully illustrate this, I've created two MRs in semgrep, each using a different version of the bandit rule pack.
MR1 uses the current bandit rule pack. By looking at the diff you can see that the bandit primary identifiers need to be updated in the expected JSON for the tests to pass.
MR2 uses the bandit rule pack from this MR. By looking at the diff you can see that the bandit primary identifiers have not been updated in the expected JSON, and the tests pass.
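The identifier rewrite described above, together with the check a reviewer would want before merging (that no identifier already published in semgrep disappears from the new pack), as an added Python example. This is not the sast-rules deploy script or any code from the MR; the rule packs below are constructed sample data (only `bandit.B301-1` is taken from the MR), and the way a "singular rule" is detected (a `-1` suffix with no `-2`, `-3`, ... sibling) is an assumption about how the deploy script decides which suffixes to strip.

```python
"""Model of the sast-rules deploy step: strip the `-1` suffix from singular
rules, except in rulesets whose `-1` identifiers semgrep already published.
Example code written for this MR description; not the project's deploy script."""
import re
from typing import Dict, Iterable, List, Set

# Rulesets whose singular "-1" suffix must be kept so that findings already
# stored by the monolith keep matching. Assumption: bandit only, per this MR.
KEEP_SUFFIX_RULESETS: Set[str] = {"bandit"}

# "<ruleset>.<rule>-<n>" -> base "<ruleset>.<rule>", numeric suffix n
SUFFIX_RE = re.compile(r"^(?P<base>.+)-(?P<n>\d+)$")


def normalize_ids(rules: List[dict], keep: Iterable[str] = KEEP_SUFFIX_RULESETS) -> List[dict]:
    """Return a copy of `rules` whose `id` fields have had a singular `-1`
    suffix removed, unless the rule's ruleset is listed in `keep`.

    A rule is "singular" when no other rule shares its base ID (assumption:
    multi-part rules such as X-1, X-2 keep their numbering in every ruleset)."""
    keep = set(keep)
    counts: Dict[str, int] = {}
    for rule in rules:
        m = SUFFIX_RE.match(rule["id"])
        if m:
            counts[m.group("base")] = counts.get(m.group("base"), 0) + 1

    out: List[dict] = []
    for rule in rules:
        rid = rule["id"]
        ruleset = rid.split(".", 1)[0]  # "bandit.B301-1" -> "bandit"
        m = SUFFIX_RE.match(rid)
        if (m and m.group("n") == "1"
                and counts[m.group("base")] == 1
                and ruleset not in keep):
            rid = m.group("base")
        out.append({**rule, "id": rid})
    return out


def lost_identifiers(published: Iterable[str], candidate: List[dict]) -> List[str]:
    """Identifiers present in the already-published pack that the candidate
    pack no longer emits. Any entry here means existing findings would be
    closed and recreated under a new identifier."""
    new_ids = {r["id"] for r in candidate}
    return sorted(i for i in published if i not in new_ids)


# Constructed sample packs (not the contents of dist/bandit.yml or rules/bandit.yml).
SAST_RULES = [
    {"id": "bandit.B301-1", "message": "pickle usage"},
    {"id": "bandit.B506-1", "message": "yaml.load without a safe loader"},
    {"id": "find_sec_bugs.XSS-1", "message": "reflected XSS"},
    {"id": "gosec.G101-1", "message": "hardcoded credential (part 1)"},
    {"id": "gosec.G101-2", "message": "hardcoded credential (part 2)"},
    {"id": "flawfinder.char-1", "message": "fixed-size char buffer"},
]

# Identifiers assumed to be already published by the semgrep analyzer.
PUBLISHED_SEMGREP_IDS = [
    "bandit.B301-1", "bandit.B506-1", "find_sec_bugs.XSS",
    "gosec.G101-1", "gosec.G101-2", "flawfinder.char",
]


if __name__ == "__main__":
    # Old behaviour (strip -1 everywhere) loses the published bandit IDs.
    print("old:", lost_identifiers(PUBLISHED_SEMGREP_IDS, normalize_ids(SAST_RULES, keep=())))
    # Behaviour after this MR (keep -1 for bandit) loses nothing.
    print("new:", lost_identifiers(PUBLISHED_SEMGREP_IDS, normalize_ids(SAST_RULES)))
```

Running the script prints the two bandit identifiers under `old:` and an empty list under `new:`, which is the same difference the two semgrep MRs show in their expected-JSON diffs. The `lost_identifiers` check is the part worth wiring into CI: it turns a silent finding churn into a failing build.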