Adding new rule node-libcurl insecure SSL and test file (!497) · Merge requests · GitLab.org / security-products / sast-rules

Bhavya Kaushal requested to merge new-rule-node-libcurl into main Mar 27, 2024

What does this MR do?

This MR creates a new semgrep rule to identify Disabled SSL certificate and hostname verification using node-libcurl library for Javascript. It also adds corresponding test case file.

What are the relevant issue numbers?

gitlab-org/gitlab#440261 (comment 1791115486)

Does this MR meet the acceptance criteria?

The test cases cover both positive and negative cases and are also annotated with appropriate semgrep annotations:
- For positive cases: // ruleid: ...
- For negative cases: // ok: ....
Following metadata fields exist for the rule(s) added/updated in this MR:
- owasp with both 2017 and 2021 mappings.
- category: "security"
- cwe
- shortDescription
- security-severity
The message field is valid and contains a secure code example.
Applicable license is mentioned in the rule if embedded/taken from external source.
Relevant labels including workflow labels are appropriately selected.

Edited Mar 27, 2024 by Bhavya Kaushal

Adding new rule node-libcurl insecure SSL and test file

What does this MR do?

What are the relevant issue numbers?

Does this MR meet the acceptance criteria?

Merge request reports