
Enable NodeJS Scan

Craig Smith requested to merge craigmsmith-add-description-as-id into main

What does this MR do?

This MR updates the nodeJS scan mappings and updates the deploy script so that the ruleset is built.

  • Update the NodeJS mappings by setting the id to the rule description. This means the secondary id will equal the rule description as is the case for NodeJS Scan Analyzer
  • Add NID (Native ID) as a mapping variable. This allows the secondary ID name field to use the rule's ID rather than the rule's description. This improves the readability of vulnerabilities in the monolith

Testing

This version of sast-rules has been released in https://gitlab.com/gitlab-org/security-products/sast-rules/-/packages/24047814 and installed into semgrep/tmp:1f93eafb52c4294df1f1aeb45ef55810ed446f23, which was created using gitlab-org/security-products/analyzers/semgrep!389 (closed).

A testing project was then created which copies the contents of https://gitlab.com/gitlab-org/security-products/tests/sast-rules-apps/javascript-web-apps, which is used by VR for testing JavaScript vulnerabilities. Both semgrep and NodeJS scan were then run on the project to ensure semgrep took over the vulnerabilities.

You can view the generated gl-sast-report.json at:

If finding takeover is working as expected, most if not all of the vulnerabilities found in the test project should be from semgrep. This isn't the case. Of the 92 njsscan findings reported, 28 have not been taken over, although there's a legitimate reason for each. Most are not detected by semgrep, as the rule has been updated or removed; the rest do not match because the location returned by nodejs scan is a range, whereas semgrep only returns a single line.

What are the relevant issue numbers?

gitlab-org/gitlab#395487 (closed)

Edited by Craig Smith
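The location mismatch described in the Testing section, as an added illustration that is not code from sast-rules or GitLab: two constructed findings in gl-sast-report.json shape share a secondary identifier whose value is the rule description, but njsscan reports a line range while semgrep reports a single line. The identifier type name `njsscan_rule_type`, the sample rule description and the matching functions are assumptions for illustration, not GitLab's takeover implementation.

```python
# Added example, not code from the MR or from GitLab. The identifier type,
# rule description and matching rules below are assumptions for illustration.

# Constructed njsscan finding: location is a line range (40-44).
NJSSCAN_FINDING = {
    "identifiers": [
        {"type": "njsscan_rule_type",
         "name": "Untrusted input flows into exec",   # constructed description
         "value": "Untrusted input flows into exec"},
    ],
    "location": {"file": "app/routes.js", "start_line": 40, "end_line": 44},
}

# Constructed semgrep finding: secondary id equals the rule description,
# but the location is a single line (42) with no end_line.
SEMGREP_FINDING = {
    "identifiers": [
        {"type": "semgrep_id", "name": "example_rule_id", "value": "example_rule_id"},
        {"type": "njsscan_rule_type",
         "name": "Untrusted input flows into exec",
         "value": "Untrusted input flows into exec"},
    ],
    "location": {"file": "app/routes.js", "start_line": 42},
}


def identifier_values(finding, id_type):
    """Return the set of identifier values of the given type on a finding."""
    return {i["value"] for i in finding["identifiers"] if i["type"] == id_type}


def identifiers_overlap(old, new, id_type):
    """True when old and new share at least one identifier of id_type."""
    return bool(identifier_values(old, id_type) & identifier_values(new, id_type))


def _span(loc):
    # A finding without end_line is treated as a single line.
    return loc["file"], loc["start_line"], loc.get("end_line", loc["start_line"])


def same_location_exact(old, new):
    """Exact match: file, start and end line must all be equal (fails for range vs. line)."""
    return _span(old["location"]) == _span(new["location"])


def same_location_overlap(old, new):
    """Range-aware match: same file and the line spans intersect."""
    fa, sa, ea = _span(old["location"])
    fb, sb, eb = _span(new["location"])
    return fa == fb and sa <= eb and sb <= ea


def takes_over(old, new, id_type="njsscan_rule_type", location_match=same_location_exact):
    """Assumed takeover rule: shared identifier of id_type plus a location match."""
    return identifiers_overlap(old, new, id_type) and location_match(old, new)
```

With the exact location rule the semgrep finding does not take over the njsscan finding even though the identifiers match; with the range-aware rule it does.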
