
import mobsf rules

Hua Yan requested to merge huayan-import-mobsf-rules into main

What does this MR do?

This MR is a step in migrating mobsf to Semgrep. It copies a selection of rules from mobsf to sast-rules to deprecate mobsf.

The selection of rules copied follows gitlab-org/gitlab#444289 (comment 1800533977), using some mobsfscan semgrep rules to replace mobsf rules if the latter is in regex form and without paired test cases.

The mobsf rules are licensed under LGPL and so must be in their own directory, at the root of which is the LGPL LICENSE file.

The generated ruleset must also have the LGPL license, so the deploy script adds the path dist/lgpl, adds a LICENSE file to that directory and then builds all mobsf scan rulesets in that directory.

Testing

  1. The sast-rules is released here, and testing is performed using the semgrep image created by gitlab-org/security-products/analyzers/semgrep@b41b4558.
  2. Low-quality rules are removed by testing against test repo 1 (report 1), test repo 2 (report 2), test repo 3 (report 3), and test repo 4 (report 4).
  3. Takeover test results are in the second tab of each report (1, 2, 3, 4).

This MR does not create a mobsf ruleset in the dist directory; it only adds the lgpl directory and LICENSE file. The rulesets themselves will be added in a follow-up MR when they're ready to be released.

What are the related issue numbers?

gitlab-org/gitlab#450925

Edited by Hua Yan
