Enable brakeman rules
What does this MR do?
Following the implementation plan #450358, this MR does the following to enable brakeman rules in sast-rules.
- Create the mapping file mappings/brakeman.yml, where the primary ID for each brakeman rule is either identified in the gl-sast-report.json or found by manually matching the warning code against the semgrep rules in sast-rules.
- Test the takeover
  - Create a test repo that contains both brakeman's testing apps and tests paired with each semgrep rule.
  - Create the semgrep image: release the sast-rules package and generate the semgrep image using gitlab-org/security-products/analyzers/semgrep@ca5aa48e
  - Apply semgrep to the test repo
  - Brakeman report is here
  - Semgrep report is here
  - The takeover is overall confirmed, with only one missing true bug (the semgrep rules were refined to fix it) and eight missing FPs
  - A script to compare the brakeman report and the semgrep report is triggered in the pipeline of the test repo to produce the diff
  - Takeover criteria: a bug reported by brakeman is considered taken over if its line number falls in the range between start_line and end_line of a bug reported by semgrep
  - Details are documented here
- Modify ci/deploy.rb
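Added example, not code from this MR or from the sast-rules project: the takeover criterion above applied to two constructed reports in a simplified gl-sast-report.json shape (only "location" with file and start_line/end_line is used; the file names, ids and rule names are assumptions).

```ruby
require 'json'

# Constructed sample reports in the gl-sast-report.json "vulnerabilities"
# shape (file and start_line/end_line under "location"); real reports carry
# many more fields, which this comparison ignores.
BRAKEMAN_REPORT = JSON.parse(<<~JSON)
  {"vulnerabilities": [
    {"id": "b1", "name": "SQL Injection", "location": {"file": "app/models/user.rb", "start_line": 12}},
    {"id": "b2", "name": "Cross-Site Scripting", "location": {"file": "app/views/users/show.html.erb", "start_line": 4}},
    {"id": "b3", "name": "Command Injection", "location": {"file": "lib/tasks/backup.rake", "start_line": 20}}
  ]}
JSON

SEMGREP_REPORT = JSON.parse(<<~JSON)
  {"vulnerabilities": [
    {"id": "s1", "name": "rails-sqli", "location": {"file": "app/models/user.rb", "start_line": 10, "end_line": 14}},
    {"id": "s2", "name": "rails-xss", "location": {"file": "app/views/users/show.html.erb", "start_line": 4, "end_line": 4}},
    {"id": "s3", "name": "rails-cmdi", "location": {"file": "lib/tasks/backup.rake", "start_line": 30, "end_line": 35}}
  ]}
JSON

# Takeover criterion from the MR: a brakeman finding is taken over when a
# semgrep finding in the same file has start_line <= line <= end_line.
# Returns the brakeman findings split into taken-over (each paired with the
# semgrep finding that covers it) and missed (these are the diff to review).
def compare_reports(brakeman, semgrep)
  by_file = semgrep.fetch('vulnerabilities').group_by { |v| v['location']['file'] }
  taken_over = []
  missed = []
  brakeman.fetch('vulnerabilities').each do |b|
    file = b['location']['file']
    line = b['location']['start_line']
    match = by_file.fetch(file, []).find do |s|
      first = s['location']['start_line']
      last = s['location']['end_line'] || first # single-line findings may omit end_line
      first <= line && line <= last
    end
    if match
      taken_over << [b, match]
    else
      missed << b
    end
  end
  { taken_over: taken_over, missed: missed }
end
```

With the constructed input, b1 and b2 are covered by s1 and s2, while b3 is reported as missed because s3 covers lines 30-35, not line 20.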
What are the relevant issue numbers?
Edited by Hua Yan