
Draft: Document bugfix process

Adam Cohen requested to merge document-bugfix-process into main

What does this MR do?

  1. Documents the bugfix process.
  2. Adds a verification stage to the release_job to disallow creating a new release if a bugfix is in progress.

What are the relevant issue numbers?

Create process for fixing bugs in sast-rules (gitlab-org/gitlab#464264) • Adam Cohen, Tal Kopel • Backlog

Does this MR meet the acceptance criteria?

  • The test cases cover both positive and negative cases and have appropriate Semgrep annotations:
    • For positive cases: // ruleid: ...
    • For negative cases: // ok: ....
  • Prefer ($X.servlet.http.HttpServletResponse $RESP).addCookie($C) over $RESPONSE.addCookie($C) to avoid False-Positives.
  • Following metadata fields exist for the rule(s) added/updated in this MR:
    • owasp: with both 2017 and 2021 mappings
    • shortDescription: in sentence case, e.g. "Use of a broken or risky cryptographic algorithm", NOT "Use of a Broken or Risky Cryptographic Algorithm"
    • security-severity: one of Info, Low, Medium, High or Critical
  • The message contains a secure code example and no insecure ones.
  • The rule is placed in the correct rules/ subfolder based on its license, referring to the internal guidance.
  • Relevant labels including workflow labels are appropriately selected.
  • The MR is freshly rebased with main.
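As an added illustration of what the checklist above asks for (this is example content written for this page, not a rule from sast-rules or from the MR), the following Semgrep rule uses the typed-metavariable receiver recommended in the checklist, carries the required metadata fields, and keeps the message to a secure example only. The rule id, the specific check (a cookie added without setSecure(true)), and the CWE/OWASP mapping are assumptions chosen for the example.

```yaml
rules:
  - id: java_cookie_rule-CookieInsecure   # hypothetical id, chosen for this example
    languages: [java]
    severity: WARNING
    patterns:
      # Typed metavariable, as the checklist recommends: the receiver must be an
      # HttpServletResponse ($X matches the javax/jakarta package prefix), so an
      # unrelated class that also exposes addCookie() does not cause a false positive.
      - pattern: ($X.servlet.http.HttpServletResponse $RESP).addCookie($C);
      # Negative case: the same cookie object had setSecure(true) called earlier
      # in the enclosing block, so adding it is fine.
      - pattern-not-inside: |
          $C.setSecure(true);
          ...
    # The message shows only the secure form, never an insecure one.
    message: |
      Cookie `$C` is added to the response without the `Secure` attribute, so a
      browser may send it over plain HTTP. Set the attribute before adding it:

        Cookie cookie = new Cookie("session", id);
        cookie.setSecure(true);
        cookie.setHttpOnly(true);
        response.addCookie(cookie);
    metadata:
      category: security
      # CWE and OWASP mappings are assumptions for this example; both the 2017
      # and the 2021 OWASP entries are listed, as the checklist requires.
      cwe: "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
      owasp:
        - "A3:2017-Sensitive Data Exposure"
        - "A02:2021-Cryptographic Failures"
      # Sentence case, per the checklist.
      shortDescription: "Cookie added to the response without the Secure attribute"
      # One of Info, Low, Medium, High, Critical.
      security-severity: Medium
```

The matching test file sits beside the rule and carries the annotations from the first checklist item: `// ruleid: java_cookie_rule-CookieInsecure` on the line before each `response.addCookie(cookie)` that must be reported, and `// ok: java_cookie_rule-CookieInsecure` before each call that must not be (a cookie with `setSecure(true)` already called, and a call on some unrelated object that merely has an `addCookie` method, which the typed receiver leaves alone). Running `semgrep --test` on the directory then checks both the positive and the negative cases against the rule.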
