Generate manifest file that includes meta-information about the rules
What does this MR do?
Generates a manifest file that includes the SHA-256 checksums for the rule files included in the sast-rules.zip file. It also includes the version number in the artifact names.
The manifest.txt file includes the individual rule file checksums as well as the combined checksums. Once this is integrated, we can update semgrep to validate the included rule checksums against the manifest file. gitlab-org/gitlab#463607 (Add a test or review step that explicitly check...) explains the approach in more detail.
What are the relevant issue numbers?
Does this MR meet the acceptance criteria?
- The test cases cover both positive and negative cases and have appropriate Semgrep annotations:
  - For positive cases: `// ruleid: ...`
  - For negative cases: `// ok: ....`
  - For positive cases:
    - Prefer `($X.servlet.http.HttpServletResponse $RESP).addCookie($C)` over `$RESPONSE.addCookie($C)` to avoid false positives.
- The following metadata fields exist for the rule(s) added/updated in this MR:
  - `owasp:` with both 2017 and 2021 mappings
  - `shortDescription:` e.g. "Use of a broken or risky cryptographic algorithm", NOT "Use of a Broken or Risky Cryptographic Algorithm"
  - `security-severity:` one of Info, Low, Medium, High or Critical
- The message contains a secure code example and no insecure ones.
- The rule is placed in the correct `rules/` subfolder based on its license, referring to the internal guidance.
- Relevant labels including workflow labels are appropriately selected.
- The MR is freshly rebased with `main`.
Edited by Julian Thome
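The manifest scheme the MR describes (a per-file SHA-256 line for every rule file plus a combined checksum, which semgrep would later check before loading the rules) is shown below as an added example; it is not the MR's script or any code from the sast-rules project. The line format `<sha256>  <relative path>`, the `COMBINED` label for the final line, the `*.yml` glob for rule files, the sample rule contents and all function names are assumptions made for this illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed conventions (not taken from the MR): one "<sha256>  <relative path>" line per
# rule file, rule files matched by *.yml, and a final line labelled COMBINED.
COMBINED_LABEL = "COMBINED"


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file (rule files are small, so reading them whole is fine)."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def rule_files(rules_dir: Path) -> list:
    """Rule files in sorted order; a fixed order keeps the combined digest reproducible."""
    return sorted(p for p in rules_dir.rglob("*.yml") if p.is_file())


def combined_digest(entries: list) -> str:
    """SHA-256 over the per-file lines, so the manifest also commits to the set of files."""
    joined = "\n".join(f"{digest}  {rel}" for digest, rel in entries)
    return hashlib.sha256(joined.encode("utf-8")).hexdigest()


def build_manifest(rules_dir: Path) -> str:
    """Produce manifest text: one line per rule file plus the combined checksum line."""
    entries = [(sha256_file(p), p.relative_to(rules_dir).as_posix()) for p in rule_files(rules_dir)]
    lines = [f"{digest}  {rel}" for digest, rel in entries]
    lines.append(f"{combined_digest(entries)}  {COMBINED_LABEL}")
    return "\n".join(lines) + "\n"


def parse_manifest(text: str):
    """Return (per-file entries, combined digest or None); reject malformed lines."""
    entries, combined = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest) or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        if name == COMBINED_LABEL:
            combined = digest
        else:
            entries.append((digest, name))
    return entries, combined


def verify_manifest(rules_dir: Path, manifest_text: str) -> list:
    """Return a list of problems; an empty list means the bundle matches the manifest."""
    problems = []
    entries, combined = parse_manifest(manifest_text)
    # The combined digest catches a manifest whose per-file lines were edited after the fact.
    if combined is None:
        problems.append("manifest has no combined checksum line")
    elif combined != combined_digest(entries):
        problems.append("combined checksum does not match the per-file lines")
    listed = set()
    for digest, rel in entries:
        listed.add(rel)
        path = rules_dir / rel
        if not path.is_file():
            problems.append(f"missing rule file: {rel}")
        elif sha256_file(path) != digest:
            problems.append(f"checksum mismatch: {rel}")
    # Files on disk that the manifest never listed must not be silently loaded either.
    for path in rule_files(rules_dir):
        rel = path.relative_to(rules_dir).as_posix()
        if rel not in listed:
            problems.append(f"unlisted rule file: {rel}")
    return problems


def demo():
    """Constructed two-rule bundle: verify it clean, after tampering, and with an edited manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        rules = Path(tmp) / "rules"
        (rules / "java").mkdir(parents=True)
        (rules / "java" / "cookie.yml").write_text("rules:\n  - id: insecure-cookie\n")  # constructed
        (rules / "java" / "crypto.yml").write_text("rules:\n  - id: weak-cipher\n")      # constructed
        manifest = build_manifest(rules)
        clean = verify_manifest(rules, manifest)
        # Modify one listed rule and drop in an extra rule the manifest never listed.
        crypto = rules / "java" / "crypto.yml"
        old_digest = sha256_file(crypto)
        crypto.write_text("rules:\n  - id: weak-cipher\n    severity: INFO\n")
        (rules / "java" / "extra.yml").write_text("rules: []\n")
        tampered_file = verify_manifest(rules, manifest)
        # "Fix up" the per-file line without recomputing the combined digest.
        edited_manifest = manifest.replace(old_digest, sha256_file(crypto))
        tampered_manifest = verify_manifest(rules, edited_manifest)
    return clean, tampered_file, tampered_manifest


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered file", "edited manifest"), demo()):
        print(f"{label}: {result or 'no problems'}")
```

The check is only as strong as the channel the manifest arrives through: an attacker who can replace the whole sast-rules.zip can replace manifest.txt inside it as well and recompute every digest. The manifest therefore guards against corrupted or partially modified bundles, and against a consumer loading rules that were never part of the release; to defend against a fully substituted bundle, the manifest itself has to be fetched from a trusted location or signed, and the verification has to run before semgrep loads any rule file.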