Addressing bandit feedback
Addressing feedback recorded in gitlab-org/gitlab#376025 (closed). While looking into these patterns, I went ahead and eliminated some more FP patterns.
Approach:
- Refined B610 to eliminate FP patterns
- We did not modify B105, B106 as they seem reasonable
- Refined B108 to match the original patterns more accurately
- Use generic pattern matching for B110, B112 to support exception chains
- Broke down the single rule B313, B314, B315, B316, B317, B318, B319, B320, B405, B406, B407, B408, B409, B410 into smaller pieces
- Reduce the rules; the initial rule-set was based on a rule-set provided by r2c where we focused more on coverage than actual parity. We have to trim down some of the rules to match more accurately what bandit would return.
/cc @connorgilbert @amarpatel @gitlab-org/secure/vulnerability-research
Edited by Julian Thome