SAST for JavaScript

Problem to solve

JavaScript projects are not supported by the current SAST analyzers, and so they cannot be checked for vulnerabilities.

Node.js projects are already supported, but that analyzer doesn't cover generic (non-Node.js) JavaScript projects.

Proposal

Create a new SAST analyzer to cover generic JavaScript projects, and integrate it into our current SAST tool so it will be available out of the box for all our users.

Tasks

  • Evaluate the tool
  • Implement the new analyzer
  • Update test projects to use the new analyzer (https://gitlab.com/gitlab-org/security-products/tests)
  • Update QA (https://gitlab.com/gitlab-org/security-products/tests/common#security-products-test-projects)
  • Update Docs
    • https://docs.gitlab.com/ee/user/project/merge_requests/sast.html
    • https://gitlab.com/gitlab-org/security-products/sast/blob/master/docs/analyzers.md
    • https://docs.google.com/presentation/d/1z4v6v_lP7BHCP2jfRJ9bK_XoUgQ9XW01X2ZhQcon8bY/edit#slide=id.g2823c3f9ca_0_9

What does success look like, and how can we measure that?

The number of vulnerabilities found by the JavaScript analyzer.

Edited Feb 08, 2019 by Philippe Lafoucrière