
Make secondary identifiers match for finding

rossfuhrman requested to merge 353271-option-4 into master

What does this MR do and why?

This MR allows semgrep findings to take over findings for existing analyzers. This is being done in support of deprecating some Static Analysis analyzers.

Issue: #328062 (closed)

This started as a proof-of-concept for #353271 (closed)

Feature Flag: update_vuln_identifiers_flag

Database Timings

Demo

https://drive.google.com/file/d/1F2J1Xjti_rm48gksU9-lg39kwatCSEX0/view?usp=sharing

This is a Quicktime video internal to GitLab. I would suggest View -> Playback Speed -> Double to speed up my ummms and awkward pauses 😅

How to set up and validate locally

  1. In the Rails console, enable the feature flag:
    Feature.enable(:update_vuln_identifiers_flag)
  2. Import this project locally: https://gitlab.com/rossfuhrman/insecure
  3. Run a Pipeline against the main (default) branch
  4. Edit the .gitlab-ci.yml on the main branch and remove semgrep from SAST_EXCLUDED_ANALYZERS
  5. Ensure another pipeline runs on the main branch
  6. Notice that previous vulnerabilities are now reported as semgrep vulnerabilities.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by rossfuhrman
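The following is an added, illustrative model of the behaviour the MR describes (a semgrep finding taking over an existing finding from another analyzer when their identifiers overlap) and of what step 6 of the validation procedure should show. It is not GitLab's implementation or the code in this MR: the Finding/Identifier structs, the identifier types (bandit_test_id, cwe, semgrep_id), the "first identifier is primary" convention, the location-match rule and all sample data are assumptions constructed for the example.

```ruby
# Illustrative example, not GitLab code: matching on secondary identifiers so a
# semgrep finding can take over a finding previously reported by another
# analyzer. All names, shapes and sample data below are assumptions.

Identifier = Struct.new(:type, :value, keyword_init: true) do
  def key
    "#{type}:#{value}"
  end
end

Finding = Struct.new(:id, :analyzer, :identifiers, :file, :line, keyword_init: true) do
  # Assumed convention: the first identifier is primary, the rest are secondary.
  def primary
    identifiers.first
  end

  def secondary
    identifiers.drop(1)
  end

  def identifier_keys
    identifiers.map(&:key)
  end

  # Assumed location rule: same file and same start line.
  def same_location?(other)
    file == other.file && line == other.line
  end
end

# Reconcile incoming semgrep findings against existing ones. An existing
# finding is taken over when it is at the same location and shares at least
# one identifier (primary or secondary) with the incoming finding; it keeps
# its id but adopts the incoming analyzer and identifier list. Incoming
# findings with no match become new records. Location alone is not enough:
# a finding at the same line with disjoint identifiers is treated as new.
def reconcile(existing, incoming, next_id:)
  findings = existing.map(&:dup)
  claimed = {} # each existing finding can be taken over at most once
  incoming.each do |inc|
    target = findings.find do |f|
      !claimed[f.id] && f.same_location?(inc) &&
        (f.identifier_keys & inc.identifier_keys).any?
    end
    if target
      target.analyzer = inc.analyzer
      target.identifiers = inc.identifiers
      claimed[target.id] = true
    else
      findings << Finding.new(id: next_id, analyzer: inc.analyzer,
                              identifiers: inc.identifiers,
                              file: inc.file, line: inc.line)
      next_id += 1
    end
  end
  findings
end

# Constructed sample data: two bandit findings already stored for a project.
def existing_findings
  [
    Finding.new(id: 1, analyzer: "bandit", file: "app.py", line: 12,
                identifiers: [Identifier.new(type: "bandit_test_id", value: "B303"),
                              Identifier.new(type: "cwe", value: "CWE-327")]),
    Finding.new(id: 2, analyzer: "bandit", file: "app.py", line: 40,
                identifiers: [Identifier.new(type: "bandit_test_id", value: "B101"),
                              Identifier.new(type: "cwe", value: "CWE-703")])
  ]
end

# Constructed sample data: findings from a later semgrep run. The first one
# carries the old bandit id as a secondary identifier, so it matches id 1.
def incoming_findings
  [
    Finding.new(id: nil, analyzer: "semgrep", file: "app.py", line: 12,
                identifiers: [Identifier.new(type: "semgrep_id", value: "bandit.B303-1"),
                              Identifier.new(type: "bandit_test_id", value: "B303"),
                              Identifier.new(type: "cwe", value: "CWE-327")]),
    Finding.new(id: nil, analyzer: "semgrep", file: "app.py", line: 60,
                identifiers: [Identifier.new(type: "semgrep_id", value: "bandit.B105-1"),
                              Identifier.new(type: "bandit_test_id", value: "B105")]),
    Finding.new(id: nil, analyzer: "semgrep", file: "app.py", line: 40,
                identifiers: [Identifier.new(type: "semgrep_id", value: "other.rule-1"),
                              Identifier.new(type: "cwe", value: "CWE-79")])
  ]
end

if $PROGRAM_NAME == __FILE__
  reconcile(existing_findings, incoming_findings, next_id: 3).each do |f|
    puts "#{f.id} #{f.analyzer} #{f.file}:#{f.line} #{f.identifier_keys.join(',')}"
  end
end
```

Running it shows finding 1 reported as a semgrep finding with the bandit id retained as a secondary identifier, finding 2 left untouched because no semgrep finding shares an identifier with it, and two new semgrep findings; the one at line 40 is new rather than a takeover because it shares the location but no identifier with finding 2.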
