fix: Add missing suffix to bandit rule subset
What does this MR do?
With the merge of !192 (merged) we missed a few suffixes on bandit identifiers
- type::bug: correct bandit primary identifiers
- type::maintenance: standardize mappings to always utilize `metadata.primary_identifier` for prepackaged rules; limit `id` usage to only rules without metadata
- Add CI job to validate schemas for the above (type::maintenance)
Hopefully the added script is short-lived until we can copy over the sast-rules files, but I wanted some validation in place before then. You can see the latest pipeline for semgrep-rules-yaml-validation to see how it works, but for clarity here's a failing case:
```
❯ for f in "find_sec_bugs.yml"; do ruby semgrep_rules_check/find_nonmatching_rule_ids.rb rules/$f; done
[WARN] YAML validation failed for rules/find_sec_bugs.yml
[WARN] noncompliant rules:
  id: find_sec_bugs.PATH_TRAVERSAL_OUT-1.PATH_TRAVERSAL_OUT-1
  primary_identifier: find_sec_bugs.PATH_TRAVERSAL_OUT-1.PATH_TRAVERSAL_OUT-1
  secondary_identifier_count: 1
[ERROR] YAML validation failed for rules/find_sec_bugs.yml
[ERROR] noncompliant rules:
  id: find_sec_bugs.XXE_XPATH-1.XXE_DOCUMENT-1
  primary_identifier: find_sec_bugs.XXE_XPATH-1
  secondary_identifier_count: 2
❯ echo $?
1
```
What are the relevant issue numbers?
Relates to https://gitlab.com/gitlab-org/security-products/analyzers/semgrep/-/issues/125
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer
Edited by Lucas Charles
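As an added illustration, not the MR's `find_nonmatching_rule_ids.rb` (whose source is not on this page), here is a Ruby check that reports the same three fields (`id`, `primary_identifier`, `secondary_identifier_count`) over a constructed rules file. The classification rules it applies are assumptions inferred from the two reported cases: ERROR when `metadata.primary_identifier` differs from `id`, WARN when they agree but the number of dotted suffix components in the id does not match the number of `secondary_identifiers`; rules with no metadata are skipped, since per the MR only those may rely on `id` alone. The YAML layout of the sample is likewise assumed.

```ruby
require "yaml"

# Constructed sample in the shape of a semgrep rules file; not taken from the
# sast-rules repository. The first two rules reproduce the two shapes the MR's
# failing case reports, the third is compliant, the fourth carries no metadata.
SAMPLE_RULES_YAML = <<~YAML
  rules:
    - id: find_sec_bugs.XXE_XPATH-1.XXE_DOCUMENT-1
      metadata:
        primary_identifier: find_sec_bugs.XXE_XPATH-1
        secondary_identifiers:
          - { name: "Find Security Bugs-XXE_XPATH", type: find_sec_bugs_type, value: XXE_XPATH }
          - { name: "Find Security Bugs-XXE_DOCUMENT", type: find_sec_bugs_type, value: XXE_DOCUMENT }
    - id: find_sec_bugs.PATH_TRAVERSAL_OUT-1.PATH_TRAVERSAL_OUT-1
      metadata:
        primary_identifier: find_sec_bugs.PATH_TRAVERSAL_OUT-1.PATH_TRAVERSAL_OUT-1
        secondary_identifiers:
          - { name: "Find Security Bugs-PATH_TRAVERSAL_OUT", type: find_sec_bugs_type, value: PATH_TRAVERSAL_OUT }
    - id: find_sec_bugs.SQL_INJECTION-1
      metadata:
        primary_identifier: find_sec_bugs.SQL_INJECTION-1
        secondary_identifiers:
          - { name: "Find Security Bugs-SQL_INJECTION", type: find_sec_bugs_type, value: SQL_INJECTION }
    - id: custom_rule_without_metadata
      message: a rule that carries no metadata block
YAML

# Dotted components after the analyzer prefix: "find_sec_bugs.A-1.B-1" -> 2.
def suffix_count(rule_id)
  rule_id.split(".").length - 1
end

# Classify each rule that carries metadata. Assumed semantics (not the
# project's script): ERROR when metadata.primary_identifier differs from id;
# WARN when they agree but the suffix count does not match the number of
# secondary_identifiers. Rules without metadata are skipped because only those
# are allowed to rely on id alone.
def check_rules(yaml_text)
  doc = YAML.safe_load(yaml_text) || {}
  result = { errors: [], warnings: [] }
  Array(doc["rules"]).each do |rule|
    meta = rule["metadata"]
    next if meta.nil?
    id = rule["id"]
    primary = meta["primary_identifier"]
    count = Array(meta["secondary_identifiers"]).length
    entry = { id: id, primary_identifier: primary, secondary_identifier_count: count }
    if primary != id
      result[:errors] << entry
    elsif suffix_count(id) != count
      result[:warnings] << entry
    end
  end
  result
end

# Non-zero only for errors, matching the `echo $?` -> 1 in the MR output
# (assumed: warnings alone do not fail the job).
def exit_status(result)
  result[:errors].empty? ? 0 : 1
end

# Print findings in the same [WARN]/[ERROR] layout as the MR's failing case.
def report(path, result)
  { warnings: "WARN", errors: "ERROR" }.each do |key, level|
    next if result[key].empty?
    puts "[#{level}] YAML validation failed for #{path}"
    puts "[#{level}] noncompliant rules:"
    result[key].each do |entry|
      entry.each { |field, value| puts "  #{field}: #{value}" }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  findings = check_rules(SAMPLE_RULES_YAML)
  report("rules/find_sec_bugs.yml", findings)
  # A CI job would finish with `exit exit_status(findings)` to fail the pipeline.
end
```

Run against the constructed sample it prints one WARN block (the duplicated PATH_TRAVERSAL_OUT suffix with a single secondary identifier) and one ERROR block (the XXE rule whose primary identifier lacks its second suffix), and `exit_status` is 1; the compliant SQL_INJECTION rule and the metadata-less rule produce nothing.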