Sync new rules from upstream secure scanners
What does this MR do?
As a part of the Upstream Rule Synchronization process, this MR adds the below new rules from the upstream source that are missing in our current ruleset.
New rules added:
-
ESLint
security/detect-new-buffer
-
FindSecBugs
- Spring CSRF protection disabled (
SPRING_CSRF_PROTECTION_DISABLED
) - Potential SQL Injection (
SQL_INJECTION
) - Potential SQL Injection with Turbine (
SQL_INJECTION_TURBINE
) - Potential SQL/HQL Injection (Hibernate) (
SQL_INJECTION_HIBERNATE
) - Potential SQL Injection with Vert.x Sql Client (
SQL_INJECTION_VERTX
) XSS_REQUEST_PARAMETER_TO_SEND_ERROR
SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
- Spring CSRF protection disabled (
-
GoSec
-
G111
: Potential directory traversal -
G112
: Potential slowloris attack -
G113
: Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772) -
G114
: Use of net/http serve function that has no support for setting timeouts
-
-
Bandit
-
B113
:request_without_timeout
-
B202
:tarfile_unsafe_members
-
B508
:snmp_insecure_version
-
B509
:snmp_weak_cryptography
-
B612
:logging_config_insecure_listen
-
B415
:import_pyghmi
-
Equivalent sast-rules
MRs:
- https://gitlab.com/gitlab-org/secure/gsoc-sast-vulnerability-rules/playground/sast-rules/-/merge_requests/112 (ESLint/FindSecBugs/GoSec)
- https://gitlab.com/gitlab-org/secure/gsoc-sast-vulnerability-rules/playground/sast-rules/-/merge_requests/119 (Python)
What are the relevant issue numbers?
Does this MR meet the acceptance criteria?
-
Changelog entry added -
Documentation created/updated for GitLab EE, if necessary -
Documentation created/updated for this project, if necessary -
Documentation reviewed by technical writer or follow-up review issue created -
Tests added for this feature/bug -
Job definition updated, if necessary -
Conforms to the code review guidelines -
Conforms to the Go guidelines -
Security reports checked/validated by reviewer
Edited by Lucas Charles