Add sobelow SAST analyzer
What does this MR do?
This MR adds an analyzer that does ~sast detection on Elixir Phoenix projects. sobelow
can also handle ~"dependency scanning"; however, that is disabled in this tool via module-loading.
A couple notes:
- Vulnerabilities are not well normalized, so the unique key I'm using is a slug of the function_type, used internally to identify a vulnerability category. This will be a list we have to maintain, unfortunately.
- sobelow lineNumbers report the affected function location, not the vulnerability location. If we'd prefer to drop these as they're misleading, we can.
- The Config module has some useful vulnerability detections; however, the exposed data is pretty vague and would require file traversal to identify the router.ex file (it's hardcoded within sobelow currently but could change). I think this would be a useful enhancement to detect things like secure headers, CSRF, etc., but it will require more significant work.
- I generated the fixtures using the standard mix phx.new sample_app --no-ecto --no-webpack scaffolding command. This might be overkill for the test expectations, and I could prune off all the unneeded files, but I was mixed on whether it should reflect a real app. That said, the test project should work fine for that.
What are the relevant issue numbers?
https://gitlab.com/gitlab-org/gitlab-ee/issues/9399
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/10527
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer
Edited by Lucas Charles