Hardcode bandit ids and primary ids
This MR hardcodes the bandit ids and primary identifiers in the mapping file and updates the deploy script to use the id when it is set.
This change should have no effect on the generated rules, as all the IDs and primary IDs are the same as those already in the ruleset. This change will allow me to manually update the IDs and primary identifiers that do not match the semgrep IDs and primary identifiers.
These changes were made using this script:
```ruby
require 'yaml'

Dir.glob('mappings/*.yml').each do |mapping_file|
  ruleset = File.basename(mapping_file, '.yml')
  next unless ruleset == 'bandit'

  mappings = YAML.safe_load(File.read(mapping_file))
  mappings[ruleset]['mappings'].each do |mapping|
    mapping['rules'].each_with_index do |rule, idx|
      # Leave rules that already carry a hardcoded primary_id untouched
      next if rule.key? 'primary_id'

      # The first (or only) rule keeps the bare mapping ID; later rules get a 1-based suffix
      primary_id = "#{ruleset}.#{mapping['id']}-#{idx + 1}"
      primary_id = "#{ruleset}.#{mapping['id']}" if mapping['rules'].one?
      primary_id = "#{ruleset}.#{mapping['id']}" if idx == 0
      rule['primary_id'] = primary_id

      # The rule ID always carries the suffix
      id = "#{ruleset}.#{mapping['id']}-#{idx + 1}"
      rule['id'] = id
    end
  end

  # Write the new primary IDs
  File.open(mapping_file, 'w') do |file|
    file.write(mappings.to_yaml)
  end

  # Fix the formatting: wrap unquoted scalar values in double quotes
  mappings = File.read(mapping_file)
  mappings.gsub!(/: ([^"].+)$/, ': "\1"')
  File.open(mapping_file, 'w') do |file|
    file.write(mappings)
  end
end
```
I've decided not to commit this script as I don't see a need to run it repeatedly (although a version of this will be used to set the IDs for all the other rulesets).
Edited by Craig Smith
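
One way to check the claim above that the hardcoded values match what was derived before, and to spot later manual overrides (an added example, not part of the MR or the project's code): it recomputes the `id` and `primary_id` that the script above derives and reports every hardcoded value that differs. The sample mapping and the helper names `derived_ids`, `id_drift` and `duplicate_primary_ids` are assumptions made for illustration; the derivation rule is taken from the script above, since the deploy script itself is not shown.

```ruby
require 'yaml'

# Constructed sample in the shape the script above reads
# (ruleset -> 'mappings' -> [{ 'id', 'rules' => [...] }]); not real mapping data.
SAMPLE = <<~YAML
  bandit:
    mappings:
      - id: "B101"
        rules:
          - id: "bandit.B101-1"
            primary_id: "bandit.B101"
      - id: "B303"
        rules:
          - id: "bandit.B303-1"
            primary_id: "bandit.B303"
          - id: "bandit.B303-2"
            primary_id: "bandit.B303-2"
          - id: "bandit.B303-3"
            primary_id: "bandit.B303-md5"
YAML

# IDs the script above would derive for the rule at position idx of a mapping.
def derived_ids(ruleset, mapping_id, idx)
  base = "#{ruleset}.#{mapping_id}"
  { 'id' => "#{base}-#{idx + 1}",
    'primary_id' => idx.zero? ? base : "#{base}-#{idx + 1}" }
end

# One entry per hardcoded value that is missing or differs from the derived one.
def id_drift(doc, ruleset)
  doc[ruleset]['mappings'].flat_map do |mapping|
    mapping['rules'].each_with_index.flat_map do |rule, idx|
      derived_ids(ruleset, mapping['id'], idx).filter_map do |key, expected|
        next if rule[key] == expected
        { mapping: mapping['id'], index: idx, field: key,
          expected: expected, actual: rule[key] }
      end
    end
  end
end

# Every primary_id that appears on more than one rule in the ruleset.
def duplicate_primary_ids(doc, ruleset)
  ids = doc[ruleset]['mappings'].flat_map { |m| m['rules'].map { |r| r['primary_id'] } }
  ids.compact.tally.select { |_, n| n > 1 }.keys
end

if __FILE__ == $PROGRAM_NAME
  doc = YAML.safe_load(SAMPLE)
  id_drift(doc, 'bandit').each { |d| puts d }
  puts "duplicates: #{duplicate_primary_ids(doc, 'bandit')}"
end
```

An empty `id_drift` result right after running the script supports the "no effect" claim; entries that appear later are the manual overrides and can be reviewed one by one.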