From a8020d8076985f6a357f2e1d842ac7ec147cb430 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Sat, 2 Apr 2022 14:25:12 +0000
Subject: [PATCH 1/2] Make use of Gitlab's SAST

https://docs.gitlab.com/ee/user/application_security/sast/
---
 .gitlab-ci.yml | 6 ++++
 .gitlab/sast-ruleset.toml | 71 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 77 insertions(+)
 create mode 100644 .gitlab/sast-ruleset.toml

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 5579fcc76b..5c0acda625 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,6 +1,10 @@
+include:
+ - template: Security/SAST.gitlab-ci.yml
+
 # Note: We set `needs` on each job to control the job DAG.
 # See https://docs.gitlab.com/ee/ci/yaml/#needs
 stages:
+ - test
 - build

 # https://blog.nimbleways.com/let-s-make-faster-gitlab-ci-cd-pipelines/
@@ -10,6 +14,8 @@ variables:
 # These can be specified per job or per pipeline
 ARTIFACT_COMPRESSION_LEVEL: "fast"
 CACHE_COMPRESSION_LEVEL: "fast"
+ SAST_EXCLUDED_ANALYZERS: bandit,eslint
+ SAST_EXCLUDED_PATHS: spec,test,tests,tmp,extern

 .Ubuntu_Image:
 tags:
diff --git a/.gitlab/sast-ruleset.toml b/.gitlab/sast-ruleset.toml
new file mode 100644
index 0000000000..fb111405fa
--- /dev/null
+++ b/.gitlab/sast-ruleset.toml
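Review bot: Nothing next to the new `include:` records that the template's SAST jobs are, as far as I recall the template, declared `stage: test` with `allow_failure: true`, so the newly added `test` stage hosts advisory jobs only and a flawfinder finding will never turn the pipeline red. The existing comment says every job sets `needs` to shape the DAG, but the included jobs carry no `needs` and are not covered by that statement. A one-line comment above the include would spare the next maintainer a trip into the template, e.g. `# Template SAST jobs run in the test stage with allow_failure: true; results land in the Security tab and do not gate the pipeline`.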
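Review bot: `SAST_EXCLUDED_PATHS` adds `extern` to the exclusion list without saying why, and because excluded paths are dropped from the results rather than merely down-ranked, a reader cannot tell whether `extern` is vendored third-party code deliberately left out of scope or just a noisy directory. Suggest a comment above the line such as `# extern: presumably vendored third-party code, findings there belong upstream — confirm before relying on this exclusion`. The first four entries look like the template's own defaults, so noting that this variable replaces rather than extends them (`# Overrides the template default list; keep the defaults when adding entries`) would prevent a later edit from silently re-scanning test fixtures. The `variables:` block continues outside the hunk.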
@@ -0,0 +1,71 @@
+[flawfinder]
+ [[flawfinder.ruleset]]
+ disable = true
+ [flawfinder.ruleset.identifier]
+ type = "flawfinder_func_name"
+ value = "readlink" # openmw isn't a privileged process
+ [[flawfinder.ruleset]]
+ disable = true
+ [flawfinder.ruleset.identifier]
+ type = "flawfinder_func_name"
+ value = "access" # openmw isn't a privileged process
+ [[flawfinder.ruleset]]
+ disable = true
+ [flawfinder.ruleset.identifier]
+ type = "flawfinder_func_name"
+ value = "random" # duh.
+ [[flawfinder.ruleset]]
+ disable = true
+ [flawfinder.ruleset.identifier]
+ type = "flawfinder_func_name"
+ value = "getenv" # duh.
+ [[flawfinder.ruleset]]
+ disable = true
+ [flawfinder.ruleset.identifier]
+ type = "flawfinder_func_name"
+ value = "open" # openmw isn't a privileged process
+ [[flawfinder.ruleset]]
+ disable = true
+ [flawfinder.ruleset.identifier]
+ type = "flawfinder_func_name"
+ value = "char" # too many false positives
+ [[flawfinder.ruleset]]
+ disable = true
+ [flawfinder.ruleset.identifier]
+ type = "flawfinder_func_name"
+ value = "read" # too many false positives
+ [[flawfinder.ruleset]]
+ disable = true
+ [flawfinder.ruleset.identifier]
+ type = "flawfinder_func_name"
+ value = "snprintf" # too many false positives
+ [[flawfinder.ruleset]]
+ disable = true
+ [flawfinder.ruleset.identifier]
+ type = "flawfinder_func_name"
+ value = "strlen" # too many false positives
+ [[flawfinder.ruleset]]
+ disable = true
+ [flawfinder.ruleset.identifier]
+ type = "flawfinder_func_name"
+ value = "mkstemp" # openmw doesn't run on old Unix systems
+ [[flawfinder.ruleset]]
+ disable = true
+ [flawfinder.ruleset.identifier]
+ type = "flawfinder_func_name"
+ value = "fopen" # openmw isn't a privileged process
+ [[flawfinder.ruleset]]
+ disable = true
+ [flawfinder.ruleset.identifier]
+ type = "flawfinder_func_name"
+ value = "equal" # only false positives, sigh
+ [[flawfinder.ruleset]]
+ disable = true
+ [flawfinder.ruleset.identifier]
+ type = "flawfinder_func_name"
+ value = "_snprintf" # only false positives, sigh
+ [[flawfinder.ruleset]]
+ disable = true
+ [flawfinder.ruleset.identifier]
+ type = "flawfinder_func_name"
+ value = "printf" # only false positives, sigh
From 52743dadf311ad002f38bae3c707cd21c0cc408e Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Tue, 5 Apr 2022 18:35:09 +0000
Subject: [PATCH 2/2] Update .gitlab-ci.yml

---
 .gitlab-ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 5c0acda625..5cde48b096 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -14,7 +14,7 @@ variables:
 # These can be specified per job or per pipeline
 ARTIFACT_COMPRESSION_LEVEL: "fast"
 CACHE_COMPRESSION_LEVEL: "fast"
- SAST_EXCLUDED_ANALYZERS: bandit,eslint
+ SAST_EXCLUDED_ANALYZERS: "bandit"
 SAST_EXCLUDED_PATHS: spec,test,tests,tmp,extern

 .Ubuntu_Image:
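Review bot: Disabling `char`, `read`, `strlen`, `snprintf`, `_snprintf` and `printf` by function name turns off flawfinder's fixed-buffer and format-string checks for the whole tree, not just the call sites that were noisy, so the remaining C/C++ coverage is narrow and the trailing `# too many false positives` / `# only false positives, sigh` comments give a later reader no way to judge whether that trade-off still holds. A header comment stating the policy would help, e.g. `# Each entry suppresses a flawfinder rule repo-wide; revisit when the codebase or the flawfinder image changes`, and `# duh.` on `random` and `getenv` should spell out the actual reason (presumably neither is used for anything security-relevant — confirm). Where only a handful of call sites are false positives, dismissing those findings individually in the GitLab vulnerability report keeps the rule active for the rest of the code.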
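Review bot: The rewritten `SAST_EXCLUDED_ANALYZERS` line is now a quoted scalar while `SAST_EXCLUDED_PATHS` directly below stays bare, although both are comma-separated lists consumed by the same template; quote them consistently, e.g. `SAST_EXCLUDED_PATHS: "spec,test,tests,tmp,extern"`. Dropping `eslint` from the list also switches the eslint analyzer on, which the commit title does not mention, so a short sentence in the description about why it was re-enabled would help. The `variables:` block continues outside the hunk.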