Get rid of Gitlab SAST

It's completely broken currently, beside being useless: grepping C++ code to find problem isn't SAST, it's noise.
3 years ago · 9067db523b
parent 5c8ca4c7b9
commit 9067db523b
2 changed files with 0 additions and 88 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -1,14 +1,10 @@
 default:
  interruptible: true

-include:
-  - template: Security/SAST.gitlab-ci.yml
-
 # Note: We set `needs` on each job to control the job DAG.
 # See https://docs.gitlab.com/ee/ci/yaml/#needs
 stages:
  - build
-  - test

 # https://blog.nimbleways.com/let-s-make-faster-gitlab-ci-cd-pipelines/
 variables:
@ -17,14 +13,6 @@ variables:
  # These can be specified per job or per pipeline
  ARTIFACT_COMPRESSION_LEVEL: "fast"
  CACHE_COMPRESSION_LEVEL: "fast"
-  SAST_EXCLUDED_ANALYZERS: "bandit"
-  SAST_EXCLUDED_PATHS: "extern"
-
-sast:
-  tags:
-    - docker
-    - linux
-  needs: []

 .Ubuntu_Image:
  tags:
--- a/.gitlab/sast-ruleset.toml
+++ b/.gitlab/sast-ruleset.toml
@ -1,76 +0,0 @@
-[flawfinder]
-	[[flawfinder.ruleset]]
-		disable = true
-		[flawfinder.ruleset.identifier]
-			type = "flawfinder_func_name"
-			value = "readlink"  # openmw isn't a privileged process
-	[[flawfinder.ruleset]]
-		disable = true
-		[flawfinder.ruleset.identifier]
-			type = "flawfinder_func_name"
-			value = "access"  # openmw isn't a privileged process
-	[[flawfinder.ruleset]]
-		disable = true
-		[flawfinder.ruleset.identifier]
-			type = "flawfinder_func_name"
-			value = "random"  # duh.
-	[[flawfinder.ruleset]]
-		disable = true
-		[flawfinder.ruleset.identifier]
-			type = "flawfinder_func_name"
-			value = "getenv"  # duh.
-	[[flawfinder.ruleset]]
-		disable = true
-		[flawfinder.ruleset.identifier]
-			type = "flawfinder_func_name"
-			value = "open" # openmw isn't a privileged process
-	[[flawfinder.ruleset]]
-		disable = true
-		[flawfinder.ruleset.identifier]
-			type = "flawfinder_func_name"
-			value = "char"  # too many false positives
-	[[flawfinder.ruleset]]
-		disable = true
-		[flawfinder.ruleset.identifier]
-			type = "flawfinder_func_name"
-			value = "read"  # too many false positives
-	[[flawfinder.ruleset]]
-		disable = true
-		[flawfinder.ruleset.identifier]
-			type = "flawfinder_func_name"
-			value = "snprintf"  # too many false positives
-	[[flawfinder.ruleset]]
-		disable = true
-		[flawfinder.ruleset.identifier]
-			type = "flawfinder_func_name"
-			value = "strlen"  # too many false positives
-	[[flawfinder.ruleset]]
-		disable = true
-		[flawfinder.ruleset.identifier]
-			type = "flawfinder_func_name"
-			value = "mkstemp"  # openmw doesn't run on old Unix systems
-	[[flawfinder.ruleset]]
-		disable = true
-		[flawfinder.ruleset.identifier]
-			type = "flawfinder_func_name"
-			value = "fopen"   # openmw isn't a privileged process
-	[[flawfinder.ruleset]]
-		disable = true
-		[flawfinder.ruleset.identifier]
-			type = "flawfinder_func_name"
-			value = "equal"  # only false positives, sigh
-	[[flawfinder.ruleset]]
-		disable = true
-		[flawfinder.ruleset.identifier]
-			type = "flawfinder_func_name"
-			value = "_snprintf"  # only false positives, sigh
-	[[flawfinder.ruleset]]
-		disable = true
-		[flawfinder.ruleset.identifier]
-			type = "flawfinder_func_name"
-			value = "printf"  # only false positives, sigh
-	[[flawfinder.ruleset]]
-		disable = true
-		[flawfinder.ruleset.identifier]
-			type = "flawfinder_func_name"
-			value = "system"  # only false positives, sigh