From 9067db523b092e592e21b7f38f0c293cc86f8611 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Mon, 13 Jun 2022 20:10:25 +0200
Subject: [PATCH] Get rid of Gitlab SAST

It's completely broken currently, beside being useless: grepping C++ code to find problem isn't SAST, it's noise.
---
 .gitlab-ci.yml | 12 -------
 .gitlab/sast-ruleset.toml | 76 ---------------------------------------
 2 files changed, 88 deletions(-)
 delete mode 100644 .gitlab/sast-ruleset.toml

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 4ae7b4bb45..b012e07440 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,14 +1,10 @@
 default:
   interruptible: true
 
-include:
-  - template: Security/SAST.gitlab-ci.yml
-
 # Note: We set `needs` on each job to control the job DAG.
 # See https://docs.gitlab.com/ee/ci/yaml/#needs
 stages:
   - build
-  - test
 
 # https://blog.nimbleways.com/let-s-make-faster-gitlab-ci-cd-pipelines/
 variables:
@@ -17,14 +13,6 @@ variables:
   # These can be specified per job or per pipeline
   ARTIFACT_COMPRESSION_LEVEL: "fast"
   CACHE_COMPRESSION_LEVEL: "fast"
-  SAST_EXCLUDED_ANALYZERS: "bandit"
-  SAST_EXCLUDED_PATHS: "extern"
-
-sast:
-  tags:
-    - docker
-    - linux
-  needs: []
 
 .Ubuntu_Image:
   tags:
diff --git a/.gitlab/sast-ruleset.toml b/.gitlab/sast-ruleset.toml
deleted file mode 100644
index 543ceb4ca7..0000000000
--- a/.gitlab/sast-ruleset.toml
+++ /dev/null
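Review bot: Dropping `  - test` from the `stages` list in the first hunk is only valid if no remaining job in this file declares `stage: test`; GitLab rejects a pipeline whose job references a stage that is not listed, and the rest of `.gitlab-ci.yml` (from `.Ubuntu_Image:` onward) lies outside this hunk, so that cannot be confirmed here. The SAST template removed by the same hunk is presumably the only consumer of that stage, which looks like the motivation, but it is worth grepping the file for `stage: test` before merging. If any job still uses it, either keep `  - test` in the list or move that job to `build`.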
@@ -1,76 +0,0 @@
-[flawfinder]
-[[flawfinder.ruleset]]
-disable = true
-[flawfinder.ruleset.identifier]
-type = "flawfinder_func_name"
-value = "readlink" # openmw isn't a privileged process
-[[flawfinder.ruleset]]
-disable = true
-[flawfinder.ruleset.identifier]
-type = "flawfinder_func_name"
-value = "access" # openmw isn't a privileged process
-[[flawfinder.ruleset]]
-disable = true
-[flawfinder.ruleset.identifier]
-type = "flawfinder_func_name"
-value = "random" # duh.
-[[flawfinder.ruleset]]
-disable = true
-[flawfinder.ruleset.identifier]
-type = "flawfinder_func_name"
-value = "getenv" # duh.
-[[flawfinder.ruleset]]
-disable = true
-[flawfinder.ruleset.identifier]
-type = "flawfinder_func_name"
-value = "open" # openmw isn't a privileged process
-[[flawfinder.ruleset]]
-disable = true
-[flawfinder.ruleset.identifier]
-type = "flawfinder_func_name"
-value = "char" # too many false positives
-[[flawfinder.ruleset]]
-disable = true
-[flawfinder.ruleset.identifier]
-type = "flawfinder_func_name"
-value = "read" # too many false positives
-[[flawfinder.ruleset]]
-disable = true
-[flawfinder.ruleset.identifier]
-type = "flawfinder_func_name"
-value = "snprintf" # too many false positives
-[[flawfinder.ruleset]]
-disable = true
-[flawfinder.ruleset.identifier]
-type = "flawfinder_func_name"
-value = "strlen" # too many false positives
-[[flawfinder.ruleset]]
-disable = true
-[flawfinder.ruleset.identifier]
-type = "flawfinder_func_name"
-value = "mkstemp" # openmw doesn't run on old Unix systems
-[[flawfinder.ruleset]]
-disable = true
-[flawfinder.ruleset.identifier]
-type = "flawfinder_func_name"
-value = "fopen" # openmw isn't a privileged process
-[[flawfinder.ruleset]]
-disable = true
-[flawfinder.ruleset.identifier]
-type = "flawfinder_func_name"
-value = "equal" # only false positives, sigh
-[[flawfinder.ruleset]]
-disable = true
-[flawfinder.ruleset.identifier]
-type = "flawfinder_func_name"
-value = "_snprintf" # only false positives, sigh
-[[flawfinder.ruleset]]
-disable = true
-[flawfinder.ruleset.identifier]
-type = "flawfinder_func_name"
-value = "printf" # only false positives, sigh
-[[flawfinder.ruleset]]
-disable = true
-[flawfinder.ruleset.identifier]
-type = "flawfinder_func_name"
-value = "system" # only false positives, sigh