
Make use of Gitlab's SAST

https://docs.gitlab.com/ee/user/application_security/sast/
This commit is contained in:
jvoisin 2022-04-02 14:25:12 +00:00
parent 964f288c13
commit a8020d8076
2 changed files with 77 additions and 0 deletions


@ -1,6 +1,10 @@
include:
- template: Security/SAST.gitlab-ci.yml
# Note: We set `needs` on each job to control the job DAG.
# See https://docs.gitlab.com/ee/ci/yaml/#needs
stages:
- test
- build
# https://blog.nimbleways.com/let-s-make-faster-gitlab-ci-cd-pipelines/
@ -10,6 +14,8 @@ variables:
# These can be specified per job or per pipeline
ARTIFACT_COMPRESSION_LEVEL: "fast"
CACHE_COMPRESSION_LEVEL: "fast"
SAST_EXCLUDED_ANALYZERS: bandit,eslint
SAST_EXCLUDED_PATHS: spec,test,tests,tmp,extern
.Ubuntu_Image:
tags:
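Review bot: `SAST_EXCLUDED_PATHS` now removes `extern` from every analyzer's scope and nothing on the line records why; the first four entries match GitLab's documented default, so `extern` is the only project-specific addition and the one a later reader will question. A comment above the line, e.g. `# extern: vendored third-party code; findings there are not ours to fix` (assuming that is the reason), would keep the exclusion from being widened casually. The `variables:` block this hunk edits starts before the hunk.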

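--- /dev/null
+++ b/.gitlab/sast-ruleset.toml
@@ -0,0 +1,71 @@
+[flawfinder]
+[[flawfinder.ruleset]]
+disable = true
+[flawfinder.ruleset.identifier]
+type = "flawfinder_func_name"
+value = "readlink" # openmw isn't a privileged process
+[[flawfinder.ruleset]]
+disable = true
+[flawfinder.ruleset.identifier]
+type = "flawfinder_func_name"
+value = "access" # openmw isn't a privileged process
+[[flawfinder.ruleset]]
+disable = true
+[flawfinder.ruleset.identifier]
+type = "flawfinder_func_name"
+value = "random" # duh.
+[[flawfinder.ruleset]]
+disable = true
+[flawfinder.ruleset.identifier]
+type = "flawfinder_func_name"
+value = "getenv" # duh.
+[[flawfinder.ruleset]]
+disable = true
+[flawfinder.ruleset.identifier]
+type = "flawfinder_func_name"
+value = "open" # openmw isn't a privileged process
+[[flawfinder.ruleset]]
+disable = true
+[flawfinder.ruleset.identifier]
+type = "flawfinder_func_name"
+value = "char" # too many false positives
+[[flawfinder.ruleset]]
+disable = true
+[flawfinder.ruleset.identifier]
+type = "flawfinder_func_name"
+value = "read" # too many false positives
+[[flawfinder.ruleset]]
+disable = true
+[flawfinder.ruleset.identifier]
+type = "flawfinder_func_name"
+value = "snprintf" # too many false positives
+[[flawfinder.ruleset]]
+disable = true
+[flawfinder.ruleset.identifier]
+type = "flawfinder_func_name"
+value = "strlen" # too many false positives
+[[flawfinder.ruleset]]
+disable = true
+[flawfinder.ruleset.identifier]
+type = "flawfinder_func_name"
+value = "mkstemp" # openmw doesn't run on old Unix systems
+[[flawfinder.ruleset]]
+disable = true
+[flawfinder.ruleset.identifier]
+type = "flawfinder_func_name"
+value = "fopen" # openmw isn't a privileged process
+[[flawfinder.ruleset]]
+disable = true
+[flawfinder.ruleset.identifier]
+type = "flawfinder_func_name"
+value = "equal" # only false positives, sigh
+[[flawfinder.ruleset]]
+disable = true
+[flawfinder.ruleset.identifier]
+type = "flawfinder_func_name"
+value = "_snprintf" # only false positives, sigh
+[[flawfinder.ruleset]]
+disable = true
+[flawfinder.ruleset.identifier]
+type = "flawfinder_func_name"
+value = "printf" # only false positives, sigh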
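Review bot: The two `# duh.` comments on the `random` and `getenv` entries record no rationale, so a later reader cannot tell whether the warning was judged irrelevant or merely noisy; flawfinder reports `getenv` because environment values are attacker-influenced input and `random` because it is not a cryptographic source, and a note in the shape of `# getenv: nothing security-sensitive is read from the environment -- confirm` on each would keep the suppression reviewable. The blanket disables of `printf`, `snprintf` and `_snprintf` also switch off the non-constant-format-string check for the whole tree; if the false positives cluster in a few directories, the `SAST_EXCLUDED_PATHS` variable this commit sets in `.gitlab-ci.yml` narrows the scan there instead, at the cost of every other rule for those paths, which may be the better trade. As a matter of TOML style, the rationale reads more clearly as a comment on the line above each `[[flawfinder.ruleset]]` header than as a trailing comment on the `value` line, but that is cosmetic.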