Make use of Gitlab's SAST

https://docs.gitlab.com/ee/user/application_security/sast/
2025-01-31 18:45:36 +00:00 · 2022-04-02 14:25:12 +00:00 · 2022-04-02 14:25:12 +00:00 · a8020d8076
commit a8020d8076
parent 964f288c13
2 changed files with 77 additions and 0 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -1,6 +1,10 @@
+include:
+  - template: Security/SAST.gitlab-ci.yml
+
 # Note: We set `needs` on each job to control the job DAG.
 # See https://docs.gitlab.com/ee/ci/yaml/#needs
 stages:
+  - test
  - build

 # https://blog.nimbleways.com/let-s-make-faster-gitlab-ci-cd-pipelines/
@ -10,6 +14,8 @@ variables:
  # These can be specified per job or per pipeline
  ARTIFACT_COMPRESSION_LEVEL: "fast"
  CACHE_COMPRESSION_LEVEL: "fast"
+  SAST_EXCLUDED_ANALYZERS: bandit,eslint
+  SAST_EXCLUDED_PATHS: spec,test,tests,tmp,extern

 .Ubuntu_Image:
  tags:
--- a/.gitlab/sast-ruleset.toml
+++ b/.gitlab/sast-ruleset.toml
@ -0,0 +1,71 @@
+[flawfinder]
+	[[flawfinder.ruleset]]
+		disable = true
+		[flawfinder.ruleset.identifier]
+			type = "flawfinder_func_name"
+			value = "readlink"  # openmw isn't a privileged process
+	[[flawfinder.ruleset]]
+		disable = true
+		[flawfinder.ruleset.identifier]
+			type = "flawfinder_func_name"
+			value = "access"  # openmw isn't a privileged process
+	[[flawfinder.ruleset]]
+		disable = true
+		[flawfinder.ruleset.identifier]
+			type = "flawfinder_func_name"
+			value = "random"  # duh.
+	[[flawfinder.ruleset]]
+		disable = true
+		[flawfinder.ruleset.identifier]
+			type = "flawfinder_func_name"
+			value = "getenv"  # duh.
+	[[flawfinder.ruleset]]
+		disable = true
+		[flawfinder.ruleset.identifier]
+			type = "flawfinder_func_name"
+			value = "open" # openmw isn't a privileged process
+	[[flawfinder.ruleset]]
+		disable = true
+		[flawfinder.ruleset.identifier]
+			type = "flawfinder_func_name"
+			value = "char"  # too many false positives
+	[[flawfinder.ruleset]]
+		disable = true
+		[flawfinder.ruleset.identifier]
+			type = "flawfinder_func_name"
+			value = "read"  # too many false positives
+	[[flawfinder.ruleset]]
+		disable = true
+		[flawfinder.ruleset.identifier]
+			type = "flawfinder_func_name"
+			value = "snprintf"  # too many false positives
+	[[flawfinder.ruleset]]
+		disable = true
+		[flawfinder.ruleset.identifier]
+			type = "flawfinder_func_name"
+			value = "strlen"  # too many false positives
+	[[flawfinder.ruleset]]
+		disable = true
+		[flawfinder.ruleset.identifier]
+			type = "flawfinder_func_name"
+			value = "mkstemp"  # openmw doesn't run on old Unix systems
+	[[flawfinder.ruleset]]
+		disable = true
+		[flawfinder.ruleset.identifier]
+			type = "flawfinder_func_name"
+			value = "fopen"   # openmw isn't a privileged process
+	[[flawfinder.ruleset]]
+		disable = true
+		[flawfinder.ruleset.identifier]
+			type = "flawfinder_func_name"
+			value = "equal"  # only false positives, sigh
+	[[flawfinder.ruleset]]
+		disable = true
+		[flawfinder.ruleset.identifier]
+			type = "flawfinder_func_name"
+			value = "_snprintf"  # only false positives, sigh
+	[[flawfinder.ruleset]]
+		disable = true
+		[flawfinder.ruleset.identifier]
+			type = "flawfinder_func_name"
+			value = "printf"  # only false positives, sigh