Make use of Gitlab's SAST
https://docs.gitlab.com/ee/user/application_security/sast/
This commit is contained in:
parent
964f288c13
commit
a8020d8076
2 changed files with 77 additions and 0 deletions
|
@ -1,6 +1,10 @@
|
|||
include:
|
||||
- template: Security/SAST.gitlab-ci.yml
|
||||
|
||||
# Note: We set `needs` on each job to control the job DAG.
|
||||
# See https://docs.gitlab.com/ee/ci/yaml/#needs
|
||||
stages:
|
||||
- test
|
||||
- build
|
||||
|
||||
# https://blog.nimbleways.com/let-s-make-faster-gitlab-ci-cd-pipelines/
|
||||
|
@ -10,6 +14,8 @@ variables:
|
|||
# These can be specified per job or per pipeline
|
||||
ARTIFACT_COMPRESSION_LEVEL: "fast"
|
||||
CACHE_COMPRESSION_LEVEL: "fast"
|
||||
SAST_EXCLUDED_ANALYZERS: bandit,eslint
|
||||
SAST_EXCLUDED_PATHS: spec,test,tests,tmp,extern
|
||||
|
||||
.Ubuntu_Image:
|
||||
tags:
|
||||
|
|
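--- /dev/null
+++ b/.gitlab/sast-ruleset.toml
@@ -0,0 +1,71 @@
+[flawfinder]
+[[flawfinder.ruleset]]
+disable = true
+[flawfinder.ruleset.identifier]
+type = "flawfinder_func_name"
+value = "readlink" # openmw isn't a privileged process
+[[flawfinder.ruleset]]
+disable = true
+[flawfinder.ruleset.identifier]
+type = "flawfinder_func_name"
+value = "access" # openmw isn't a privileged process
+[[flawfinder.ruleset]]
+disable = true
+[flawfinder.ruleset.identifier]
+type = "flawfinder_func_name"
+value = "random" # duh.
+[[flawfinder.ruleset]]
+disable = true
+[flawfinder.ruleset.identifier]
+type = "flawfinder_func_name"
+value = "getenv" # duh.
+[[flawfinder.ruleset]]
+disable = true
+[flawfinder.ruleset.identifier]
+type = "flawfinder_func_name"
+value = "open" # openmw isn't a privileged process
+[[flawfinder.ruleset]]
+disable = true
+[flawfinder.ruleset.identifier]
+type = "flawfinder_func_name"
+value = "char" # too many false positives
+[[flawfinder.ruleset]]
+disable = true
+[flawfinder.ruleset.identifier]
+type = "flawfinder_func_name"
+value = "read" # too many false positives
+[[flawfinder.ruleset]]
+disable = true
+[flawfinder.ruleset.identifier]
+type = "flawfinder_func_name"
+value = "snprintf" # too many false positives
+[[flawfinder.ruleset]]
+disable = true
+[flawfinder.ruleset.identifier]
+type = "flawfinder_func_name"
+value = "strlen" # too many false positives
+[[flawfinder.ruleset]]
+disable = true
+[flawfinder.ruleset.identifier]
+type = "flawfinder_func_name"
+value = "mkstemp" # openmw doesn't run on old Unix systems
+[[flawfinder.ruleset]]
+disable = true
+[flawfinder.ruleset.identifier]
+type = "flawfinder_func_name"
+value = "fopen" # openmw isn't a privileged process
+[[flawfinder.ruleset]]
+disable = true
+[flawfinder.ruleset.identifier]
+type = "flawfinder_func_name"
+value = "equal" # only false positives, sigh
+[[flawfinder.ruleset]]
+disable = true
+[flawfinder.ruleset.identifier]
+type = "flawfinder_func_name"
+value = "_snprintf" # only false positives, sigh
+[[flawfinder.ruleset]]
+disable = true
+[flawfinder.ruleset.identifier]
+type = "flawfinder_func_name"
+value = "printf" # only false positives, sigh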
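Review bot: The `open`, `fopen`, `readlink` and `access` entries are disabled with the rationale `# openmw isn't a privileged process`, but flawfinder reports these functions for path-handling and check-then-use (TOCTOU) patterns, which matter regardless of privilege wherever the engine opens paths derived from user-supplied content such as mods or configuration files; the comment should record why those patterns do not apply here rather than rest on privilege alone, e.g. `# unprivileged process; paths come from local config/data dirs, no check-then-use — confirm`. The `random` and `getenv` entries carry only `# duh.`, which gives a later reader no way to re-evaluate the suppression — state the actual reason, e.g. `# random: not used for security-relevant values` and `# getenv: environment is trusted, values never reach a shell`, adjusted to what the code actually does. Since `disable = true` hides every finding for that function across the whole tree, a concrete one-line rationale per entry is what keeps this ruleset auditable as the codebase changes.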