Refine SAST analyzer language detection by frameworks

Certain SAST scanners rely on frameworks, not just languages so we should aim for properly detecting those when possible

Refine SAST analyzer language detection by frameworks
Certain SAST scanners rely on frameworks, not just languages so we should aim for properly detecting those when possible
5bfb234e · Lucas Charles · 77612ded · 5bfb234e · 5bfb234e · 5bfb234e
Commit 5bfb234e authored May 27, 2020 by Lucas Charles
3 changed files
--- a/changelogs/unreleased/218414-refine-sast-analyzer-language-detection.yml
+++ b/changelogs/unreleased/218414-refine-sast-analyzer-language-detection.yml
+---
+title: Refine SAST language detection by frameworks
+merge_request: 33226
+author:
+type: changed
--- a/ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
+++ b/ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
@@ -63,17 +63,18 @@ describe 'SAST.gitlab-ci.yml' do
            'C'                    | { 'app.c' => '' }                    | {}                                        | %w(flawfinder-sast secrets-sast)
            'C++'                  | { 'app.cpp' => '' }                  | {}                                        | %w(flawfinder-sast secrets-sast)
            'C#'                   | { 'app.csproj' => '' }               | {}                                        | %w(security-code-scan-sast secrets-sast)
-            'Elixir'               | { 'mix.ex' => '' }                   | {}                                        | %w(sobelow-sast secrets-sast)
+            'Elixir'               | { 'mix.exs' => '' }                  | {}                                        | %w(sobelow-sast secrets-sast)
            'Golang'               | { 'main.go' => '' }                  | {}                                        | %w(gosec-sast secrets-sast)
            'Groovy'               | { 'app.groovy' => '' }               | {}                                        | %w(spotbugs-sast secrets-sast)
            'Java'                 | { 'app.java' => '' }                 | {}                                        | %w(spotbugs-sast secrets-sast)
-            'Javascript'           | { 'app.js' => '' }                   | {}                                        | %w(eslint-sast nodejs-scan-sast secrets-sast)
+            'Javascript'           | { 'app.js' => '' }                   | {}                                        | %w(eslint-sast secrets-sast)
+            'Javascript Node'      | { 'package.json' => '' }             | {}                                        | %w(nodejs-scan-sast secrets-sast)
            'HTML'                 | { 'index.html' => '' }               | {}                                        | %w(eslint-sast secrets-sast)
            'Kubernetes Manifests' | { 'Chart.yaml' => '' }               | { 'SCAN_KUBERNETES_MANIFESTS' => 'true' } | %w(kubesec-sast secrets-sast)
-            'Multiple languages'   | { 'app.java' => '', 'app.js' => '' } | {}                                        | %w(eslint-sast nodejs-scan-sast spotbugs-sast secrets-sast)
+            'Multiple languages'   | { 'app.java' => '', 'app.js' => '' } | {}                                        | %w(eslint-sast spotbugs-sast secrets-sast)
            'PHP'                  | { 'app.php' => '' }                  | {}                                        | %w(phpcs-security-audit-sast secrets-sast)
            'Python'               | { 'app.py' => '' }                   | {}                                        | %w(bandit-sast secrets-sast)
-            'Ruby'                 | { 'application.rb' => '' }           | {}                                        | %w(brakeman-sast secrets-sast)
+            'Ruby'                 | { 'config/routes.rb' => '' }         | {}                                        | %w(brakeman-sast secrets-sast)
            'Scala'                | { 'app.scala' => '' }                | {}                                        | %w(spotbugs-sast secrets-sast)
            'Typescript'           | { 'app.ts' => '' }                   | {}                                        | %w(tslint-sast secrets-sast)
            'Visual Basic'         | { 'app.vbproj' => '' }               | {}                                        | %w(security-code-scan-sast secrets-sast)

--- a/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
@@ -83,7 +83,7 @@ brakeman-sast:
          $GITLAB_FEATURES =~ /\bsast\b/ &&
          $SAST_DEFAULT_ANALYZERS =~ /brakeman/
      exists:
-        - '**/*.rb'
+        - 'config/routes.rb'
 eslint-sast:
  extends: .sast-analyzer
@@ -149,7 +149,7 @@ nodejs-scan-sast:
          $GITLAB_FEATURES =~ /\bsast\b/ &&
          $SAST_DEFAULT_ANALYZERS =~ /nodejs-scan/
      exists:
-        - '**/*.js'
+        - 'package.json'
 phpcs-security-audit-sast:
  extends: .sast-analyzer
@@ -213,8 +213,7 @@ sobelow-sast:
          $GITLAB_FEATURES =~ /\bsast\b/ &&
          $SAST_DEFAULT_ANALYZERS =~ /sobelow/
      exists:
-        - '**/*.ex'
+        - 'mix.exs'
-        - '**/*.exs'
 spotbugs-sast:
  extends: .sast-analyzer