Add Example to SAST Rule Set Overrides

Add additional information on Overriding predefined rules of SAST analyzers. This makes it easier to verify which rule is being overwritten.

Add Example to SAST Rule Set Overrides
Add additional information on Overriding predefined rules of SAST analyzers. This makes it easier to verify which rule is being overwritten.
6c8e46f9 · Fern · Russell Dickenson · fdef60bb · 6c8e46f9
Commit 6c8e46f9 authored Mar 11, 2022 by Fern Committed by Russell Dickenson Mar 11, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 27 additions and 15 deletions

doc/user/application_security/sast/index.md doc/user/application_security/sast/index.md +27 -15

No files found.
--- a/doc/user/application_security/sast/index.md
+++ b/doc/user/application_security/sast/index.md
@@ -315,7 +315,6 @@ To disable analyzer rules:
 1. In one or more `ruleset.identifier` sub sections, list the rules that you want disabled. Every `ruleset.identifier` section has:

 - a `type` field, to name the predefined rule identifier that the targeted analyzer uses.
-
 - a `value` field, to name the rule to be disabled.

 ##### Example: Disable predefined rules of SAST analyzers
@@ -345,6 +344,9 @@ and `sobelow` by matching the `type` and `value` of identifiers:
      value = "sql_injection"
 ```

+Those vulnerabilities containing the provided type and value are now disabled, meaning
+they won't be displayed in Merge Request nor the Vulnerability Report.
+
 #### Override predefined analyzer rules

 To override analyzer rules:
@@ -365,30 +367,40 @@ To override analyzer rules:

 ##### Example: Override predefined rules of SAST analyzers

-In the following example, rules from `eslint`
-and `gosec` are matched by the `type` and `value` of identifiers and
-then overridden:
+Before adding a ruleset, we verify which vulnerability will be overwritten by viewing the [`gl-sast-report.json`](#reports-json-format):
+
+```json
+"identifiers": [
+        {
+          "type": "gosec_rule_id",
+          "name": "Gosec Rule ID G307",
+          "value": "G307"
+        },
+        {
+          "type": "CWE",
+          "name": "CWE-703",
+          "value": "703",
+          "url": "https://cwe.mitre.org/data/definitions/703.html"
+        }
+      ]
+```
+
+In the following example, rules from `gosec` are matched by the `type`
+and `value` of identifiers and then overridden:

 ```toml
-[eslint]
-  [[eslint.ruleset]]
-    [eslint.ruleset.identifier]
-      type = "eslint_rule_id"
-      value = "security/detect-object-injection"
-    [eslint.ruleset.override]
-      description = "OVERRIDDEN description"
-      message = "OVERRIDDEN message"
-      name = "OVERRIDDEN name"
-      severity = "Critical"
 [gosec]
  [[gosec.ruleset]]
    [gosec.ruleset.identifier]
        type = "CWE"
-        value = "CWE-79"
+        value = "703"
    [gosec.ruleset.override]
      severity = "Critical"
 ```

+If a vulnerability is found with a type `CWE` with a value of `703` then
+the vulnerability severity is overwritten to `Critical`. 
+
 #### Synthesize a custom configuration

 To create a custom configuration, you can use passthrough chains.