Merge branch 'fern-sast-override' into 'master'

Add Example to SAST Rule Set Overrides See merge request gitlab-org/gitlab!82439

Merge branch 'fern-sast-override' into 'master'
Add Example to SAST Rule Set Overrides See merge request gitlab-org/gitlab!82439
b5f62689 · Russell Dickenson · fdef60bb · 6c8e46f9 · b5f62689
Commit b5f62689 authored Mar 11, 2022 by Russell Dickenson
Show whitespace changes
Inline Side-by-side

Showing with 27 additions and 15 deletions

doc/user/application_security/sast/index.md doc/user/application_security/sast/index.md +27 -15

No files found.
--- a/doc/user/application_security/sast/index.md
+++ b/doc/user/application_security/sast/index.md
@@ -315,7 +315,6 @@ To disable analyzer rules:
 1. In one or more `ruleset.identifier` sub sections, list the rules that you want disabled. Every `ruleset.identifier` section has:

 - a `type` field, to name the predefined rule identifier that the targeted analyzer uses.
-
 - a `value` field, to name the rule to be disabled.

 ##### Example: Disable predefined rules of SAST analyzers
@@ -345,6 +344,9 @@ and `sobelow` by matching the `type` and `value` of identifiers:
      value = "sql_injection"
 ```

+Those vulnerabilities containing the provided type and value are now disabled, meaning
+they won't be displayed in Merge Request nor the Vulnerability Report.
+
 #### Override predefined analyzer rules

 To override analyzer rules:
@@ -365,30 +367,40 @@ To override analyzer rules:

 ##### Example: Override predefined rules of SAST analyzers

-In the following example, rules from `eslint`
-and `gosec` are matched by the `type` and `value` of identifiers and
-then overridden:
+Before adding a ruleset, we verify which vulnerability will be overwritten by viewing the [`gl-sast-report.json`](#reports-json-format):
+
+```json
+"identifiers": [
+        {
+          "type": "gosec_rule_id",
+          "name": "Gosec Rule ID G307",
+          "value": "G307"
+        },
+        {
+          "type": "CWE",
+          "name": "CWE-703",
+          "value": "703",
+          "url": "https://cwe.mitre.org/data/definitions/703.html"
+        }
+      ]
+```
+
+In the following example, rules from `gosec` are matched by the `type`
+and `value` of identifiers and then overridden:

 ```toml
-[eslint]
-  [[eslint.ruleset]]
-    [eslint.ruleset.identifier]
-      type = "eslint_rule_id"
-      value = "security/detect-object-injection"
-    [eslint.ruleset.override]
-      description = "OVERRIDDEN description"
-      message = "OVERRIDDEN message"
-      name = "OVERRIDDEN name"
-      severity = "Critical"
 [gosec]
  [[gosec.ruleset]]
    [gosec.ruleset.identifier]
        type = "CWE"
-        value = "CWE-79"
+        value = "703"
    [gosec.ruleset.override]
      severity = "Critical"
 ```

+If a vulnerability is found with a type `CWE` with a value of `703` then
+the vulnerability severity is overwritten to `Critical`. 
+
 #### Synthesize a custom configuration

 To create a custom configuration, you can use passthrough chains.