Over the course of a project’s life cycle, code is moved around. Refactoring, additions to the code base, and removals will all happen. Our current fingerprinting of findings is too coarse and results in a lot of duplicated findings over time as code is moved around. SAST and Secret Detection findings currently use location within a file to declare where they exist within a codebase. Over time we lose the ability to track the movement of a finding as lines are added to, or removed from, the file above the finding in question. This reality makes it hard to discern findings that are truly new, especially in the context of a merge request. We’ve developed a new vulnerability tracking algorithm that is more advanced and looks at the signature of a vulnerability rather than just its location. This new tracking improves the accuracy of identifying the same vulnerability that has moved locations due to code refactoring. We’ve now brought this new vulnerability tracking system to our GoSec (Go), Semgrep (JavaScript, TypeScript, React, and Python), and Brakeman (Ruby and Ruby on Rails) analyzers.
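To make the location-versus-signature distinction concrete, here is an added example (not the analyzers' or GitLab's own code, and not the algorithm the post describes). It assumes a toy scanner, a constructed rule id and file path, and a hypothetical signature built from the enclosing function name plus the normalized vulnerable line. A refactor that inserts lines above the finding changes the location-based fingerprint but leaves the signature-based one stable, while a genuinely new finding in another function still shows up as new under both schemes.

```python
import hashlib
import re

RULE_ID = "subprocess-shell-true"   # constructed rule id, not a real analyzer's
PATH = "app/runner.py"              # constructed path

# Constructed sample: the same file before and after a refactor that adds a
# logging helper above the vulnerable call, moving it from line 4 to line 9.
BEFORE = """\
import subprocess

def run(cmd):
    return subprocess.run(cmd, shell=True)  # finding: shell=True
"""

AFTER = """\
import subprocess
import logging

def log(msg):
    logging.info(msg)

def run(cmd):
    log("running")
    return subprocess.run(cmd, shell=True)  # finding: shell=True
"""

# A later revision that also introduces a genuinely new instance elsewhere.
AFTER_WITH_NEW = AFTER + """
def listing(path):
    return subprocess.run("ls " + path, shell=True)
"""


def _sha(*parts):
    return hashlib.sha256("\x00".join(parts).encode()).hexdigest()[:16]


def enclosing_scope(lines, idx):
    """Walk upward from lines[idx] to the nearest def/class header at a
    smaller indent; that name anchors the finding independently of line numbers."""
    indent = len(lines[idx]) - len(lines[idx].lstrip())
    for i in range(idx - 1, -1, -1):
        m = re.match(r"^(\s*)(def|class)\s+(\w+)", lines[i])
        if m and len(m.group(1)) < indent:
            return m.group(3)
    return "<module>"


def normalize(line):
    """Drop a trailing comment and collapse whitespace so cosmetic edits do
    not change the signature (naive: a '#' inside a string would be cut too)."""
    code = line.split("#", 1)[0]
    return re.sub(r"\s+", " ", code).strip()


def scan(source, pattern=r"shell=True"):
    """Toy scanner: every line matching the pattern is one finding."""
    lines = source.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if re.search(pattern, line):
            findings.append({
                "rule": RULE_ID, "path": PATH, "line": i + 1,
                "scope": enclosing_scope(lines, i), "code": normalize(line),
            })
    return findings


def location_fingerprint(f):
    """Coarse scheme: rule + file + line number. Breaks whenever lines shift."""
    return _sha(f["rule"], f["path"], str(f["line"]))


def signature_fingerprint(f):
    """Signature scheme: rule + file + enclosing scope + normalized code."""
    return _sha(f["rule"], f["path"], f["scope"], f["code"])


def track(old, new, fingerprint):
    """Classify findings from the new scan as existing or new relative to the old scan."""
    known = {fingerprint(f) for f in old}
    return {
        "existing": [f for f in new if fingerprint(f) in known],
        "new": [f for f in new if fingerprint(f) not in known],
    }


if __name__ == "__main__":
    old, new = scan(BEFORE), scan(AFTER)
    print("by location:", {k: len(v) for k, v in track(old, new, location_fingerprint).items()})
    print("by signature:", {k: len(v) for k, v in track(old, new, signature_fingerprint).items()})
    print("later revision by signature:",
          {k: len(v) for k, v in track(old, scan(AFTER_WITH_NEW), signature_fingerprint).items()})
```

The location scheme reports the moved finding as one new and one resolved issue on every merge request that touches the lines above it; the signature scheme keeps the finding's identity across the refactor and only flags the instance added in `listing` as new.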