Enhance sast-rule python/xml/rule-expatreader.yml
According to gitlab-org/gitlab#434275 (closed), this commit improves the detection of a series of features in the XML parsing package. The scope of detection has been expanded according to https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b313-b320-xml, which goes beyond the functionality described in the issue, but captures the essence of the existing rule.
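As an added illustration, not code from the MR or from the rule file it changes: a small AST-based checker that flags the XML parsing calls in Bandit's B313-B320 list after resolving import aliases, which is the breadth the description says the rule was widened to. The sink table is my transcription of the linked Bandit page (stdlib entries only, lxml left out) and the sample source is constructed.

```python
import ast
# XML sinks from Bandit's B313-B320 blacklist (stdlib only; lxml entries omitted).
XML_SINKS = {f"{mod}.{fn}" for mod, fns in {
    "xml.etree.ElementTree": ("parse", "iterparse", "fromstring", "XMLParser"),
    "xml.sax": ("parse", "parseString", "make_parser"),
    "xml.sax.expatreader": ("create_parser",),
    "xml.dom.expatbuilder": ("parse", "parseString"),
    "xml.dom.minidom": ("parse", "parseString"),
    "xml.dom.pulldom": ("parse", "parseString"),
}.items() for fn in fns}

class XmlSinkFinder(ast.NodeVisitor):
    # Resolves import aliases so `from xml.sax import expatreader as er;
    # er.create_parser()` still matches the fully qualified sink name.
    def __init__(self):
        self.aliases = {}   # local name -> fully qualified name it refers to
        self.findings = []  # (line number, fully qualified sink name)
    def visit_Import(self, node):
        for a in node.names:  # plain `import xml.sax.expatreader` binds `xml`,
            if a.asname:      # which needs no mapping; `... as er` binds `er`
                self.aliases[a.asname] = a.name
    def visit_ImportFrom(self, node):
        for a in node.names:  # `from xml.dom.minidom import parseString as ps`
            self.aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    def visit_Call(self, node):
        qualified = self._qualname(node.func)
        if qualified in XML_SINKS:
            self.findings.append((node.lineno, qualified))
        self.generic_visit(node)  # a sink may sit inside another call's arguments
    def _qualname(self, expr):
        parts = []  # walk `a.b.c` down to its root Name, then expand the root
        while isinstance(expr, ast.Attribute):
            parts.append(expr.attr)
            expr = expr.value
        if not isinstance(expr, ast.Name):
            return None  # e.g. a method called on the result of another call
        parts.append(self.aliases.get(expr.id, expr.id))
        return ".".join(reversed(parts))

def find_xml_sinks(source):  # returns [(line, sink)] for every blacklisted call
    finder = XmlSinkFinder()
    finder.visit(ast.parse(source))
    return finder.findings

# Constructed sample: two import styles the rule must catch, plus a decoy call.
SAMPLE = """import xml.sax.expatreader
from xml.dom.minidom import parseString as ps
p = xml.sax.expatreader.create_parser()
doc = ps(data)
json.loads(data)
"""
```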
Merge request reports
Activity
requested review from @jdsalaro, @mhenriksen, @idawson, and @dbolkensteyn
assigned to @vrizny-ext
@vrizny-ext as a reminder we try to add to our real world apps before creating rules. This allows us to confirm that the code is actually valid and vulnerable before we bother making updates to the sast rules.
removed review request for @idawson
removed review request for @mhenriksen and @dbolkensteyn
@dbolkensteyn @mhenriksen @idawson, unassigned you from this one as I am the DRI for this one and the multiple assignments stem from the time external contributors were assigning each MR to everyone for review.
This is done in order to even the load using Reviewer Roulette, background in gitlab-org/gitlab#439694 (comment 1781640636)
@vrizny-ext, whenever you merge main into the feature branch for your rule, danger-bot should comment with a reviewer and a maintainer to go over your MR. If this doesn't happen, feel free to force the reviewer and maintainer selection by labelling the sast-rules MR Danger bot.
Edited by Jayson Salazar Rodriguez