Gitlab CI/CD および Security/SAST.gitlab-ci.yml で明らかな脆弱性が見つからない問題

• 目標に関する詳細を含める

脆弱なコード部分に対して Gitlab Ci Cd Semgrep 分析を実行し、結果の json の脆弱性を確認します。

• いくつかのコードを表示します。

    protected String injectableQuery(String accountName) {
        try (Connection connection = dataSource.getConnection()) {
            String query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
            try (Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE)) {
                ResultSet results = statement.executeQuery(query);
                return results.getCursorName() + getRandomKey(results.getCursorName(), 42);
            } catch (SQLException sqle) {
                return "very bad";
            }
        } catch (Exception e) {
            return "bad";
        }
    }

    private static Key getRandomKey(String cipher, int keySize) {
        byte[] randomKeyBytes = new byte[keySize / 8];
        Random random = new Random();
        random.nextBytes(randomKeyBytes);
        return new SecretKeySpec(randomKeyBytes, cipher);
    }

このダミーコードには 2 つの重大な脆弱性があります。

1 -String query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";SQL インジェクションのフラグを立てる必要があります

2 - Random random = new Random();これはまったく安全ではないため、断片を立てる必要があります。

• 私が試したことを説明してください:

公式 Gitlab チュートリアルに従い、この gitlab ci yml を思いつきました。

# You can override the included template(s) by including variable overrides
# SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
# Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
# Dependency Scanning customization: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#customizing-the-dependency-scanning-settings
# Container Scanning customization: https://docs.gitlab.com/ee/user/application_security/container_scanning/#customizing-the-container-scanning-settings
# Note that environment variables can be set in several places
# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
stages:
- test

include:
- template: Security/SAST.gitlab-ci.yml


sast:
  stage: test
  artifacts:
    paths: [ "gl-sast-report.json" ]
    reports:
      sast: gl-sast-report.json

ジョブは緑色で、ログの部分は次のとおりです。

Executing "step_script" stage of the job script
00:09
Using docker image sha256:4413a95f36c35287e4ec54fff96c6fb455ad86fef9c2ca5da983675fdc919964 for registry.gitlab.com/security-products/semgrep:4 with digest registry.gitlab.com/security-products/semgrep@sha256:0f7f19c60a36aa26283fc6c4eca3f6c3d4623f94bdf90e2e99dd1801aa96a49c ...
$ /analyzer run
[INFO] [Semgrep] [2024-04-08T00:59:22Z] ▶ GitLab Semgrep analyzer v4.13.3
[INFO] [Semgrep] [2024-04-08T00:59:22Z] ▶ Detecting project
[INFO] [Semgrep] [2024-04-08T00:59:22Z] ▶ Analyzer will attempt to analyze all projects in the repository
[INFO] [Semgrep] [2024-04-08T00:59:22Z] ▶ Running analyzer
[WARN] [Semgrep] [2024-04-08T00:59:22Z] ▶ /builds/demovulnerabilities/.gitlab/sast-ruleset.toml not found, ruleset support will be disabled.
[INFO] [Semgrep] [2024-04-08T00:59:31Z] ▶ Creating report
[WARN] [Semgrep] [2024-04-08T00:59:31Z] ▶ .gitlab/sast-ruleset.toml not found, ruleset support will be disabled.
Uploading artifacts for successful job
00:01
Uploading artifacts...
gl-sast-report.json: found 1 matching artifact files and directories 
Uploading artifacts as "sast" to coordinator... 201 Created  id=88269421 responseStatus=201 Created token=glcbt-64
Cleaning up project directory and file based variables
00:00
Job succeeded

• 期待される結果について説明します:

gl-sast-report.json レポートに 2 つの脆弱性が記載されることを期待しています。

• 実際の結果を説明します:

残念ながら、レポートは次のように空として表示されます。

{
    "version": "15.0.7",
    "vulnerabilities": [],
    "dependency_files": [],
    "scan": {
        "analyzer": {
            "id": "semgrep",
            "name": "Semgrep",
            "url": "https://gitlab.com/gitlab-org/security-products/analyzers/semgrep",
            "vendor": {
                "name": "GitLab"
            },
            "version": "4.13.3"
        },
        "scanner": {
            "id": "semgrep",
            "name": "Semgrep",
            "url": "https://github.com/returntocorp/semgrep",
            "vendor": {
                "name": "GitLab"
            },
            "version": "1.64.0"
        },
        "type": "sast",
        "start_time": "2024-04-08T02:27:43",
        "end_time": "2024-04-08T02:27:50",
        "status": "success"
    }
}

• 質問：

私は無料枠の Gitlab を利用していますが、Gitlab 内のビジュアル セキュリティタブやセキュリティレポートにアクセスできないことを理解しています。

しかし、最も結果の gl-sast-report.json に脆弱性があることを期待していました。

この理解は間違っていますか?

レポート gl-sast-report.json の脆弱性を確認するにはどうすればよいですか?