Move remaining secure analyzers to core

Why: * https://gitlab.com/groups/gitlab-org/-/epics/2098 This change addresses the need by: * Remove required check for sast feature in CI template * Remove required check for secret feature in CI template * Document when analyzers were moved to core

Move remaining secure analyzers to core
Why: * https://gitlab.com/groups/gitlab-org/-/epics/2098 This change addresses the need by: * Remove required check for sast feature in CI template * Remove required check for secret feature in CI template * Document when analyzers were moved to core
08c7b06b · Daniel Paul Searles · 20c10042 · 08c7b06b · 08c7b06b · 08c7b06b
Commit 08c7b06b authored Jul 22, 2020 by Daniel Paul Searles
7 changed files
--- a/changelogs/unreleased/sa-to-core.yml
+++ b/changelogs/unreleased/sa-to-core.yml
+---
+title: Bring SAST to Core - bandit, Flawfinder, Gitleaks, Gosec, Kubesec, NodeJsScan, phpcs-security-audit, PMD, Security Code Scan, Sobelow, SpotBugs
+merge_request: 37648
+author:
+type: changed
--- a/doc/user/application_security/sast/index.md
+++ b/doc/user/application_security/sast/index.md
@@ -71,25 +71,25 @@ The following table shows which languages, package managers and frameworks are s
 | Language (package managers) / framework                                     | Scan tool                                                                              | Introduced in GitLab Version |
 |-----------------------------------------------------------------------------|----------------------------------------------------------------------------------------|------------------------------|
-| .NET Core                                                                   | [Security Code Scan](https://security-code-scan.github.io)                             | 11.0                             |
+| .NET Core                                                                   | [Security Code Scan](https://security-code-scan.github.io)                             | 11.0, [moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.3 |
-| .NET Framework                                                              | [Security Code Scan](https://security-code-scan.github.io)                             | 13.0                             |
+| .NET Framework                                                              | [Security Code Scan](https://security-code-scan.github.io)                             | 13.0, [moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.3 |
-| Any                                                                         | [Gitleaks](https://github.com/zricethezav/gitleaks) and [TruffleHog](https://github.com/dxa4481/truffleHog) | 11.9        |
+| Any                                                                         | [Gitleaks](https://github.com/zricethezav/gitleaks) and [TruffleHog](https://github.com/dxa4481/truffleHog) | 11., [moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.3 |
-| Apex (Salesforce)                                                           | [PMD](https://pmd.github.io/pmd/index.html)                                            | 12.1                             |
+| Apex (Salesforce)                                                           | [PMD](https://pmd.github.io/pmd/index.html)                                            | 12.1, [moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.3 |
-| C/C++                                                                       | [Flawfinder](https://github.com/david-a-wheeler/flawfinder)                            | 10.7                             |
+| C/C++                                                                       | [Flawfinder](https://github.com/david-a-wheeler/flawfinder)                            | 10.7, [moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.3 |
-| Elixir (Phoenix)                                                            | [Sobelow](https://github.com/nccgroup/sobelow)                                         | 11.10                            |
+| Elixir (Phoenix)                                                            | [Sobelow](https://github.com/nccgroup/sobelow)                                         | 11.10, [moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.3 |
-| Go                                                                          | [Gosec](https://github.com/securego/gosec)                                             | 10.7                             |
+| Go                                                                          | [Gosec](https://github.com/securego/gosec)                                             | 10.7, [moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.3 |
-| Groovy ([Ant](https://ant.apache.org/), [Gradle](https://gradle.org/), [Maven](https://maven.apache.org/) and [SBT](https://www.scala-sbt.org/)) | [SpotBugs](https://spotbugs.github.io/) with the     [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 11.3 (Gradle) & 11.9 (Ant, Maven, SBT) |
+| Groovy ([Ant](https://ant.apache.org/), [Gradle](https://gradle.org/), [Maven](https://maven.apache.org/) and [SBT](https://www.scala-sbt.org/)) | [SpotBugs](https://spotbugs.github.io/) with the     [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 11.3 (Gradle) & 11.9 (Ant, Maven, SBT), [moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.3 |
-| Helm Charts                                                                 | [Kubesec](https://github.com/controlplaneio/kubesec)                                   | 13.1                             |
+| Helm Charts                                                                 | [Kubesec](https://github.com/controlplaneio/kubesec)                                   | 13.1, [moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.3 |
-| Java ([Ant](https://ant.apache.org/), [Gradle](https://gradle.org/), [Maven](https://maven.apache.org/) and [SBT](https://www.scala-sbt.org/)) | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 10.6 (Maven), 10.8 (Gradle) & 11.9 (Ant, SBT) |
+| Java ([Ant](https://ant.apache.org/), [Gradle](https://gradle.org/), [Maven](https://maven.apache.org/) and [SBT](https://www.scala-sbt.org/)) | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 10.6 (Maven), 10.8 (Gradle) & 11.9 (Ant, SBT), [moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.3 |
-| JavaScript                                                                  | [ESLint security plugin](https://github.com/nodesecurity/eslint-plugin-security)       | 11.8, moved to [GitLab Core](https://about.gitlab.com/pricing/) in 13.2  |
+| JavaScript                                                                  | [ESLint security plugin](https://github.com/nodesecurity/eslint-plugin-security)       | 11.8, [moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.2 |
-| Kubernetes manifests                                                        | [Kubesec](https://github.com/controlplaneio/kubesec)                                   | 12.6                         |
+| Kubernetes manifests                                                        | [Kubesec](https://github.com/controlplaneio/kubesec)                                   | 12.6, [moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.3 |
-| Node.js                                                                     | [NodeJsScan](https://github.com/ajinabraham/NodeJsScan)                                | 11.1                         |
+| Node.js                                                                     | [NodeJsScan](https://github.com/ajinabraham/NodeJsScan)                                | 11.1, [moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.3 |
-| PHP                                                                         | [phpcs-security-audit](https://github.com/FloeDesignTechnologies/phpcs-security-audit) | 10.8                         |
+| PHP                                                                         | [phpcs-security-audit](https://github.com/FloeDesignTechnologies/phpcs-security-audit) | 10.8, [moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.3 |
-| Python ([pip](https://pip.pypa.io/en/stable/))                              | [bandit](https://github.com/PyCQA/bandit)                                              | 10.3                         |
+| Python ([pip](https://pip.pypa.io/en/stable/))                              | [bandit](https://github.com/PyCQA/bandit)                                              | 10.3, [moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.3 |
-| React                                                                       | [ESLint react plugin](https://github.com/yannickcr/eslint-plugin-react)                | 12.5                         |
+| React                                                                       | [ESLint react plugin](https://github.com/yannickcr/eslint-plugin-react)                | 12.5, [moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.2 |
-| Ruby on Rails                                                               | [brakeman](https://brakemanscanner.org)                                                | 10.3, moved to [GitLab Core](https://about.gitlab.com/pricing/) in 13.1  |
+| Ruby on Rails                                                               | [brakeman](https://brakemanscanner.org)                                                | 10.3, [moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.1 |
-| Scala ([Ant](https://ant.apache.org/), [Gradle](https://gradle.org/), [Maven](https://maven.apache.org/) and [SBT](https://www.scala-sbt.org/)) | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 11.0 (SBT) & 11.9 (Ant, Gradle, Maven) |
+| Scala ([Ant](https://ant.apache.org/), [Gradle](https://gradle.org/), [Maven](https://maven.apache.org/) and [SBT](https://www.scala-sbt.org/)) | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 11.0 (SBT) & 11.9 (Ant, Gradle, Maven), [moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.3 |
-| TypeScript                                                                  | [ESLint security plugin](https://github.com/nodesecurity/eslint-plugin-security)       | 11.9, merged with ESLint in 13.2 |
+| TypeScript                                                                  | [ESLint security plugin](https://github.com/nodesecurity/eslint-plugin-security)       | 11.9, [merged](https://gitlab.com/gitlab-org/gitlab/-/issues/36059) with ESLint in 13.2 |
 NOTE: **Note:**
 The Java analyzers can also be used for variants like the
@@ -98,7 +98,7 @@ The Java analyzers can also be used for variants like the
 ### Making SAST analyzers available to all GitLab tiers
-All open source (OSS) analyzers are in the process of being reviewed and potentially moved to the GitLab Core tier. Progress can be
+All open source (OSS) analyzers have been moved to the GitLab Core tier. Progress can be
 tracked in the corresponding
 [epic](https://gitlab.com/groups/gitlab-org/-/epics/2098).

--- a/doc/user/application_security/secret_detection/index.md
+++ b/doc/user/application_security/secret_detection/index.md
@@ -19,7 +19,7 @@ malicious users to gain access to resources like deployment environments.
 GitLab 11.9 includes a new check called Secret Detection. It scans the content of the repository
 to find API keys and other information that should not be there.
-GitLab displays identified secrets as part of the SAST reports visibly in a few places:
+GitLab displays identified secrets visibly in a few places:
 - [Security Dashboard](../security_dashboard/)
 - Pipelines' **Security** tab
@@ -46,6 +46,25 @@ CAUTION: **Caution:**
 If you use your own Runners, make sure the Docker version installed
 is **not** `19.03.0`. See [troubleshooting information](../sast#error-response-from-daemon-error-processing-tar-file-docker-tar-relocation-error) for details.
+### Making Secret Detection available to all GitLab tiers
+To make Secret Detection available to as many customers as possible, we have enabled it for all GitLab tiers.
+However not all features are available on every tier. See the breakdown below for more details.
+#### Summary of features per tier
+Different features are available in different [GitLab tiers](https://about.gitlab.com/pricing/),
+as shown in the following table:
+| Capability                                                                | In Core             | In Ultimate        |
+|:--------------------------------------------------------------------------|:--------------------|:-------------------|
+| [Configure Secret Detection Scanners](#configuration)                                 | **{check-circle}**  | **{check-circle}** |
+| [Customize Secret Detection Settings](#customizing-settings)                 | **{check-circle}**  | **{check-circle}** |
+| View [JSON Report](../sast/index.md#reports-json-format)                                  | **{check-circle}**  | **{check-circle}** |
+| [Presentation of JSON Report in Merge Request](#overview)                 | **{dotted-circle}** | **{check-circle}** |
+| [Interaction with Vulnerabilities](../vulnerabilities/index.md) | **{dotted-circle}** | **{check-circle}** |
+| [Access to Security Dashboard](../security_dashboard/index.md)                       | **{dotted-circle}** | **{check-circle}** |
 ## Configuration
 NOTE: **Note:**

--- a/ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
+++ b/ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
@@ -21,28 +21,6 @@ RSpec.describe 'SAST.gitlab-ci.yml' do
    end
    context 'when project has no license' do
-      it 'includes no jobs' do
-        expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
-      end
-    end
-    context 'when project has Ultimate license' do
-      let(:license) { create(:license, plan: License::ULTIMATE_PLAN) }
-      before do
-        allow(License).to receive(:current).and_return(license)
-      end
-      context 'when SAST_DISABLE_DIND=false' do
-        before do
-          create(:ci_variable, project: project, key: 'SAST_DISABLE_DIND', value: 'false')
-        end
-        it 'includes orchestrator job' do
-          expect(build_names).to match_array(%w[sast])
-        end
-      end
      context 'when SAST_DISABLED=1' do
        before do
          create(:ci_variable, project: project, key: 'SAST_DISABLED', value: '1')
@@ -96,5 +74,23 @@ RSpec.describe 'SAST.gitlab-ci.yml' do
        end
      end
    end
+    context 'when project has Ultimate license' do
+      let(:license) { create(:license, plan: License::ULTIMATE_PLAN) }
+      before do
+        allow(License).to receive(:current).and_return(license)
+      end
+      context 'when SAST_DISABLE_DIND=false' do
+        before do
+          create(:ci_variable, project: project, key: 'SAST_DISABLE_DIND', value: 'false')
+        end
+        it 'includes orchestrator job' do
+          expect(build_names).to match_array(%w[sast])
+        end
+      end
+    end
  end
 end
--- a/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
@@ -52,8 +52,7 @@ sast:
  rules:
    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
      when: never
-    - if: $CI_COMMIT_BRANCH &&
+    - if: $CI_COMMIT_BRANCH
-          $GITLAB_FEATURES =~ /\bsast\b/
  script:
    - /analyzer run
@@ -65,7 +64,6 @@ bandit-sast:
    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
      when: never
    - if: $CI_COMMIT_BRANCH &&
-          $GITLAB_FEATURES =~ /\bsast\b/ &&
          $SAST_DEFAULT_ANALYZERS =~ /bandit/
      exists:
        - '**/*.py'
@@ -106,7 +104,6 @@ flawfinder-sast:
    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
      when: never
    - if: $CI_COMMIT_BRANCH &&
-          $GITLAB_FEATURES =~ /\bsast\b/ &&
          $SAST_DEFAULT_ANALYZERS =~ /flawfinder/
      exists:
        - '**/*.c'
@@ -120,7 +117,6 @@ kubesec-sast:
    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
      when: never
    - if: $CI_COMMIT_BRANCH &&
-          $GITLAB_FEATURES =~ /\bsast\b/ &&
          $SAST_DEFAULT_ANALYZERS =~ /kubesec/ &&
          $SCAN_KUBERNETES_MANIFESTS == 'true'
@@ -132,7 +128,6 @@ gosec-sast:
    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
      when: never
    - if: $CI_COMMIT_BRANCH &&
-          $GITLAB_FEATURES =~ /\bsast\b/ &&
          $SAST_DEFAULT_ANALYZERS =~ /gosec/
      exists:
        - '**/*.go'
@@ -145,7 +140,6 @@ nodejs-scan-sast:
    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
      when: never
    - if: $CI_COMMIT_BRANCH &&
-          $GITLAB_FEATURES =~ /\bsast\b/ &&
          $SAST_DEFAULT_ANALYZERS =~ /nodejs-scan/
      exists:
        - 'package.json'
@@ -158,7 +152,6 @@ phpcs-security-audit-sast:
    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
      when: never
    - if: $CI_COMMIT_BRANCH &&
-          $GITLAB_FEATURES =~ /\bsast\b/ &&
          $SAST_DEFAULT_ANALYZERS =~ /phpcs-security-audit/
      exists:
        - '**/*.php'
@@ -171,7 +164,6 @@ pmd-apex-sast:
    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
      when: never
    - if: $CI_COMMIT_BRANCH &&
-          $GITLAB_FEATURES =~ /\bsast\b/ &&
          $SAST_DEFAULT_ANALYZERS =~ /pmd-apex/
      exists:
        - '**/*.cls'
@@ -184,7 +176,6 @@ secrets-sast:
    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
      when: never
    - if: $CI_COMMIT_BRANCH &&
-          $GITLAB_FEATURES =~ /\bsast\b/ &&
          $SAST_DEFAULT_ANALYZERS =~ /secrets/
 security-code-scan-sast:
@@ -195,7 +186,6 @@ security-code-scan-sast:
    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
      when: never
    - if: $CI_COMMIT_BRANCH &&
-          $GITLAB_FEATURES =~ /\bsast\b/ &&
          $SAST_DEFAULT_ANALYZERS =~ /security-code-scan/
      exists:
        - '**/*.csproj'
@@ -209,7 +199,6 @@ sobelow-sast:
    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
      when: never
    - if: $CI_COMMIT_BRANCH &&
-          $GITLAB_FEATURES =~ /\bsast\b/ &&
          $SAST_DEFAULT_ANALYZERS =~ /sobelow/
      exists:
        - 'mix.exs'
@@ -222,7 +211,6 @@ spotbugs-sast:
    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
      when: never
    - if: $CI_COMMIT_BRANCH &&
-          $GITLAB_FEATURES =~ /\bsast\b/ &&
          $SAST_DEFAULT_ANALYZERS =~ /spotbugs/
      exists:
        - '**/*.groovy'

--- a/lib/gitlab/ci/templates/Security/Secret-Detection.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/Secret-Detection.gitlab-ci.yml
@@ -21,8 +21,7 @@ secret_detection_default_branch:
  rules:
    - if: $SECRET_DETECTION_DISABLED
      when: never
-    - if: $CI_DEFAULT_BRANCH == $CI_COMMIT_BRANCH &&
+    - if: $CI_DEFAULT_BRANCH == $CI_COMMIT_BRANCH
-          $GITLAB_FEATURES =~ /\bsecret_detection\b/
  script:
    - /analyzer run
@@ -31,8 +30,7 @@ secret_detection:
  rules:
    - if: $SECRET_DETECTION_DISABLED
      when: never
-    - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH &&
+    - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
-          $GITLAB_FEATURES =~ /\bsecret_detection\b/
  script:
    - git fetch origin $CI_DEFAULT_BRANCH $CI_BUILD_REF_NAME
    - export SECRET_DETECTION_COMMIT_TO=$(git log --left-right --cherry-pick --pretty=format:"%H" refs/remotes/origin/$CI_DEFAULT_BRANCH...refs/remotes/origin/$CI_BUILD_REF_NAME | tail -n 1)

--- a/spec/services/ci/create_pipeline_service_spec.rb
+++ b/spec/services/ci/create_pipeline_service_spec.rb
@@ -512,7 +512,7 @@ RSpec.describe Ci::CreatePipelineService do
        it 'pull it from Auto-DevOps' do
          pipeline = execute_service
          expect(pipeline).to be_auto_devops_source
-          expect(pipeline.builds.map(&:name)).to match_array(%w[build code_quality eslint-sast test])
+          expect(pipeline.builds.map(&:name)).to match_array(%w[build code_quality eslint-sast secret_detection_default_branch secrets-sast test])
        end
      end