Merge branch '220540-drop-ds-sast-dind' into 'master'

Drop DinD for SAST, DS See merge request gitlab-org/gitlab!41260

Merge branch '220540-drop-ds-sast-dind' into 'master'
Drop DinD for SAST, DS See merge request gitlab-org/gitlab!41260
1ed313c6 · Mayra Cabrera · 5bdbf365 · c4cff21e · 1ed313c6 · 1ed313c6
Commit 1ed313c6 authored Sep 04, 2020 by Mayra Cabrera
5 changed files
--- a/changelogs/unreleased/220540-drop-ds-sast-dind.yml
+++ b/changelogs/unreleased/220540-drop-ds-sast-dind.yml
+---
+title: Drop Docker-in-Docker mode for SAST and Dependency Scanning
+merge_request: 41260
+author:
+type: removed
--- a/ee/spec/lib/gitlab/ci/templates/dependency_scanning_gitlab_ci_yaml_spec.rb
+++ b/ee/spec/lib/gitlab/ci/templates/dependency_scanning_gitlab_ci_yaml_spec.rb
@@ -33,16 +33,6 @@ RSpec.describe 'Dependency-Scanning.gitlab-ci.yml' do
        allow(License).to receive(:current).and_return(license)
      end

-      context 'when DS_DISABLE_DIND=false' do
-        before do
-          create(:ci_variable, project: project, key: 'DS_DISABLE_DIND', value: 'false')
-        end
-
-        it 'includes orchestrator job' do
-          expect(build_names).to match_array(%w[dependency_scanning])
-        end
-      end
-
      context 'when DEPENDENCY_SCANNING_DISABLED=1' do
        before do
          create(:ci_variable, project: project, key: 'DEPENDENCY_SCANNING_DISABLED', value: '1')

--- a/ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
+++ b/ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
@@ -73,23 +73,5 @@ RSpec.describe 'SAST.gitlab-ci.yml' do
        end
      end
    end
-
-    context 'when project has Ultimate license' do
-      let(:license) { create(:license, plan: License::ULTIMATE_PLAN) }
-
-      before do
-        allow(License).to receive(:current).and_return(license)
-      end
-
-      context 'when SAST_DISABLE_DIND=false' do
-        before do
-          create(:ci_variable, project: project, key: 'SAST_DISABLE_DIND', value: 'false')
-        end
-
-        it 'includes orchestrator job' do
-          expect(build_names).to match_array(%w[sast])
-        end
-      end
-    end
  end
 end
--- a/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
@@ -12,81 +12,24 @@ variables:
  DS_DEFAULT_ANALYZERS: "bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python"
  DS_EXCLUDED_PATHS: "spec, test, tests, tmp"
  DS_MAJOR_VERSION: 2
-  DS_DISABLE_DIND: "true"

 dependency_scanning:
  stage: test
-  image: docker:stable
-  variables:
-    DOCKER_DRIVER: overlay2
-    DOCKER_TLS_CERTDIR: ""
-  allow_failure: true
-  services:
-    - docker:stable-dind
  script:
-    - |
-      if ! docker info &>/dev/null; then
-        if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
-          export DOCKER_HOST='tcp://localhost:2375'
-        fi
-      fi
-    - | # this is required to avoid undesirable reset of Docker image ENV variables being set on build stage
-      function propagate_env_vars() {
-        CURRENT_ENV=$(printenv)
-
-        for VAR_NAME; do
-          echo $CURRENT_ENV | grep "${VAR_NAME}=" > /dev/null && echo "--env $VAR_NAME "
-        done
-      }
-    - |
-      docker run \
-        $(propagate_env_vars \
-          DS_ANALYZER_IMAGES \
-          SECURE_ANALYZERS_PREFIX \
-          DS_ANALYZER_IMAGE_TAG \
-          DS_DEFAULT_ANALYZERS \
-          DS_EXCLUDED_PATHS \
-          DS_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \
-          DS_PULL_ANALYZER_IMAGE_TIMEOUT \
-          DS_RUN_ANALYZER_TIMEOUT \
-          DS_PYTHON_VERSION \
-          DS_PIP_VERSION \
-          DS_PIP_DEPENDENCY_PATH \
-          DS_JAVA_VERSION \
-          GEMNASIUM_DB_LOCAL_PATH \
-          GEMNASIUM_DB_REMOTE_URL \
-          GEMNASIUM_DB_REF_NAME \
-          PIP_INDEX_URL \
-          PIP_EXTRA_INDEX_URL \
-          PIP_REQUIREMENTS_FILE \
-          MAVEN_CLI_OPTS \
-          GRADLE_CLI_OPTS \
-          SBT_CLI_OPTS \
-          BUNDLER_AUDIT_UPDATE_DISABLED \
-          BUNDLER_AUDIT_ADVISORY_DB_URL \
-          BUNDLER_AUDIT_ADVISORY_DB_REF_NAME \
-          RETIREJS_JS_ADVISORY_DB \
-          RETIREJS_NODE_ADVISORY_DB \
-          DS_REMEDIATE \
-        ) \
-        --volume "$PWD:/code" \
-        --volume /var/run/docker.sock:/var/run/docker.sock \
-        "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$DS_MAJOR_VERSION" /code
+    - echo "$CI_JOB_NAME is used for configuration only, and its script should not be executed"
+    - exit 1
  artifacts:
    reports:
      dependency_scanning: gl-dependency-scanning-report.json
  dependencies: []
  rules:
-    - if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'true'
-      when: never
-    - if: $CI_COMMIT_BRANCH &&
-          $GITLAB_FEATURES =~ /\bdependency_scanning\b/
+    - when: never

 .ds-analyzer:
  extends: dependency_scanning
-  services: []
+  allow_failure: true
  rules:
-    - if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
+    - if: $DEPENDENCY_SCANNING_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bdependency_scanning\b/
@@ -100,7 +43,7 @@ gemnasium-dependency_scanning:
  variables:
    DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium:$DS_MAJOR_VERSION"
  rules:
-    - if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
+    - if: $DEPENDENCY_SCANNING_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
@@ -123,7 +66,7 @@ gemnasium-maven-dependency_scanning:
  variables:
    DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION"
  rules:
-    - if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
+    - if: $DEPENDENCY_SCANNING_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
@@ -141,7 +84,7 @@ gemnasium-python-dependency_scanning:
  variables:
    DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-python:$DS_MAJOR_VERSION"
  rules:
-    - if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
+    - if: $DEPENDENCY_SCANNING_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
@@ -166,7 +109,7 @@ bundler-audit-dependency_scanning:
  variables:
    DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/bundler-audit:$DS_MAJOR_VERSION"
  rules:
-    - if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
+    - if: $DEPENDENCY_SCANNING_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
@@ -181,7 +124,7 @@ retire-js-dependency_scanning:
  variables:
    DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/retire.js:$DS_MAJOR_VERSION"
  rules:
-    - if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
+    - if: $DEPENDENCY_SCANNING_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&

--- a/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
@@ -12,45 +12,26 @@ variables:
  SAST_DEFAULT_ANALYZERS: "bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, sobelow, pmd-apex, kubesec"
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
  SAST_ANALYZER_IMAGE_TAG: 2
-  SAST_DISABLE_DIND: "true"
  SCAN_KUBERNETES_MANIFESTS: "false"

 sast:
  stage: test
-  allow_failure: true
  artifacts:
    reports:
      sast: gl-sast-report.json
  rules:
-    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'true'
-      when: never
-    - if: $CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bsast\b/
-  image: docker:stable
+    - when: never
  variables:
    SEARCH_MAX_DEPTH: 4
-    DOCKER_DRIVER: overlay2
-    DOCKER_TLS_CERTDIR: ""
-  services:
-    - docker:stable-dind
  script:
-    - |
-      if ! docker info &>/dev/null; then
-        if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
-          export DOCKER_HOST='tcp://localhost:2375'
-        fi
-      fi
-    - |
-      docker run \
-        $(awk 'BEGIN{for(v in ENVIRON) print v}' | grep -v -E '^(DOCKER_|CI|GITLAB_|FF_|HOME|PWD|OLDPWD|PATH|SHLVL|HOSTNAME)' | awk '{printf " -e %s", $0}') \
-        --volume "$PWD:/code" \
-        --volume /var/run/docker.sock:/var/run/docker.sock \
-        "registry.gitlab.com/gitlab-org/security-products/sast:$SAST_ANALYZER_IMAGE_TAG" /app/bin/run /code
+    - echo "$CI_JOB_NAME is used for configuration only, and its script should not be executed"
+    - exit 1

 .sast-analyzer:
  extends: sast
-  services: []
+  allow_failure: true
  rules:
-    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
+    - if: $SAST_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH
  script:
@@ -63,7 +44,7 @@ bandit-sast:
  variables:
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/bandit:$SAST_ANALYZER_IMAGE_TAG"
  rules:
-    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
+    - if: $SAST_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $SAST_DEFAULT_ANALYZERS =~ /bandit/
@@ -77,7 +58,7 @@ brakeman-sast:
  variables:
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG"
  rules:
-    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
+    - if: $SAST_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $SAST_DEFAULT_ANALYZERS =~ /brakeman/
@@ -91,7 +72,7 @@ eslint-sast:
  variables:
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/eslint:$SAST_ANALYZER_IMAGE_TAG"
  rules:
-    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
+    - if: $SAST_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $SAST_DEFAULT_ANALYZERS =~ /eslint/
@@ -109,7 +90,7 @@ flawfinder-sast:
  variables:
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/flawfinder:$SAST_ANALYZER_IMAGE_TAG"
  rules:
-    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
+    - if: $SAST_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $SAST_DEFAULT_ANALYZERS =~ /flawfinder/
@@ -124,7 +105,7 @@ kubesec-sast:
  variables:
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kubesec:$SAST_ANALYZER_IMAGE_TAG"
  rules:
-    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
+    - if: $SAST_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $SAST_DEFAULT_ANALYZERS =~ /kubesec/ &&
@@ -137,7 +118,7 @@ gosec-sast:
  variables:
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gosec:$SAST_ANALYZER_IMAGE_TAG"
  rules:
-    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
+    - if: $SAST_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $SAST_DEFAULT_ANALYZERS =~ /gosec/
@@ -151,7 +132,7 @@ nodejs-scan-sast:
  variables:
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
  rules:
-    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
+    - if: $SAST_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $SAST_DEFAULT_ANALYZERS =~ /nodejs-scan/
@@ -165,7 +146,7 @@ phpcs-security-audit-sast:
  variables:
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/phpcs-security-audit:$SAST_ANALYZER_IMAGE_TAG"
  rules:
-    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
+    - if: $SAST_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $SAST_DEFAULT_ANALYZERS =~ /phpcs-security-audit/
@@ -179,7 +160,7 @@ pmd-apex-sast:
  variables:
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/pmd-apex:$SAST_ANALYZER_IMAGE_TAG"
  rules:
-    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
+    - if: $SAST_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $SAST_DEFAULT_ANALYZERS =~ /pmd-apex/
@@ -193,7 +174,7 @@ security-code-scan-sast:
  variables:
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG"
  rules:
-    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
+    - if: $SAST_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $SAST_DEFAULT_ANALYZERS =~ /security-code-scan/
@@ -208,7 +189,7 @@ sobelow-sast:
  variables:
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/sobelow:$SAST_ANALYZER_IMAGE_TAG"
  rules:
-    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
+    - if: $SAST_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $SAST_DEFAULT_ANALYZERS =~ /sobelow/
@@ -222,7 +203,7 @@ spotbugs-sast:
  variables:
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/spotbugs:$SAST_ANALYZER_IMAGE_TAG"
  rules:
-    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
+    - if: $SAST_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $SAST_DEFAULT_ANALYZERS =~ /spotbugs/