Use full template names in on demand scans

Not using full template names for on demand scans causes problems with template inclusion tracking.

Use full template names in on demand scans
Not using full template names for on demand scans causes problems with template inclusion tracking.
7926b9de · Matija Čupić · e9122bfd · 7926b9de · 7926b9de · 7926b9de
Commit 7926b9de authored Sep 01, 2021 by Matija Čupić
10 changed files
--- a/config/metrics/counts_28d/20210216184559_ci_templates_total_unique_counts_monthly.yml
+++ b/config/metrics/counts_28d/20210216184559_ci_templates_total_unique_counts_monthly.yml
@@ -15,20 +15,148 @@ instrumentation_class: RedisHLLMetric
 options:
  events:
  - p_ci_templates_implicit_auto_devops
-  - p_ci_templates_implicit_auto_devops_build
-  - p_ci_templates_implicit_auto_devops_deploy
-  - p_ci_templates_implicit_security_sast
-  - p_ci_templates_implicit_security_secret_detection
  - p_ci_templates_5_min_production_app
-  - p_ci_templates_auto_devops
  - p_ci_templates_aws_cf_deploy_ec2
-  - p_ci_templates_aws_deploy_ecs
  - p_ci_templates_auto_devops_build
  - p_ci_templates_auto_devops_deploy
  - p_ci_templates_auto_devops_deploy_latest
+  - p_ci_templates_terraform_base_latest
+  - p_ci_templates_terraform_base
+  - p_ci_templates_dotnet
+  - p_ci_templates_nodejs
+  - p_ci_templates_openshift
+  - p_ci_templates_auto_devops
+  - p_ci_templates_bash
+  - p_ci_templates_rust
+  - p_ci_templates_elixir
+  - p_ci_templates_clojure
+  - p_ci_templates_crystal
+  - p_ci_templates_getting_started
+  - p_ci_templates_code_quality
+  - p_ci_templates_verify_load_performance_testing
+  - p_ci_templates_verify_accessibility
+  - p_ci_templates_verify_failfast
+  - p_ci_templates_verify_browser_performance
+  - p_ci_templates_verify_browser_performance_latest
+  - p_ci_templates_grails
  - p_ci_templates_security_sast
+  - p_ci_templates_security_dast_runner_validation
+  - p_ci_templates_security_dast_on_demand_scan
  - p_ci_templates_security_secret_detection
-  - p_ci_templates_terraform_base_latest
+  - p_ci_templates_security_license_scanning
+  - p_ci_templates_security_coverage_fuzzing
+  - p_ci_templates_security_api_fuzzing_latest
+  - p_ci_templates_security_secure_binaries
+  - p_ci_templates_security_dast_api
+  - p_ci_templates_security_container_scanning
+  - p_ci_templates_security_dast_latest
+  - p_ci_templates_security_dependency_scanning
+  - p_ci_templates_security_api_fuzzing
+  - p_ci_templates_security_dast
+  - p_ci_templates_security_cluster_image_scanning
+  - p_ci_templates_ios_fastlane
+  - p_ci_templates_composer
+  - p_ci_templates_c
+  - p_ci_templates_python
+  - p_ci_templates_android_fastlane
+  - p_ci_templates_django
+  - p_ci_templates_maven
+  - p_ci_templates_flutter
+  - p_ci_templates_workflows_branch_pipelines
+  - p_ci_templates_workflows_mergerequest_pipelines
+  - p_ci_templates_laravel
+  - p_ci_templates_managed_cluster_applications
+  - p_ci_templates_php
+  - p_ci_templates_packer
+  - p_ci_templates_terraform
+  - p_ci_templates_mono
+  - p_ci_templates_serverless
+  - p_ci_templates_go
+  - p_ci_templates_scala
+  - p_ci_templates_latex
+  - p_ci_templates_android
+  - p_ci_templates_indeni_cloudrail
+  - p_ci_templates_deploy_ecs
+  - p_ci_templates_aws_cf_provision_and_deploy_ec2
+  - p_ci_templates_aws_deploy_ecs
+  - p_ci_templates_gradle
+  - p_ci_templates_chef
+  - p_ci_templates_jobs_dast_default_branch_deploy
+  - p_ci_templates_jobs_load_performance_testing
+  - p_ci_templates_jobs_helm_2to3
+  - p_ci_templates_jobs_sast
+  - p_ci_templates_jobs_secret_detection
+  - p_ci_templates_jobs_code_intelligence
+  - p_ci_templates_jobs_code_quality
+  - p_ci_templates_jobs_deploy_ecs
+  - p_ci_templates_jobs_deploy_ec2
+  - p_ci_templates_jobs_deploy
+  - p_ci_templates_jobs_build
+  - p_ci_templates_jobs_browser_performance_testing
+  - p_ci_templates_jobs_test
+  - p_ci_templates_jobs_deploy_latest
+  - p_ci_templates_jobs_browser_performance_testing_latest
+  - p_ci_templates_jobs_cf_provision
+  - p_ci_templates_jobs_build_latest
+  - p_ci_templates_terraform_latest
+  - p_ci_templates_swift
+  - p_ci_templates_pages_jekyll
+  - p_ci_templates_pages_harp
+  - p_ci_templates_pages_octopress
+  - p_ci_templates_pages_brunch
+  - p_ci_templates_pages_doxygen
+  - p_ci_templates_pages_hyde
+  - p_ci_templates_pages_lektor
+  - p_ci_templates_pages_jbake
+  - p_ci_templates_pages_hexo
+  - p_ci_templates_pages_middleman
+  - p_ci_templates_pages_hugo
+  - p_ci_templates_pages_pelican
+  - p_ci_templates_pages_nanoc
+  - p_ci_templates_pages_swaggerui
+  - p_ci_templates_pages_jigsaw
+  - p_ci_templates_pages_metalsmith
+  - p_ci_templates_pages_gatsby
+  - p_ci_templates_pages_html
+  - p_ci_templates_dart
+  - p_ci_templates_docker
+  - p_ci_templates_julia
+  - p_ci_templates_npm
+  - p_ci_templates_dotnet_core
+  - p_ci_templates_5_minute_production_app
+  - p_ci_templates_ruby
+  - p_ci_templates_implicit_jobs_dast_default_branch_deploy
+  - p_ci_templates_implicit_jobs_load_performance_testing
+  - p_ci_templates_implicit_jobs_helm_2to3
+  - p_ci_templates_implicit_jobs_sast
+  - p_ci_templates_implicit_jobs_secret_detection
+  - p_ci_templates_implicit_jobs_code_intelligence
+  - p_ci_templates_implicit_jobs_code_quality
+  - p_ci_templates_implicit_jobs_deploy_ecs
+  - p_ci_templates_implicit_jobs_deploy_ec2
+  - p_ci_templates_implicit_auto_devops_deploy
+  - p_ci_templates_implicit_auto_devops_build
+  - p_ci_templates_implicit_jobs_browser_performance_testing
+  - p_ci_templates_implicit_jobs_test
+  - p_ci_templates_implicit_auto_devops_deploy_latest
+  - p_ci_templates_implicit_jobs_browser_performance_testing_latest
+  - p_ci_templates_implicit_jobs_cf_provision
+  - p_ci_templates_implicit_jobs_build_latest
+  - p_ci_templates_implicit_security_sast
+  - p_ci_templates_implicit_security_dast_runner_validation
+  - p_ci_templates_implicit_security_dast_on_demand_scan
+  - p_ci_templates_implicit_security_secret_detection
+  - p_ci_templates_implicit_security_license_scanning
+  - p_ci_templates_implicit_security_coverage_fuzzing
+  - p_ci_templates_implicit_security_api_fuzzing_latest
+  - p_ci_templates_implicit_security_secure_binaries
+  - p_ci_templates_implicit_security_dast_api
+  - p_ci_templates_implicit_security_container_scanning
+  - p_ci_templates_implicit_security_dast_latest
+  - p_ci_templates_implicit_security_dependency_scanning
+  - p_ci_templates_implicit_security_api_fuzzing
+  - p_ci_templates_implicit_security_dast
+  - p_ci_templates_implicit_security_cluster_image_scanning
 distribution:
 - ce
 - ee

--- a/config/metrics/counts_7d/20210216184557_ci_templates_total_unique_counts_weekly.yml
+++ b/config/metrics/counts_7d/20210216184557_ci_templates_total_unique_counts_weekly.yml
@@ -15,20 +15,148 @@ instrumentation_class: RedisHLLMetric
 options:
  events:
  - p_ci_templates_implicit_auto_devops
-  - p_ci_templates_implicit_auto_devops_build
-  - p_ci_templates_implicit_auto_devops_deploy
-  - p_ci_templates_implicit_security_sast
-  - p_ci_templates_implicit_security_secret_detection
  - p_ci_templates_5_min_production_app
-  - p_ci_templates_auto_devops
  - p_ci_templates_aws_cf_deploy_ec2
-  - p_ci_templates_aws_deploy_ecs
  - p_ci_templates_auto_devops_build
  - p_ci_templates_auto_devops_deploy
  - p_ci_templates_auto_devops_deploy_latest
+  - p_ci_templates_terraform_base_latest
+  - p_ci_templates_terraform_base
+  - p_ci_templates_dotnet
+  - p_ci_templates_nodejs
+  - p_ci_templates_openshift
+  - p_ci_templates_auto_devops
+  - p_ci_templates_bash
+  - p_ci_templates_rust
+  - p_ci_templates_elixir
+  - p_ci_templates_clojure
+  - p_ci_templates_crystal
+  - p_ci_templates_getting_started
+  - p_ci_templates_code_quality
+  - p_ci_templates_verify_load_performance_testing
+  - p_ci_templates_verify_accessibility
+  - p_ci_templates_verify_failfast
+  - p_ci_templates_verify_browser_performance
+  - p_ci_templates_verify_browser_performance_latest
+  - p_ci_templates_grails
  - p_ci_templates_security_sast
+  - p_ci_templates_security_dast_runner_validation
+  - p_ci_templates_security_dast_on_demand_scan
  - p_ci_templates_security_secret_detection
-  - p_ci_templates_terraform_base_latest
+  - p_ci_templates_security_license_scanning
+  - p_ci_templates_security_coverage_fuzzing
+  - p_ci_templates_security_api_fuzzing_latest
+  - p_ci_templates_security_secure_binaries
+  - p_ci_templates_security_dast_api
+  - p_ci_templates_security_container_scanning
+  - p_ci_templates_security_dast_latest
+  - p_ci_templates_security_dependency_scanning
+  - p_ci_templates_security_api_fuzzing
+  - p_ci_templates_security_dast
+  - p_ci_templates_security_cluster_image_scanning
+  - p_ci_templates_ios_fastlane
+  - p_ci_templates_composer
+  - p_ci_templates_c
+  - p_ci_templates_python
+  - p_ci_templates_android_fastlane
+  - p_ci_templates_django
+  - p_ci_templates_maven
+  - p_ci_templates_flutter
+  - p_ci_templates_workflows_branch_pipelines
+  - p_ci_templates_workflows_mergerequest_pipelines
+  - p_ci_templates_laravel
+  - p_ci_templates_managed_cluster_applications
+  - p_ci_templates_php
+  - p_ci_templates_packer
+  - p_ci_templates_terraform
+  - p_ci_templates_mono
+  - p_ci_templates_serverless
+  - p_ci_templates_go
+  - p_ci_templates_scala
+  - p_ci_templates_latex
+  - p_ci_templates_android
+  - p_ci_templates_indeni_cloudrail
+  - p_ci_templates_deploy_ecs
+  - p_ci_templates_aws_cf_provision_and_deploy_ec2
+  - p_ci_templates_aws_deploy_ecs
+  - p_ci_templates_gradle
+  - p_ci_templates_chef
+  - p_ci_templates_jobs_dast_default_branch_deploy
+  - p_ci_templates_jobs_load_performance_testing
+  - p_ci_templates_jobs_helm_2to3
+  - p_ci_templates_jobs_sast
+  - p_ci_templates_jobs_secret_detection
+  - p_ci_templates_jobs_code_intelligence
+  - p_ci_templates_jobs_code_quality
+  - p_ci_templates_jobs_deploy_ecs
+  - p_ci_templates_jobs_deploy_ec2
+  - p_ci_templates_jobs_deploy
+  - p_ci_templates_jobs_build
+  - p_ci_templates_jobs_browser_performance_testing
+  - p_ci_templates_jobs_test
+  - p_ci_templates_jobs_deploy_latest
+  - p_ci_templates_jobs_browser_performance_testing_latest
+  - p_ci_templates_jobs_cf_provision
+  - p_ci_templates_jobs_build_latest
+  - p_ci_templates_terraform_latest
+  - p_ci_templates_swift
+  - p_ci_templates_pages_jekyll
+  - p_ci_templates_pages_harp
+  - p_ci_templates_pages_octopress
+  - p_ci_templates_pages_brunch
+  - p_ci_templates_pages_doxygen
+  - p_ci_templates_pages_hyde
+  - p_ci_templates_pages_lektor
+  - p_ci_templates_pages_jbake
+  - p_ci_templates_pages_hexo
+  - p_ci_templates_pages_middleman
+  - p_ci_templates_pages_hugo
+  - p_ci_templates_pages_pelican
+  - p_ci_templates_pages_nanoc
+  - p_ci_templates_pages_swaggerui
+  - p_ci_templates_pages_jigsaw
+  - p_ci_templates_pages_metalsmith
+  - p_ci_templates_pages_gatsby
+  - p_ci_templates_pages_html
+  - p_ci_templates_dart
+  - p_ci_templates_docker
+  - p_ci_templates_julia
+  - p_ci_templates_npm
+  - p_ci_templates_dotnet_core
+  - p_ci_templates_5_minute_production_app
+  - p_ci_templates_ruby
+  - p_ci_templates_implicit_jobs_dast_default_branch_deploy
+  - p_ci_templates_implicit_jobs_load_performance_testing
+  - p_ci_templates_implicit_jobs_helm_2to3
+  - p_ci_templates_implicit_jobs_sast
+  - p_ci_templates_implicit_jobs_secret_detection
+  - p_ci_templates_implicit_jobs_code_intelligence
+  - p_ci_templates_implicit_jobs_code_quality
+  - p_ci_templates_implicit_jobs_deploy_ecs
+  - p_ci_templates_implicit_jobs_deploy_ec2
+  - p_ci_templates_implicit_auto_devops_deploy
+  - p_ci_templates_implicit_auto_devops_build
+  - p_ci_templates_implicit_jobs_browser_performance_testing
+  - p_ci_templates_implicit_jobs_test
+  - p_ci_templates_implicit_auto_devops_deploy_latest
+  - p_ci_templates_implicit_jobs_browser_performance_testing_latest
+  - p_ci_templates_implicit_jobs_cf_provision
+  - p_ci_templates_implicit_jobs_build_latest
+  - p_ci_templates_implicit_security_sast
+  - p_ci_templates_implicit_security_dast_runner_validation
+  - p_ci_templates_implicit_security_dast_on_demand_scan
+  - p_ci_templates_implicit_security_secret_detection
+  - p_ci_templates_implicit_security_license_scanning
+  - p_ci_templates_implicit_security_coverage_fuzzing
+  - p_ci_templates_implicit_security_api_fuzzing_latest
+  - p_ci_templates_implicit_security_secure_binaries
+  - p_ci_templates_implicit_security_dast_api
+  - p_ci_templates_implicit_security_container_scanning
+  - p_ci_templates_implicit_security_dast_latest
+  - p_ci_templates_implicit_security_dependency_scanning
+  - p_ci_templates_implicit_security_api_fuzzing
+  - p_ci_templates_implicit_security_dast
+  - p_ci_templates_implicit_security_cluster_image_scanning
 distribution:
 - ce
 - ee

--- a/ee/app/services/app_sec/dast/scan_configs/build_service.rb
+++ b/ee/app/services/app_sec/dast/scan_configs/build_service.rb
@@ -42,7 +42,7 @@ module AppSec
        def ci_configuration
          {
            'stages' => ['dast'],
-            'include' => [{ 'template' => 'DAST-On-Demand-Scan.gitlab-ci.yml' }],
+            'include' => [{ 'template' => 'Security/DAST-On-Demand-Scan.gitlab-ci.yml' }],
            'dast' => {
              'dast_configuration' => { 'site_profile' => dast_site_profile.name, 'scanner_profile' => dast_scanner_profile&.name }.compact
            }

--- a/ee/app/services/app_sec/dast/site_validations/runner_service.rb
+++ b/ee/app/services/app_sec/dast/site_validations/runner_service.rb
@@ -30,7 +30,7 @@ module AppSec
        end

        def ci_configuration
-          { 'include' => [{ 'template' => 'DAST-Runner-Validation.gitlab-ci.yml' }] }
+          { 'include' => [{ 'template' => 'Security/DAST-Runner-Validation.gitlab-ci.yml' }] }
        end

        def dast_site_validation_variables

--- a/ee/app/services/app_sec/fuzzing/api/ci_configuration_create_service.rb
+++ b/ee/app/services/app_sec/fuzzing/api/ci_configuration_create_service.rb
@@ -19,7 +19,7 @@ module AppSec
        def preset_configuration
          {
            'stages' => ['fuzz'],
-            'include' => [{ 'template' => 'API-Fuzzing.gitlab-ci.yml' }]
+            'include' => [{ 'template' => 'Security/API-Fuzzing.gitlab-ci.yml' }]
          }
        end


--- a/ee/spec/graphql/mutations/app_sec/fuzzing/api/ci_configuration/create_spec.rb
+++ b/ee/spec/graphql/mutations/app_sec/fuzzing/api/ci_configuration/create_spec.rb
@@ -38,7 +38,7 @@ RSpec.describe Mutations::AppSec::Fuzzing::API::CiConfiguration::Create do
          )
          expect(Psych.load(subject[:configuration_yaml])).to eq({
            'stages' => ['fuzz'],
-            'include' => [{ 'template' => 'API-Fuzzing.gitlab-ci.yml' }],
+            'include' => [{ 'template' => 'Security/API-Fuzzing.gitlab-ci.yml' }],
            'variables' => {
              'FUZZAPI_HTTP_PASSWORD' => '$PASSWORD',
              'FUZZAPI_HTTP_USERNAME' => '$USERNAME',

--- a/ee/spec/requests/api/graphql/mutations/app_sec/fuzzing/api/ci_configuration/create_spec.rb
+++ b/ee/spec/requests/api/graphql/mutations/app_sec/fuzzing/api/ci_configuration/create_spec.rb
@@ -52,7 +52,7 @@ RSpec.describe 'CreateApiFuzzingCiConfiguration' do
      expect(gitlab_ci_yml_edit_path).to eq(project_ci_pipeline_editor_path(project))
      expect(Psych.load(yaml)).to eq({
        'stages' => ['fuzz'],
-        'include' => [{ 'template' => 'API-Fuzzing.gitlab-ci.yml' }],
+        'include' => [{ 'template' => 'Security/API-Fuzzing.gitlab-ci.yml' }],
        'variables' => {
          'FUZZAPI_HTTP_PASSWORD' => '$PASSWORD',
          'FUZZAPI_HTTP_USERNAME' => '$USERNAME',

--- a/ee/spec/services/app_sec/dast/scan_configs/build_service_spec.rb
+++ b/ee/spec/services/app_sec/dast/scan_configs/build_service_spec.rb
@@ -28,7 +28,7 @@ RSpec.describe AppSec::Dast::ScanConfigs::BuildService do
        stages:
        - dast
        include:
-        - template: DAST-On-Demand-Scan.gitlab-ci.yml
+        - template: Security/DAST-On-Demand-Scan.gitlab-ci.yml
        dast:
          dast_configuration:
            site_profile: #{dast_site_profile.name}
@@ -92,7 +92,7 @@ RSpec.describe AppSec::Dast::ScanConfigs::BuildService do
            stages:
            - dast
            include:
-            - template: DAST-On-Demand-Scan.gitlab-ci.yml
+            - template: Security/DAST-On-Demand-Scan.gitlab-ci.yml
            dast:
              dast_configuration:
                site_profile: #{dast_site_profile.name}

--- a/ee/spec/services/app_sec/fuzzing/api/ci_configuration_create_service_spec.rb
+++ b/ee/spec/services/app_sec/fuzzing/api/ci_configuration_create_service_spec.rb
@@ -23,7 +23,7 @@ RSpec.describe ::AppSec::Fuzzing::API::CiConfigurationCreateService do
      it 'returns the API fuzzing configuration based on the given parameters' do
        is_expected.to eq({
          'stages' => ['fuzz'],
-          'include' => [{ 'template' => 'API-Fuzzing.gitlab-ci.yml' }],
+          'include' => [{ 'template' => 'Security/API-Fuzzing.gitlab-ci.yml' }],
          'variables' => {
            'FUZZAPI_HTTP_PASSWORD' => '$PASSWORD',
            'FUZZAPI_HTTP_USERNAME' => '$USERNAME',
@@ -50,7 +50,7 @@ RSpec.describe ::AppSec::Fuzzing::API::CiConfigurationCreateService do
      it 'returns the API fuzzing configuration based on the given parameters' do
        is_expected.to eq({
          'stages' => ['fuzz'],
-          'include' => [{ 'template' => 'API-Fuzzing.gitlab-ci.yml' }],
+          'include' => [{ 'template' => 'Security/API-Fuzzing.gitlab-ci.yml' }],
          'variables' => {
            'FUZZAPI_HTTP_PASSWORD' => '$PASSWORD',
            'FUZZAPI_HTTP_USERNAME' => '$USERNAME',
@@ -77,7 +77,7 @@ RSpec.describe ::AppSec::Fuzzing::API::CiConfigurationCreateService do
      it 'returns the API fuzzing configuration based on the given parameters' do
        is_expected.to eq({
          'stages' => ['fuzz'],
-          'include' => [{ 'template' => 'API-Fuzzing.gitlab-ci.yml' }],
+          'include' => [{ 'template' => 'Security/API-Fuzzing.gitlab-ci.yml' }],
          'variables' => {
            'FUZZAPI_HTTP_PASSWORD' => '$PASSWORD',
            'FUZZAPI_HTTP_USERNAME' => '$USERNAME',
@@ -101,7 +101,7 @@ RSpec.describe ::AppSec::Fuzzing::API::CiConfigurationCreateService do
      it 'does not include them in the configuration' do
        is_expected.to eq({
          'stages' => ['fuzz'],
-          'include' => [{ 'template' => 'API-Fuzzing.gitlab-ci.yml' }],
+          'include' => [{ 'template' => 'Security/API-Fuzzing.gitlab-ci.yml' }],
          'variables' => {
            'FUZZAPI_HAR' => 'https://api.gov/api_spec',
            'FUZZAPI_TARGET_URL' => 'https://api.gov'

--- a/ee/spec/services/ci/create_pipeline_service/dast_configuration_spec.rb
+++ b/ee/spec/services/ci/create_pipeline_service/dast_configuration_spec.rb
@@ -22,7 +22,7 @@ RSpec.describe Ci::CreatePipelineService do
  let(:config) do
    <<~EOY
    include:
-      - template: DAST.gitlab-ci.yml
+      - template: Security/DAST.gitlab-ci.yml
    stages:
      - build
      - dast
@@ -72,6 +72,10 @@ RSpec.describe Ci::CreatePipelineService do

      project_features = project.licensed_features
      allow(project).to receive(:licensed_features).and_return(project_features << :dast)
+
+      # The latest version of the template does not run unless DAST is
+      # configured via environment variables.
+      stub_feature_flags(redirect_to_latest_template_security_dast: false)
    end

    context 'when the stage is dast' do