Commit 9ead4da9 authored by Dmytro Zaporozhets (DZ)

Merge branch '301216-deprecate-sast-analyzer-image-var' into 'master'

Deprecate global usage of SAST_ANALYZER_IMAGE_TAG

See merge request gitlab-org/gitlab!62724
parents acd3831e d1880e31
...@@ -18,15 +18,6 @@ ...@@ -18,15 +18,6 @@
"value": "", "value": "",
"size": "MEDIUM", "size": "MEDIUM",
"description": "Comma-separated list of paths to be excluded from analyzer output. Patterns can be globs, file paths, or folder paths." "description": "Comma-separated list of paths to be excluded from analyzer output. Patterns can be globs, file paths, or folder paths."
},
{
"field" : "SAST_ANALYZER_IMAGE_TAG",
"label" : "Image tag",
"type": "string",
"default_value": "",
"value": "",
"size": "SMALL",
"description": "Analyzer image's tag"
} }
], ],
"pipeline": [ "pipeline": [
...@@ -454,7 +454,6 @@ The following are Docker image-related CI/CD variables. ...@@ -454,7 +454,6 @@ The following are Docker image-related CI/CD variables.
| CI/CD variable | Description | | CI/CD variable | Description |
|---------------------------|---------------------------------------------------------------------------------------------------------------------------------------| |---------------------------|---------------------------------------------------------------------------------------------------------------------------------------|
| `SECURE_ANALYZERS_PREFIX` | Override the name of the Docker registry providing the default images (proxy). Read more about [customizing analyzers](analyzers.md). | | `SECURE_ANALYZERS_PREFIX` | Override the name of the Docker registry providing the default images (proxy). Read more about [customizing analyzers](analyzers.md). |
| `SAST_ANALYZER_IMAGE_TAG` | **DEPRECATED:** Override the Docker tag of the default images. Read more about [customizing analyzers](analyzers.md). |
| `SAST_EXCLUDED_ANALYZERS` | Names of default images that should never run. Read more about [customizing analyzers](analyzers.md). | | `SAST_EXCLUDED_ANALYZERS` | Names of default images that should never run. Read more about [customizing analyzers](analyzers.md). |
#### Vulnerability filters #### Vulnerability filters
...@@ -11,7 +11,6 @@ variables: ...@@ -11,7 +11,6 @@ variables:
SAST_DEFAULT_ANALYZERS: "bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, sobelow, pmd-apex, kubesec, mobsf, semgrep" SAST_DEFAULT_ANALYZERS: "bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, sobelow, pmd-apex, kubesec, mobsf, semgrep"
SAST_EXCLUDED_ANALYZERS: "" SAST_EXCLUDED_ANALYZERS: ""
SAST_EXCLUDED_PATHS: "spec, test, tests, tmp" SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
SAST_ANALYZER_IMAGE_TAG: 2
SCAN_KUBERNETES_MANIFESTS: "false" SCAN_KUBERNETES_MANIFESTS: "false"
sast: sast:
...@@ -43,6 +42,7 @@ bandit-sast: ...@@ -43,6 +42,7 @@ bandit-sast:
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to # SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or # override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases. # breakage across GitLab releases.
SAST_ANALYZER_IMAGE_TAG: 2
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/bandit:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/bandit:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
...@@ -62,6 +62,7 @@ brakeman-sast: ...@@ -62,6 +62,7 @@ brakeman-sast:
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to # SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or # override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases. # breakage across GitLab releases.
SAST_ANALYZER_IMAGE_TAG: 2
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
...@@ -82,6 +83,7 @@ eslint-sast: ...@@ -82,6 +83,7 @@ eslint-sast:
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to # SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or # override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases. # breakage across GitLab releases.
SAST_ANALYZER_IMAGE_TAG: 2
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/eslint:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/eslint:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
...@@ -105,6 +107,7 @@ flawfinder-sast: ...@@ -105,6 +107,7 @@ flawfinder-sast:
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to # SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or # override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases. # breakage across GitLab releases.
SAST_ANALYZER_IMAGE_TAG: 2
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/flawfinder:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/flawfinder:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
...@@ -125,6 +128,7 @@ kubesec-sast: ...@@ -125,6 +128,7 @@ kubesec-sast:
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to # SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or # override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases. # breakage across GitLab releases.
SAST_ANALYZER_IMAGE_TAG: 2
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kubesec:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kubesec:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
...@@ -143,6 +147,7 @@ gosec-sast: ...@@ -143,6 +147,7 @@ gosec-sast:
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to # SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or # override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases. # breakage across GitLab releases.
SAST_ANALYZER_IMAGE_TAG: 2
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gosec:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gosec:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
...@@ -162,6 +167,7 @@ gosec-sast: ...@@ -162,6 +167,7 @@ gosec-sast:
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to # SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or # override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases. # breakage across GitLab releases.
SAST_ANALYZER_IMAGE_TAG: 2
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/mobsf:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/mobsf:$SAST_ANALYZER_IMAGE_TAG"
mobsf-android-sast: mobsf-android-sast:
...@@ -200,6 +206,7 @@ nodejs-scan-sast: ...@@ -200,6 +206,7 @@ nodejs-scan-sast:
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to # SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or # override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases. # breakage across GitLab releases.
SAST_ANALYZER_IMAGE_TAG: 2
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
...@@ -219,6 +226,7 @@ phpcs-security-audit-sast: ...@@ -219,6 +226,7 @@ phpcs-security-audit-sast:
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to # SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or # override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases. # breakage across GitLab releases.
SAST_ANALYZER_IMAGE_TAG: 2
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/phpcs-security-audit:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/phpcs-security-audit:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
...@@ -238,6 +246,7 @@ pmd-apex-sast: ...@@ -238,6 +246,7 @@ pmd-apex-sast:
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to # SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or # override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases. # breakage across GitLab releases.
SAST_ANALYZER_IMAGE_TAG: 2
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/pmd-apex:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/pmd-apex:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
...@@ -257,6 +266,7 @@ security-code-scan-sast: ...@@ -257,6 +266,7 @@ security-code-scan-sast:
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to # SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or # override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases. # breakage across GitLab releases.
SAST_ANALYZER_IMAGE_TAG: 2
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
...@@ -277,6 +287,7 @@ semgrep-sast: ...@@ -277,6 +287,7 @@ semgrep-sast:
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to # SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or # override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases. # breakage across GitLab releases.
SAST_ANALYZER_IMAGE_TAG: 2
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/semgrep:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/semgrep:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
...@@ -300,6 +311,7 @@ sobelow-sast: ...@@ -300,6 +311,7 @@ sobelow-sast:
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to # SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or # override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases. # breakage across GitLab releases.
SAST_ANALYZER_IMAGE_TAG: 2
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/sobelow:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/sobelow:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
...@@ -319,6 +331,7 @@ spotbugs-sast: ...@@ -319,6 +331,7 @@ spotbugs-sast:
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to # SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or # override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases. # breakage across GitLab releases.
SAST_ANALYZER_IMAGE_TAG: 2
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/spotbugs:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/spotbugs:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_EXCLUDED_ANALYZERS =~ /spotbugs/ - if: $SAST_EXCLUDED_ANALYZERS =~ /spotbugs/
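Review bot: The job-level `SAST_ANALYZER_IMAGE_TAG: 2` added to bandit-sast (and identically to every other analyzer job through spotbugs-sast) carries no comment explaining why the tag moved out of the template's global `variables:` block, even though the comment block directly above it carefully documents `SAST_ANALYZER_IMAGE`. Because a variable defined on the job takes precedence over one in a global `variables:` block, a global `SAST_ANALYZER_IMAGE_TAG` set in a project's own `.gitlab-ci.yml` no longer changes the image these jobs run, which matches the deprecation in the commit title but is not visible from the line itself; as I understand the precedence rules, a project- or group-level CI/CD variable of the same name would still override it. I would extend the existing comment block with `# SAST_ANALYZER_IMAGE_TAG is pinned per job so that a deprecated global SAST_ANALYZER_IMAGE_TAG in a project's .gitlab-ci.yml no longer selects the image used by this job.` Each job definition starts and ends outside its hunk.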
...@@ -114,7 +114,6 @@ module Security ...@@ -114,7 +114,6 @@ module Security
def sast_variables def sast_variables
%w( %w(
SAST_ANALYZER_IMAGE_TAG
SAST_EXCLUDED_PATHS SAST_EXCLUDED_PATHS
SEARCH_MAX_DEPTH SEARCH_MAX_DEPTH
SAST_EXCLUDED_ANALYZERS SAST_EXCLUDED_ANALYZERS
...@@ -17,7 +17,6 @@ module QA ...@@ -17,7 +17,6 @@ module QA
[ [
%w(SECURE_ANALYZERS_PREFIX registry.example.com), %w(SECURE_ANALYZERS_PREFIX registry.example.com),
%w(SAST_EXCLUDED_PATHS foo,\ bar), %w(SAST_EXCLUDED_PATHS foo,\ bar),
%w(SAST_ANALYZER_IMAGE_TAG latest),
%w(SAST_BANDIT_EXCLUDED_PATHS exclude_path_a,\ exclude_path_b) %w(SAST_BANDIT_EXCLUDED_PATHS exclude_path_a,\ exclude_path_b)
] ]
end end
...@@ -12,7 +12,6 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do ...@@ -12,7 +12,6 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
[ [
{ 'field' => 'stage', 'defaultValue' => 'test', 'value' => 'test' }, { 'field' => 'stage', 'defaultValue' => 'test', 'value' => 'test' },
{ 'field' => 'SEARCH_MAX_DEPTH', 'defaultValue' => 4, 'value' => 4 }, { 'field' => 'SEARCH_MAX_DEPTH', 'defaultValue' => 4, 'value' => 4 },
{ 'field' => 'SAST_ANALYZER_IMAGE_TAG', 'defaultValue' => 2, 'value' => 2 },
{ 'field' => 'SAST_EXCLUDED_PATHS', 'defaultValue' => 'spec, test, tests, tmp', 'value' => 'spec, test, tests, tmp' } { 'field' => 'SAST_EXCLUDED_PATHS', 'defaultValue' => 'spec, test, tests, tmp', 'value' => 'spec, test, tests, tmp' }
] } ] }
end end
...@@ -26,7 +25,6 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do ...@@ -26,7 +25,6 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
[ [
{ 'field' => 'stage', 'defaultValue' => 'test', 'value' => 'security' }, { 'field' => 'stage', 'defaultValue' => 'test', 'value' => 'security' },
{ 'field' => 'SEARCH_MAX_DEPTH', 'defaultValue' => 4, 'value' => 1 }, { 'field' => 'SEARCH_MAX_DEPTH', 'defaultValue' => 4, 'value' => 1 },
{ 'field' => 'SAST_ANALYZER_IMAGE_TAG', 'defaultValue' => 2, 'value' => 2 },
{ 'field' => 'SAST_EXCLUDED_PATHS', 'defaultValue' => 'spec, test, tests, tmp', 'value' => 'spec,docs' } { 'field' => 'SAST_EXCLUDED_PATHS', 'defaultValue' => 'spec, test, tests, tmp', 'value' => 'spec,docs' }
] } ] }
end end
...@@ -176,7 +174,6 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do ...@@ -176,7 +174,6 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
[ [
{ 'field' => 'stage', 'defaultValue' => 'test', 'value' => 'brand_new_stage' }, { 'field' => 'stage', 'defaultValue' => 'test', 'value' => 'brand_new_stage' },
{ 'field' => 'SEARCH_MAX_DEPTH', 'defaultValue' => 4, 'value' => 5 }, { 'field' => 'SEARCH_MAX_DEPTH', 'defaultValue' => 4, 'value' => 5 },
{ 'field' => 'SAST_ANALYZER_IMAGE_TAG', 'defaultValue' => 2, 'value' => 2 },
{ 'field' => 'SAST_EXCLUDED_PATHS', 'defaultValue' => 'spec, test, tests, tmp', 'value' => 'spec,docs' } { 'field' => 'SAST_EXCLUDED_PATHS', 'defaultValue' => 'spec, test, tests, tmp', 'value' => 'spec,docs' }
] } ] }
end end
...@@ -227,27 +224,27 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do ...@@ -227,27 +224,27 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
def existing_gitlab_ci_and_template_array_without_sast def existing_gitlab_ci_and_template_array_without_sast
{ "stages" => %w(test security), { "stages" => %w(test security),
"variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000/analyzers" }, "variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000/analyzers" },
"sast" => { "variables" => { "SAST_ANALYZER_IMAGE_TAG" => 2, "SEARCH_MAX_DEPTH" => 1 }, "stage" => "security" }, "sast" => { "variables" => { "SEARCH_MAX_DEPTH" => 1 }, "stage" => "security" },
"include" => [{ "template" => "existing.yml" }] } "include" => [{ "template" => "existing.yml" }] }
end end
def existing_gitlab_ci_and_single_template_with_sast_and_default_stage def existing_gitlab_ci_and_single_template_with_sast_and_default_stage
{ "stages" => %w(test), { "stages" => %w(test),
"variables" => { "SECURE_ANALYZERS_PREFIX" => "localhost:5000/analyzers" }, "variables" => { "SECURE_ANALYZERS_PREFIX" => "localhost:5000/analyzers" },
"sast" => { "variables" => { "SAST_ANALYZER_IMAGE_TAG" => 2, "SEARCH_MAX_DEPTH" => 1 }, "stage" => "test" }, "sast" => { "variables" => { "SEARCH_MAX_DEPTH" => 1 }, "stage" => "test" },
"include" => { "template" => "Security/SAST.gitlab-ci.yml" } } "include" => { "template" => "Security/SAST.gitlab-ci.yml" } }
end end
def existing_gitlab_ci_and_single_template_without_sast def existing_gitlab_ci_and_single_template_without_sast
{ "stages" => %w(test security), { "stages" => %w(test security),
"variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000/analyzers" }, "variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000/analyzers" },
"sast" => { "variables" => { "SAST_ANALYZER_IMAGE_TAG" => 2, "SEARCH_MAX_DEPTH" => 1 }, "stage" => "security" }, "sast" => { "variables" => { "SEARCH_MAX_DEPTH" => 1 }, "stage" => "security" },
"include" => { "template" => "existing.yml" } } "include" => { "template" => "existing.yml" } }
end end
def existing_gitlab_ci_with_no_variables def existing_gitlab_ci_with_no_variables
{ "stages" => %w(test security), { "stages" => %w(test security),
"sast" => { "variables" => { "SAST_ANALYZER_IMAGE_TAG" => 2, "SEARCH_MAX_DEPTH" => 1 }, "stage" => "security" }, "sast" => { "variables" => { "SEARCH_MAX_DEPTH" => 1 }, "stage" => "security" },
"include" => [{ "template" => "Security/SAST.gitlab-ci.yml" }] } "include" => [{ "template" => "Security/SAST.gitlab-ci.yml" }] }
end end
...@@ -267,7 +264,7 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do ...@@ -267,7 +264,7 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
def existing_gitlab_ci def existing_gitlab_ci
{ "stages" => %w(test security), { "stages" => %w(test security),
"variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "bad_prefix" }, "variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "bad_prefix" },
"sast" => { "variables" => { "SAST_ANALYZER_IMAGE_TAG" => 2, "SEARCH_MAX_DEPTH" => 1 }, "stage" => "security" }, "sast" => { "variables" => { "SEARCH_MAX_DEPTH" => 1 }, "stage" => "security" },
"include" => [{ "template" => "Security/SAST.gitlab-ci.yml" }] } "include" => [{ "template" => "Security/SAST.gitlab-ci.yml" }] }
end end
end end
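Review bot: Every fixture in this section now drops `SAST_ANALYZER_IMAGE_TAG` (the removed `'field' =>` rows in the three expectation arrays and the rewritten `"sast" => { "variables" => ... }` hashes from `existing_gitlab_ci_and_template_array_without_sast` onward), so no example remains in which a project's existing `sast:` block still sets the deprecated variable. A user-facing deprecation is precisely the case where old configurations keep the key, so one fixture retaining `"SAST_ANALYZER_IMAGE_TAG" => 2` together with an expectation on whether the build action preserves or strips it would pin that behaviour; I cannot tell from these hunks which of the two the action currently does. The `RSpec.describe` block these helpers live in starts and ends outside the visible hunks.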
...@@ -9,7 +9,6 @@ RSpec.describe Security::CiConfiguration::SastParserService do ...@@ -9,7 +9,6 @@ RSpec.describe Security::CiConfiguration::SastParserService do
let(:configuration) { described_class.new(project).configuration } let(:configuration) { described_class.new(project).configuration }
let(:secure_analyzers_prefix) { configuration['global'][0] } let(:secure_analyzers_prefix) { configuration['global'][0] }
let(:sast_excluded_paths) { configuration['global'][1] } let(:sast_excluded_paths) { configuration['global'][1] }
let(:sast_analyzer_image_tag) { configuration['global'][2] }
let(:sast_pipeline_stage) { configuration['pipeline'][0] } let(:sast_pipeline_stage) { configuration['pipeline'][0] }
let(:sast_search_max_depth) { configuration['pipeline'][1] } let(:sast_search_max_depth) { configuration['pipeline'][1] }
let(:bandit) { configuration['analyzers'][0] } let(:bandit) { configuration['analyzers'][0] }
...@@ -19,7 +18,6 @@ RSpec.describe Security::CiConfiguration::SastParserService do ...@@ -19,7 +18,6 @@ RSpec.describe Security::CiConfiguration::SastParserService do
it 'parses the configuration for SAST' do it 'parses the configuration for SAST' do
expect(secure_analyzers_prefix['default_value']).to eql('registry.gitlab.com/gitlab-org/security-products/analyzers') expect(secure_analyzers_prefix['default_value']).to eql('registry.gitlab.com/gitlab-org/security-products/analyzers')
expect(sast_excluded_paths['default_value']).to eql('spec, test, tests, tmp') expect(sast_excluded_paths['default_value']).to eql('spec, test, tests, tmp')
expect(sast_analyzer_image_tag['default_value']).to eql('2')
expect(sast_pipeline_stage['default_value']).to eql('test') expect(sast_pipeline_stage['default_value']).to eql('test')
expect(sast_search_max_depth['default_value']).to eql('4') expect(sast_search_max_depth['default_value']).to eql('4')
expect(brakeman['enabled']).to be(true) expect(brakeman['enabled']).to be(true)
...@@ -32,7 +30,6 @@ RSpec.describe Security::CiConfiguration::SastParserService do ...@@ -32,7 +30,6 @@ RSpec.describe Security::CiConfiguration::SastParserService do
allow(project.repository).to receive(:blob_data_at).and_return(gitlab_ci_yml_content) allow(project.repository).to receive(:blob_data_at).and_return(gitlab_ci_yml_content)
expect(secure_analyzers_prefix['value']).to eql('registry.gitlab.com/gitlab-org/security-products/analyzers2') expect(secure_analyzers_prefix['value']).to eql('registry.gitlab.com/gitlab-org/security-products/analyzers2')
expect(sast_excluded_paths['value']).to eql('spec, executables') expect(sast_excluded_paths['value']).to eql('spec, executables')
expect(sast_analyzer_image_tag['value']).to eql('2')
expect(sast_pipeline_stage['value']).to eql('our_custom_security_stage') expect(sast_pipeline_stage['value']).to eql('our_custom_security_stage')
expect(sast_search_max_depth['value']).to eql('8') expect(sast_search_max_depth['value']).to eql('8')
expect(brakeman['enabled']).to be(false) expect(brakeman['enabled']).to be(false)
...@@ -64,7 +61,6 @@ RSpec.describe Security::CiConfiguration::SastParserService do ...@@ -64,7 +61,6 @@ RSpec.describe Security::CiConfiguration::SastParserService do
allow(project.repository).to receive(:blob_data_at).and_return(nil) allow(project.repository).to receive(:blob_data_at).and_return(nil)
expect(secure_analyzers_prefix['value']).to eql('registry.gitlab.com/gitlab-org/security-products/analyzers') expect(secure_analyzers_prefix['value']).to eql('registry.gitlab.com/gitlab-org/security-products/analyzers')
expect(sast_excluded_paths['value']).to eql('spec, test, tests, tmp') expect(sast_excluded_paths['value']).to eql('spec, test, tests, tmp')
expect(sast_analyzer_image_tag['value']).to eql('2')
expect(sast_pipeline_stage['value']).to eql('test') expect(sast_pipeline_stage['value']).to eql('test')
expect(sast_search_max_depth['value']).to eql('4') expect(sast_search_max_depth['value']).to eql('4')
expect(brakeman['enabled']).to be(true) expect(brakeman['enabled']).to be(true)