Commit a92eb346 authored by Lucas Charles's avatar Lucas Charles

Migrate Dependency-Scanning CI template to rules syntax

Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/36547
parent 03b84967
---
title: Migrate Dependency-Scanning CI template to rules syntax
merge_request: 30907
author:
type: changed
...@@ -8,7 +8,8 @@ describe 'Dependency-Scanning.gitlab-ci.yml' do ...@@ -8,7 +8,8 @@ describe 'Dependency-Scanning.gitlab-ci.yml' do
describe 'the created pipeline' do describe 'the created pipeline' do
let(:user) { create(:admin) } let(:user) { create(:admin) }
let(:default_branch) { 'master' } let(:default_branch) { 'master' }
let(:project) { create(:project, :custom_repo, files: { 'README.txt' => '' }) } let(:files) { { 'README.txt' => '' } }
let(:project) { create(:project, :custom_repo, files: files) }
let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master' ) } let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master' ) }
let(:pipeline) { service.execute!(:push) } let(:pipeline) { service.execute!(:push) }
let(:build_names) { pipeline.builds.pluck(:name) } let(:build_names) { pipeline.builds.pluck(:name) }
...@@ -48,37 +49,51 @@ describe 'Dependency-Scanning.gitlab-ci.yml' do ...@@ -48,37 +49,51 @@ describe 'Dependency-Scanning.gitlab-ci.yml' do
end end
end end
context 'when DS_DISABLE_DIND=1' do context 'when DS_DISABLE_DIND=true' do
before do before do
create(:ci_variable, project: project, key: 'DS_DISABLE_DIND', value: '1') create(:ci_variable, project: project, key: 'DS_DISABLE_DIND', value: 'true')
end end
describe 'language detection' do describe 'language detection' do
using RSpec::Parameterized::TableSyntax using RSpec::Parameterized::TableSyntax
where(:case_name, :variables, :include_build_names) do where(:case_name, :files, :include_build_names) do
'Go' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "go" } | %w(gemnasium-dependency_scanning) 'Go' | { 'go.sum' => '' } | %w(gemnasium-dependency_scanning)
'Java' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "java" } | %w(gemnasium-maven-dependency_scanning) 'Java' | { 'pom.xml' => '' } | %w(gemnasium-maven-dependency_scanning)
'Javascript' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "javascript" } | %w(gemnasium-dependency_scanning retire-js-dependency_scanning) 'Java Gradle' | { 'build.gradle' => '' } | %w(gemnasium-maven-dependency_scanning)
'Multiple languages' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "java,javascript" } | %w(gemnasium-dependency_scanning gemnasium-maven-dependency_scanning retire-js-dependency_scanning) 'Javascript' | { 'package.json' => '' } | %w(retire-js-dependency_scanning)
'PHP' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "php" } | %w(gemnasium-dependency_scanning) 'Javascript package-lock.json' | { 'package-lock.json' => '' } | %w(gemnasium-dependency_scanning)
'Python' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "python" } | %w(gemnasium-python-dependency_scanning) 'Javascript yarn.lock' | { 'yarn.lock' => '' } | %w(gemnasium-dependency_scanning)
'Ruby' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "ruby" } | %w(bundler-audit-dependency_scanning gemnasium-dependency_scanning) 'Javascript npm-shrinkwrap.json' | { 'npm-shrinkwrap.json' => '' } | %w(gemnasium-dependency_scanning)
'Scala' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "scala" } | %w(gemnasium-maven-dependency_scanning) 'Multiple languages' | { 'pom.xml' => '', 'package.json' => '' } | %w(gemnasium-maven-dependency_scanning retire-js-dependency_scanning)
'PHP' | { 'composer.lock' => '' } | %w(gemnasium-dependency_scanning)
'Python requirements.txt' | { 'requirements.txt' => '' } | %w(gemnasium-python-dependency_scanning)
'Python requirements.pip' | { 'requirements.pip' => '' } | %w(gemnasium-python-dependency_scanning)
'Python Pipfile' | { 'Pipfile' => '' } | %w(gemnasium-python-dependency_scanning)
'Python Pipfile.lock' | { 'Pipfile.lock' => '' } | %w(gemnasium-dependency_scanning)
'Python requires.txt' | { 'requires.txt' => '' } | %w(gemnasium-python-dependency_scanning)
'Python with setup.py' | { 'setup.py' => '' } | %w(gemnasium-python-dependency_scanning)
'Ruby Gemfile.lock' | { 'Gemfile.lock' => '' } | %w(bundler-audit-dependency_scanning gemnasium-dependency_scanning)
'Ruby gems.locked' | { 'gems.locked' => '' } | %w(gemnasium-dependency_scanning)
'Scala' | { 'build.sbt' => '' } | %w(gemnasium-maven-dependency_scanning)
end end
with_them do with_them do
before do
variables.each do |(key, value)|
create(:ci_variable, project: project, key: key, value: value)
end
end
it 'creates a pipeline with the expected jobs' do it 'creates a pipeline with the expected jobs' do
expect(build_names).to include(*include_build_names) expect(build_names).to include(*include_build_names)
end end
end end
end end
context 'when PIP_REQUIREMENTS_FILE is defined' do
before do
create(:ci_variable, project: project, key: 'PIP_REQUIREMENTS_FILE', value: '/some/path/requirements.txt')
end
it 'creates a pipeline with the expected jobs' do
expect(build_names).to include('gemnasium-python-dependency_scanning')
end
end
end end
end end
end end
......
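Review bot: Every row of the table and the new PIP_REQUIREMENTS_FILE context asserts only `expect(build_names).to include(*include_build_names)`, so a template regression that creates every analyzer job regardless of `exists:` (or one that leaves the `dependency_scanning` DinD job running alongside the analyzers when DS_DISABLE_DIND is 'true') would still pass. Add at least one negative assertion, e.g. for the 'Go' row `expect(build_names).not_to include('gemnasium-maven-dependency_scanning', 'bundler-audit-dependency_scanning')`, or switch to `contain_exactly(*include_build_names)` if the pipeline built from this template holds no other jobs. The default `files` of `{ 'README.txt' => '' }` would also make a cheap "no manifest, no analyzer jobs" case, unless an example before the `@@ -48` hunk already covers it. The enclosing `describe 'the created pipeline'` block starts before the first hunk.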
...@@ -72,23 +72,20 @@ dependency_scanning: ...@@ -72,23 +72,20 @@ dependency_scanning:
reports: reports:
dependency_scanning: gl-dependency-scanning-report.json dependency_scanning: gl-dependency-scanning-report.json
dependencies: [] dependencies: []
only: rules:
refs: - if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'true'
- branches when: never
variables: - if: $CI_COMMIT_BRANCH &&
- $GITLAB_FEATURES =~ /\bdependency_scanning\b/ $GITLAB_FEATURES =~ /\bdependency_scanning\b/
except:
variables:
- $DEPENDENCY_SCANNING_DISABLED
- $DS_DISABLE_DIND == 'true'
.ds-analyzer: .ds-analyzer:
extends: dependency_scanning extends: dependency_scanning
services: [] services: []
except: rules:
variables: - if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
- $DEPENDENCY_SCANNING_DISABLED when: never
- $DS_DISABLE_DIND == 'false' - if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/
script: script:
- /analyzer run - /analyzer run
...@@ -96,48 +93,82 @@ gemnasium-dependency_scanning: ...@@ -96,48 +93,82 @@ gemnasium-dependency_scanning:
extends: .ds-analyzer extends: .ds-analyzer
image: image:
name: "$DS_ANALYZER_IMAGE_PREFIX/gemnasium:$DS_MAJOR_VERSION" name: "$DS_ANALYZER_IMAGE_PREFIX/gemnasium:$DS_MAJOR_VERSION"
only: rules:
variables: - if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
- $GITLAB_FEATURES =~ /\bdependency_scanning\b/ && when: never
$DS_DEFAULT_ANALYZERS =~ /gemnasium([^-]|$)/ && - if: $CI_COMMIT_BRANCH &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /ruby|javascript|php|\bgo\b/ $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium([^-]|$)/
exists:
- 'Gemfile.lock'
- 'Pipfile.lock'
- 'composer.lock'
- 'gems.locked'
- 'go.sum'
- 'npm-shrinkwrap.json'
- 'package-lock.json'
- 'yarn.lock'
gemnasium-maven-dependency_scanning: gemnasium-maven-dependency_scanning:
extends: .ds-analyzer extends: .ds-analyzer
image: image:
name: "$DS_ANALYZER_IMAGE_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION" name: "$DS_ANALYZER_IMAGE_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION"
only: rules:
variables: - if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
- $GITLAB_FEATURES =~ /\bdependency_scanning\b/ && when: never
$DS_DEFAULT_ANALYZERS =~ /gemnasium-maven/ && - if: $CI_COMMIT_BRANCH &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\b(java|scala)\b/ $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium-maven/
exists:
- 'build.gradle'
- 'build.sbt'
- 'pom.xml'
gemnasium-python-dependency_scanning: gemnasium-python-dependency_scanning:
extends: .ds-analyzer extends: .ds-analyzer
image: image:
name: "$DS_ANALYZER_IMAGE_PREFIX/gemnasium-python:$DS_MAJOR_VERSION" name: "$DS_ANALYZER_IMAGE_PREFIX/gemnasium-python:$DS_MAJOR_VERSION"
only: rules:
variables: - if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
- $GITLAB_FEATURES =~ /\bdependency_scanning\b/ && when: never
$DS_DEFAULT_ANALYZERS =~ /gemnasium-python/ && - if: $CI_COMMIT_BRANCH &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /python/ $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium-python/
exists:
- 'requirements.txt'
- 'requirements.pip'
- 'Pipfile'
- 'requires.txt'
- 'setup.py'
# Support passing of $PIP_REQUIREMENTS_FILE
# See https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#configuring-specific-analyzers-used-by-dependency-scanning
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium-python/ &&
$PIP_REQUIREMENTS_FILE
bundler-audit-dependency_scanning: bundler-audit-dependency_scanning:
extends: .ds-analyzer extends: .ds-analyzer
image: image:
name: "$DS_ANALYZER_IMAGE_PREFIX/bundler-audit:$DS_MAJOR_VERSION" name: "$DS_ANALYZER_IMAGE_PREFIX/bundler-audit:$DS_MAJOR_VERSION"
only: rules:
variables: - if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
- $GITLAB_FEATURES =~ /\bdependency_scanning\b/ && when: never
$DS_DEFAULT_ANALYZERS =~ /bundler-audit/ && - if: $CI_COMMIT_BRANCH &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /ruby/ $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /bundler-audit/
exists:
- 'Gemfile.lock'
retire-js-dependency_scanning: retire-js-dependency_scanning:
extends: .ds-analyzer extends: .ds-analyzer
image: image:
name: "$DS_ANALYZER_IMAGE_PREFIX/retire.js:$DS_MAJOR_VERSION" name: "$DS_ANALYZER_IMAGE_PREFIX/retire.js:$DS_MAJOR_VERSION"
only: rules:
variables: - if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
- $GITLAB_FEATURES =~ /\bdependency_scanning\b/ && when: never
$DS_DEFAULT_ANALYZERS =~ /retire.js/ && - if: $CI_COMMIT_BRANCH &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /javascript/ $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /retire.js/
exists:
- 'package.json'
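Review bot: The `exists:` lists added to each analyzer (for example `- 'Gemfile.lock'` under gemnasium and bundler-audit) are, as far as I know, glob patterns matched against paths relative to the repository root, so a project whose manifest or lockfile lives in a subdirectory would no longer get any analyzer job, whereas the replaced `$CI_PROJECT_REPOSITORY_LANGUAGES` condition did not depend on file location. That is a silent loss of scanning coverage rather than a pipeline failure, which is easy to miss. If nested projects are meant to be supported, widen the patterns along the lines of `- '{Gemfile.lock,*/Gemfile.lock,*/*/Gemfile.lock}'` and add a spec row with a nested lockfile; otherwise a comment above each `exists:` stating that only root-level files are matched would spare users the surprise. The same applies to every `exists:` block in this hunk; the template's `variables:` defaults (including whatever DS_DISABLE_DIND defaults to, which the `== 'true'` / `== 'false'` rules depend on) are outside these hunks.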