Add DS_EXCLUDED_ANALYZERS var to DS tpl

changelogs/unreleased/287691-ds-excluded-analyzers.yml

+---
+title: Add DS_EXCLUDED_ANALYZERS var to Dependency Scanning template
+merge_request: 61529
+author:
+type: added

doc/user/application_security/dependency_scanning/analyzers.md

@@ -56,10 +56,10 @@ variables:
 This configuration requires that your custom registry provides images for all
 the official analyzers.
 
-### Selecting specific analyzers
+### Disable specific analyzers
 
-You can select the official analyzers you want to run. Here's how to enable
-`bundler-audit` and `gemnasium` while disabling all the other default ones.
+You can select the official analyzers you don't want to run. Here's how to disable
+`bundler-audit` and `gemnasium` analyzers.
 In `.gitlab-ci.yml` define:
 
 ```yaml
@@ -67,26 +67,23 @@ include:
   template: Dependency-Scanning.gitlab-ci.yml
 
 variables:
-  DS_DEFAULT_ANALYZERS: "bundler-audit,gemnasium"
+  DS_EXCLUDED_ANALYZERS: "bundler-audit, gemnasium"
 ```
 
-`bundler-audit` runs first. When merging the reports, Dependency Scanning
-removes the duplicates and keeps the `bundler-audit` entries.
-
 ### Disabling default analyzers
 
-Setting `DS_DEFAULT_ANALYZERS` to an empty string disables all the official
-default analyzers. In `.gitlab-ci.yml` define:
+Setting `DS_EXCLUDED_ANALYZERS` to a list of the official analyzers disables them.
+In `.gitlab-ci.yml` define:
 
 ```yaml
 include:
   template: Dependency-Scanning.gitlab-ci.yml
 
 variables:
-  DS_DEFAULT_ANALYZERS: ""
+  DS_EXCLUDED_ANALYZERS: "gemnasium, gemansium-maven, gemnasium-python, bundler-audit, retire.js"
 ```
 
-That's needed when one totally relies on [custom analyzers](#custom-analyzers).
+This is used when one totally relies on [custom analyzers](#custom-analyzers).
 
 ## Custom analyzers
 

doc/user/application_security/dependency_scanning/index.md

@@ -169,7 +169,8 @@ The following variables allow configuration of global dependency scanning settin
 | CI/CD variables             | Description |
 | ----------------------------|------------ |
 | `ADDITIONAL_CA_CERT_BUNDLE` | Bundle of CA certs to trust. The bundle of certificates provided here is also used by other tools during the scanning process, such as `git`, `yarn`, or `npm`. See [Using a custom SSL CA certificate authority](#using-a-custom-ssl-ca-certificate-authority) for more details. |
-| `DS_DEFAULT_ANALYZERS`      | Override the names of the official default images. Read more about [customizing analyzers](analyzers.md). |
+| `DS_EXCLUDED_ANALYZERS`      | Specify the analyzers (by name) to exclude from Dependency Scanning. For more information, see [Dependency Scanning Analyzers](analyzers.md). |
+| `DS_DEFAULT_ANALYZERS`      | ([**DEPRECATED - use `DS_EXCLUDED_ANALYZERS` instead**](https://gitlab.com/gitlab-org/gitlab/-/issues/287691)) Override the names of the official default images. For more information, see [Dependency Scanning Analyzers](analyzers.md). |
 | `DS_EXCLUDED_PATHS`         | Exclude vulnerabilities from output based on the paths. A comma-separated list of patterns. Patterns can be globs, or file or folder paths (for example, `doc,spec`). Parent directories also match patterns. Default: `"spec, test, tests, tmp"`. |
 | `SECURE_ANALYZERS_PREFIX`   | Override the name of the Docker registry providing the official default images (proxy). Read more about [customizing analyzers](analyzers.md). |
 | `SECURE_LOG_LEVEL`          | Set the minimum logging level. Messages of this logging level or higher are output. From highest to lowest severity, the logging levels are: `fatal`, `error`, `warn`, `info`, `debug`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10880) in GitLab 13.1. Default: `info`. |
@@ -564,8 +565,8 @@ such references:
 ERROR: Could not find dependencies: <dependency-name>. You may need to run npm install
 ```
 
-As a workaround, remove the [`retire.js`](analyzers.md#selecting-specific-analyzers) analyzer from
-[DS_DEFAULT_ANALYZERS](#configuring-dependency-scanning).
+As a workaround, add the [`retire.js`](analyzers.md) analyzer to
+[`DS_EXCLUDED_ANALYZERS`](#configuring-dependency-scanning).
 
 ## Troubleshooting
 

ee/spec/lib/gitlab/ci/templates/dependency_scanning_gitlab_ci_yaml_spec.rb

@@ -45,6 +45,46 @@ RSpec.describe 'Dependency-Scanning.gitlab-ci.yml' do
         end
       end
 
+      context 'when DS_EXCLUDED_ANALYZERS set to' do
+        let(:files) { { 'conan.lock' => '', 'Gemfile.lock' => '', 'package.json' => '', 'pom.xml' => '', 'Pipfile' => '' } }
+
+        describe 'exclude' do
+          using RSpec::Parameterized::TableSyntax
+
+          where(:case_name, :excluded_analyzers, :included_build_names) do
+            'nothing'          | []                                                    | %w(gemnasium-dependency_scanning gemnasium-maven-dependency_scanning gemnasium-python-dependency_scanning bundler-audit-dependency_scanning retire-js-dependency_scanning)
+            'gemnasium'        | %w(gemnasium)                                         | %w(gemnasium-maven-dependency_scanning gemnasium-python-dependency_scanning bundler-audit-dependency_scanning retire-js-dependency_scanning)
+            'gemnasium-maven'  | %w(gemnasium-maven)                                   | %w(gemnasium-dependency_scanning gemnasium-python-dependency_scanning bundler-audit-dependency_scanning retire-js-dependency_scanning)
+            'gemnasium-python' | %w(gemnasium-python)                                  | %w(gemnasium-dependency_scanning gemnasium-maven-dependency_scanning bundler-audit-dependency_scanning retire-js-dependency_scanning)
+            'bundler-audit'    | %w(bundler-audit)                                     | %w(gemnasium-dependency_scanning gemnasium-maven-dependency_scanning gemnasium-python-dependency_scanning retire-js-dependency_scanning)
+            'retire.js'        | %w(retire.js)                                         | %w(gemnasium-dependency_scanning gemnasium-maven-dependency_scanning gemnasium-python-dependency_scanning bundler-audit-dependency_scanning)
+            'two'              | %w(gemnasium bundler-audit)                           | %w(gemnasium-maven-dependency_scanning gemnasium-python-dependency_scanning retire-js-dependency_scanning)
+            'three'            | %w(gemnasium-maven retire.js gemnasium)               | %w(gemnasium-python-dependency_scanning bundler-audit-dependency_scanning)
+            'four'             | %w(gemnasium-maven retire.js gemnasium bundler-audit) | %w(gemnasium-python-dependency_scanning)
+          end
+
+          with_them do
+            before do
+              create(:ci_variable, project: project, key: 'DS_EXCLUDED_ANALYZERS', value: excluded_analyzers.join(','))
+            end
+
+            it "creates pipeline with excluded analyzers skipped" do
+              expect(build_names).to include(*included_build_names)
+            end
+          end
+
+          context 'all analyzers excluded' do
+            before do
+              create(:ci_variable, project: project, key: 'DS_EXCLUDED_ANALYZERS', value: 'gemnasium-maven, retire.js, gemnasium-python, gemnasium, bundler-audit')
+            end
+
+            it 'creates a pipeline excluding jobs from specified analyzers' do
+              expect { build_names }.to raise_error(Ci::CreatePipelineService::CreateError, %r(No stages / jobs for this pipeline.))
+            end
+          end
+        end
+      end
+
       context 'by default' do
         describe 'language detection' do
           using RSpec::Parameterized::TableSyntax

lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml

@@ -8,8 +8,8 @@ variables:
   # Setting this variable will affect all Security templates
   # (SAST, Dependency Scanning, ...)
   SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
-
   DS_DEFAULT_ANALYZERS: "bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python"
+  DS_EXCLUDED_ANALYZERS: ""
   DS_EXCLUDED_PATHS: "spec, test, tests, tmp"
   DS_MAJOR_VERSION: 2
 
@@ -45,6 +45,8 @@ gemnasium-dependency_scanning:
   rules:
     - if: $DEPENDENCY_SCANNING_DISABLED
       when: never
+    - if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium([^-]|$)/
+      when: never
     - if: $CI_COMMIT_BRANCH &&
           $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
           $DS_DEFAULT_ANALYZERS =~ /gemnasium([^-]|$)/
@@ -71,6 +73,8 @@ gemnasium-maven-dependency_scanning:
   rules:
     - if: $DEPENDENCY_SCANNING_DISABLED
       when: never
+    - if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium-maven/
+      when: never
     - if: $CI_COMMIT_BRANCH &&
           $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
           $DS_DEFAULT_ANALYZERS =~ /gemnasium-maven/
@@ -92,6 +96,8 @@ gemnasium-python-dependency_scanning:
   rules:
     - if: $DEPENDENCY_SCANNING_DISABLED
       when: never
+    - if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium-python/
+      when: never
     - if: $CI_COMMIT_BRANCH &&
           $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
           $DS_DEFAULT_ANALYZERS =~ /gemnasium-python/
@@ -120,6 +126,8 @@ bundler-audit-dependency_scanning:
   rules:
     - if: $DEPENDENCY_SCANNING_DISABLED
       when: never
+    - if: $DS_EXCLUDED_ANALYZERS =~ /bundler-audit/
+      when: never
     - if: $CI_COMMIT_BRANCH &&
           $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
           $DS_DEFAULT_ANALYZERS =~ /bundler-audit/
@@ -138,6 +146,8 @@ retire-js-dependency_scanning:
   rules:
     - if: $DEPENDENCY_SCANNING_DISABLED
       when: never
+    - if: $DS_EXCLUDED_ANALYZERS =~ /retire.js/
+      when: never
     - if: $CI_COMMIT_BRANCH &&
           $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
           $DS_DEFAULT_ANALYZERS =~ /retire.js/