Improve SAST NO_DIND language detection regex

- Add word boundaries for all matches - Improve flawfinder regex to eliminate c# matches Related to https://gitlab.com/gitlab-org/gitlab/-/issues/197958

Improve SAST NO_DIND language detection regex
- Add word boundaries for all matches - Improve flawfinder regex to eliminate c# matches Related to https://gitlab.com/gitlab-org/gitlab/-/issues/197958
bf295522 · Lucas Charles · 806839fe · bf295522 · bf295522 · bf295522
Commit bf295522 authored Mar 25, 2020 by Lucas Charles
3 changed files
--- a/changelogs/unreleased/197958-improve-sast-file-detection-regex-boundaries.yml
+++ b/changelogs/unreleased/197958-improve-sast-file-detection-regex-boundaries.yml
+---
+title: Improve SAST NO_DIND file detection with proper boundary conditions
+merge_request: 28036
+author:
+type: fixed
--- a/ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
+++ b/ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+describe 'SAST.gitlab-ci.yml' do
+  subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('SAST') }
+  describe 'the created pipeline' do
+    let(:user) { create(:admin) }
+    let(:default_branch) { 'master' }
+    let(:project) { create(:project, :custom_repo, files: { 'README.txt' => '' }) }
+    let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master' ) }
+    let(:pipeline) { service.execute!(:push) }
+    let(:build_names) { pipeline.builds.pluck(:name) }
+    before do
+      stub_ci_pipeline_yaml_file(template.content)
+      allow_any_instance_of(Ci::BuildScheduleWorker).to receive(:perform).and_return(true)
+      allow(project).to receive(:default_branch).and_return(default_branch)
+    end
+    context 'when project has no license' do
+      it 'includes no jobs' do
+        expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
+      end
+    end
+    context 'when project has Ultimate license' do
+      let(:license) { create(:license, plan: License::ULTIMATE_PLAN) }
+      before do
+        allow(License).to receive(:current).and_return(license)
+      end
+      context 'by default' do
+        it 'includes orchestrator job' do
+          expect(build_names).to match_array(%w[sast])
+        end
+      end
+      context 'when SAST_DISABLED=1' do
+        before do
+          create(:ci_variable, project: project, key: 'SAST_DISABLED', value: '1')
+        end
+        it 'includes no jobs' do
+          expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
+        end
+      end
+      context 'when SAST_DISABLE_DIND=1' do
+        before do
+          create(:ci_variable, project: project, key: 'SAST_DISABLE_DIND', value: '1')
+        end
+        describe 'language detection' do
+          using RSpec::Parameterized::TableSyntax
+          where(:case_name, :variables, :include_build_names) do
+            'No match'             | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "" }                | %w(secrets-sast)
+            'Apex'                 | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "apex" }            | %w(pmd-apex-sast secrets-sast)
+            'C'                    | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "c" }               | %w(flawfinder-sast secrets-sast)
+            'C++'                  | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "c++" }             | %w(flawfinder-sast secrets-sast)
+            'C#'                   | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "c#" }              | %w(security-code-scan-sast secrets-sast)
+            'Elixir'               | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "elixir" }          | %w(sobelow-sast secrets-sast)
+            'Golang'               | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "go" }              | %w(gosec-sast secrets-sast)
+            'Groovy'               | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "groovy" }          | %w(spotbugs-sast secrets-sast)
+            'Java'                 | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "java" }            | %w(spotbugs-sast secrets-sast)
+            'Javascript'           | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "javascript" }      | %w(eslint-sast nodejs-scan-sast secrets-sast)
+            'Kubernetes Manifests' | { "SCAN_KUBERNETES_MANIFESTS" => "true" }                  | %w(kubesec-sast secrets-sast)
+            'Multiple languages'   | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "java,javascript" } | %w(eslint-sast nodejs-scan-sast spotbugs-sast secrets-sast)
+            'PHP'                  | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "php" }             | %w(phpcs-security-audit-sast secrets-sast)
+            'Python'               | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "python" }          | %w(bandit-sast secrets-sast)
+            'Ruby'                 | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "ruby" }            | %w(brakeman-sast secrets-sast)
+            'Scala'                | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "scala" }           | %w(spotbugs-sast secrets-sast)
+            'Typescript'           | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "typescript" }      | %w(tslint-sast secrets-sast)
+            'Visual Basic'         | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "visual basic" }    | %w(security-code-scan-sast secrets-sast)
+          end
+          with_them do
+            before do
+              variables.each do |(key, value)|
+                create(:ci_variable, project: project, key: key, value: value)
+              end
+            end
+            it 'creates a pipeline with the expected jobs' do
+              expect(build_names).to include(*include_build_names)
+            end
+          end
+        end
+      end
+    end
+  end
+end
--- a/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
@@ -65,7 +65,7 @@ bandit-sast:
    variables:
      - $GITLAB_FEATURES =~ /\bsast\b/ &&
          $SAST_DEFAULT_ANALYZERS =~ /bandit/&&
-          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /python/
+          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bpython\b/
 brakeman-sast:
  extends: .sast-analyzer
@@ -75,7 +75,7 @@ brakeman-sast:
    variables:
      - $GITLAB_FEATURES =~ /\bsast\b/ &&
          $SAST_DEFAULT_ANALYZERS =~ /brakeman/ &&
-          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /ruby/
+          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bruby\b/
 eslint-sast:
  extends: .sast-analyzer
@@ -85,7 +85,7 @@ eslint-sast:
    variables:
      - $GITLAB_FEATURES =~ /\bsast\b/ &&
          $SAST_DEFAULT_ANALYZERS =~ /eslint/ &&
-          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /javascript/
+          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bjavascript\b/
 flawfinder-sast:
  extends: .sast-analyzer
@@ -95,7 +95,7 @@ flawfinder-sast:
    variables:
      - $GITLAB_FEATURES =~ /\bsast\b/ &&
          $SAST_DEFAULT_ANALYZERS =~ /flawfinder/ &&
-          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\b(c\+\+|c)\b/
+          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /(c(\+\+)?,)|(c(\+\+)?$)/
 kubesec-sast:
  extends: .sast-analyzer
@@ -125,7 +125,7 @@ nodejs-scan-sast:
    variables:
      - $GITLAB_FEATURES =~ /\bsast\b/ &&
          $SAST_DEFAULT_ANALYZERS =~ /nodejs-scan/ &&
-          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /javascript/
+          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bjavascript\b/
 phpcs-security-audit-sast:
  extends: .sast-analyzer
@@ -135,7 +135,7 @@ phpcs-security-audit-sast:
    variables:
      - $GITLAB_FEATURES =~ /\bsast\b/ &&
          $SAST_DEFAULT_ANALYZERS =~ /phpcs-security-audit/ &&
-          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /php/
+          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bphp\b/
 pmd-apex-sast:
  extends: .sast-analyzer
@@ -145,7 +145,7 @@ pmd-apex-sast:
    variables:
      - $GITLAB_FEATURES =~ /\bsast\b/ &&
          $SAST_DEFAULT_ANALYZERS =~ /pmd-apex/ &&
-          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /apex/
+          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bapex\b/
 secrets-sast:
  extends: .sast-analyzer
@@ -174,7 +174,7 @@ sobelow-sast:
    variables:
      - $GITLAB_FEATURES =~ /\bsast\b/ &&
          $SAST_DEFAULT_ANALYZERS =~ /sobelow/ &&
-          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /elixir/
+          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\belixir\b/
 spotbugs-sast:
  extends: .sast-analyzer
@@ -194,4 +194,4 @@ tslint-sast:
    variables:
      - $GITLAB_FEATURES =~ /\bsast\b/ &&
          $SAST_DEFAULT_ANALYZERS =~ /tslint/ &&
-          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /typescript/
+          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\btypescript\b/