Merge branch '260331-sast-default-analyzers-bug' into 'master'

Bug fix for writing SAST_DEFAULT_ANALYZERS with SAST Config UI See merge request gitlab-org/gitlab!46388

Merge branch '260331-sast-default-analyzers-bug' into 'master'
Bug fix for writing SAST_DEFAULT_ANALYZERS with SAST Config UI See merge request gitlab-org/gitlab!46388
0c711543 · Sean McGivern · 5961d3df · 5ed7b3b0 · 0c711543 · 0c711543
Commit 0c711543 authored Nov 02, 2020 by Sean McGivern
3 changed files
--- a/ee/changelogs/unreleased/260331-sast-default-analyzers-bug.yml
+++ b/ee/changelogs/unreleased/260331-sast-default-analyzers-bug.yml
+---
+title: Resolve "SAST_DEFAULT_ANALYZERS is written with default value by SAST Config UI"
+merge_request: 46388
+author:
+type: fixed
--- a/ee/lib/security/ci_configuration/sast_build_actions.rb
+++ b/ee/lib/security/ci_configuration/sast_build_actions.rb
@@ -3,7 +3,7 @@
 module Security
  module CiConfiguration
    class SastBuildActions
-      SAST_DEFAULT_ANALYZERS = 'bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, sobelow, pmd-apex, kubesec'
+      SAST_DEFAULT_ANALYZERS = 'bandit, brakeman, eslint, flawfinder, gosec, kubesec, nodejs-scan, phpcs-security-audit, pmd-apex, security-code-scan, sobelow, spotbugs'

      def initialize(auto_devops_enabled, params, existing_gitlab_ci_content)
        @auto_devops_enabled = auto_devops_enabled
@@ -55,6 +55,7 @@ module Security
                                                         config['analyzers']
                                                           &.select {|a| a['enabled'] }
                                                           &.collect {|a| a['name'] }
+                                                           &.sort
                                                           &.join(', ')
                                                       else
                                                         SAST_DEFAULT_ANALYZERS

--- a/ee/spec/lib/security/ci_configuration/sast_build_actions_spec.rb
+++ b/ee/spec/lib/security/ci_configuration/sast_build_actions_spec.rb
@@ -64,11 +64,11 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
    params.merge( { 'analyzers' =>
                    [
                      {
-                        'name' =>  "brakeman",
+                        'name' =>  "flawfinder",
                        'enabled' =>  true
                      },
                      {
-                        'name' =>  "flawfinder",
+                        'name' =>  "brakeman",
                        'enabled' =>  true
                      }
                    ] }
@@ -305,6 +305,20 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
    end
  end

+  describe 'Security::CiConfiguration::SastBuildActions::SAST_DEFAULT_ANALYZERS' do
+    subject(:variable) {Security::CiConfiguration::SastBuildActions::SAST_DEFAULT_ANALYZERS}
+
+    it 'is sorted alphabetically' do
+      sorted_variable = Security::CiConfiguration::SastBuildActions::SAST_DEFAULT_ANALYZERS
+        .split(',')
+        .map(&:strip)
+        .sort
+        .join(', ')
+
+      expect(variable).to eq(sorted_variable)
+    end
+  end
+
  # stubbing this method allows this spec file to use fast_spec_helper
  def fast_auto_devops_stages
    auto_devops_template = YAML.safe_load( File.read('lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml') )