Merge branch 'bump-sast-scs-major-version-to-3' into 'master'

feat: Bump major security-code-scan sast version for 15.0 See merge request gitlab-org/gitlab!79569

Merge branch 'bump-sast-scs-major-version-to-3' into 'master'
feat: Bump major security-code-scan sast version for 15.0 See merge request gitlab-org/gitlab!79569
1a88a78b · Bob Van Landuyt · e7827dbc · 925cee67 · 1a88a78b · 1a88a78b
Commit 1a88a78b authored Feb 07, 2022 by Bob Van Landuyt
3 changed files
--- a/ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
+++ b/ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
@@ -101,6 +101,30 @@ RSpec.describe 'SAST.gitlab-ci.yml' do
          end
        end
      end
+
+      context 'when setting image tag dynamically' do
+        using RSpec::Parameterized::TableSyntax
+
+        where(:case_name, :files, :gitlab_version, :image_tag) do
+          'security-code-scan-sast' | { 'app.csproj' => '' } | 14 | '2'
+          'security-code-scan-sast' | { 'app.csproj' => '' } | 15 | '3'
+        end
+
+        with_them do
+          before do
+            allow(Gitlab::VersionInfo).to receive(:parse).and_return(
+              Gitlab::VersionInfo.new(gitlab_version)
+            )
+          end
+
+          it 'creates a build with the expected tag' do
+            expect(build_names).to include(case_name)
+
+            image_tags = pipeline.builds.map { |build| build.variables["SAST_ANALYZER_IMAGE_TAG"].value }
+            expect(image_tags).to match_array([image_tag])
+          end
+        end
+      end
    end
  end
 end
--- a/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
@@ -221,14 +221,23 @@ security-code-scan-sast:
  image:
    name: "$SAST_ANALYZER_IMAGE"
  variables:
-    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG"
  rules:
    - if: $SAST_DISABLED
      when: never
    - if: $SAST_EXCLUDED_ANALYZERS =~ /security-code-scan/
      when: never
+    # This rule shim will be removed in %15.0,
+    # See https://gitlab.com/gitlab-org/gitlab/-/issues/350935
+    - if: $CI_COMMIT_BRANCH && $CI_SERVER_VERSION_MAJOR == '14'
+      variables:
+        SAST_ANALYZER_IMAGE_TAG: '2'
+      exists:
+        - '**/*.csproj'
+        - '**/*.vbproj'
    - if: $CI_COMMIT_BRANCH
+      variables:
+        SAST_ANALYZER_IMAGE_TAG: '3'
      exists:
        - '**/*.csproj'
        - '**/*.vbproj'

--- a/lib/gitlab/ci/templates/Security/Secure-Binaries.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/Secure-Binaries.gitlab-ci.yml
@@ -109,6 +109,8 @@ phpcs-security-audit:

 security-code-scan:
  extends: .download_images
+  variables:
+    SECURE_BINARIES_ANALYZER_VERSION: "3"
  only:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&