Make SAST compatible with private dependencies

Enable the propagation of all of the job ENV vars to the sast docker container and thus to the analyzer containers being started by it. This enables passing credentials for private repos being accessed by underlying analyzers via UI-set environment variables. Exclude a bunch of system-related ENV vars from propagation.

Make SAST compatible with private dependencies
Enable the propagation of all of the job ENV vars to the sast docker container and thus to the analyzer containers being started by it. This enables passing credentials for private repos being accessed by underlying analyzers via UI-set environment variables. Exclude a bunch of system-related ENV vars from propagation.
42bb0907 · Victor Zagorodny · Sean McGivern · 462f7942 · 42bb0907 · 42bb0907
Commit 42bb0907 authored Oct 22, 2019 by Victor Zagorodny Committed by Sean McGivern Oct 22, 2019
3 changed files
--- a/changelogs/unreleased/11137-propagate-all-env-vars-to-sast-containers.yml
+++ b/changelogs/unreleased/11137-propagate-all-env-vars-to-sast-containers.yml
+---
+title: Propagate custom environment variables to SAST analyzers
+merge_request: 18193
+author:
+type: changed
--- a/doc/user/application_security/sast/index.md
+++ b/doc/user/application_security/sast/index.md
@@ -146,7 +146,15 @@ sast:
    CI_DEBUG_TRACE: "true"
 ```

-### Using a variable to pass username and password to a private Maven repository
+### Using environment variables to pass credentials for private repositories
+
+Some analyzers require downloading the project's dependencies in order to
+perform the analysis. In turn, such dependencies may live in private Git
+repositories and thus require credentials like username and password to download them.
+Depending on the analyzer, such credentials can be provided to
+it via [custom environment variables](#custom-environment-variables).
+
+#### Using a variable to pass username and password to a private Maven repository

 If you have a private Apache Maven repository that requires login credentials,
 you can use the `MAVEN_CLI_OPTS` [environment variable](#available-variables)
@@ -234,6 +242,19 @@ Some analyzers can be customized with environment variables.
 | `SBT_PATH`              | spotbugs | Path to the `sbt` executable. |
 | `FAIL_NEVER`            | spotbugs | Set to `1` to ignore compilation failure. |

+#### Custom environment variables
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/merge_requests/18193) in GitLab Ultimate 12.5.
+
+In addition to the aforementioned SAST configuration variables,
+all [custom environment variables](../../../ci/variables/README.md#creating-a-custom-environment-variable) are propagated
+to the underlying SAST analyzer images if
+[the SAST vendored template](#configuration) is used.
+
+CAUTION: **Caution:**
+Variables having names starting with these prefixes will **not** be propagated to the SAST Docker container and/or
+analyzer containers: `DOCKER_`, `CI`, `GITLAB_`, `FF_`, `HOME`, `PWD`, `OLDPWD`, `PATH`, `SHLVL`, `HOSTNAME`.
+
 ## Reports JSON format

 CAUTION: **Caution:**

--- a/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
@@ -35,45 +35,12 @@ sast:
          export DOCKER_HOST='tcp://localhost:2375'
        fi
      fi
-    - | # this is required to avoid undesirable reset of Docker image ENV variables being set on build stage
-      function propagate_env_vars() {
-        CURRENT_ENV=$(printenv)
-
-        for VAR_NAME; do
-          echo $CURRENT_ENV | grep "${VAR_NAME}=" > /dev/null && echo "--env $VAR_NAME "
-        done
-      }
+    - |
+      printenv | grep -E '^(DOCKER_|CI|GITLAB_|FF_|HOME|PWD|OLDPWD|PATH|SHLVL|HOSTNAME)' | cut -d'=' -f1 | \
+        (while IFS='\\n' read -r VAR; do unset -v "$VAR"; done; /bin/printenv > .env)
    - |
      docker run \
-        $(propagate_env_vars \
-          SAST_BANDIT_EXCLUDED_PATHS \
-          SAST_ANALYZER_IMAGES \
-          SAST_ANALYZER_IMAGE_PREFIX \
-          SAST_ANALYZER_IMAGE_TAG \
-          SAST_DEFAULT_ANALYZERS \
-          SAST_PULL_ANALYZER_IMAGES \
-          SAST_BRAKEMAN_LEVEL \
-          SAST_FLAWFINDER_LEVEL \
-          SAST_GITLEAKS_ENTROPY_LEVEL \
-          SAST_GOSEC_LEVEL \
-          SAST_EXCLUDED_PATHS \
-          SAST_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \
-          SAST_PULL_ANALYZER_IMAGE_TIMEOUT \
-          SAST_RUN_ANALYZER_TIMEOUT \
-          SAST_JAVA_VERSION \
-          ANT_HOME \
-          ANT_PATH \
-          GRADLE_PATH \
-          JAVA_OPTS \
-          JAVA_PATH \
-          JAVA_8_VERSION \
-          JAVA_11_VERSION \
-          MAVEN_CLI_OPTS \
-          MAVEN_PATH \
-          MAVEN_REPO_PATH \
-          SBT_PATH \
-          FAIL_NEVER \
-        ) \
+        --env-file .env \
        --volume "$PWD:/code" \
        --volume /var/run/docker.sock:/var/run/docker.sock \
        "registry.gitlab.com/gitlab-org/security-products/sast:$SAST_VERSION" /app/bin/run /code