Commit 42ef9329 authored by Matija Čupić's avatar Matija Čupić

Merge branch '287691-ds-excluded-analyzers' into 'master'

Add DS_EXCLUDED_ANALYZERS var to DS tpl

See merge request gitlab-org/gitlab!61529
parents 2e474792 ae340254
---
title: Add DS_EXCLUDED_ANALYZERS var to Dependency Scanning template
merge_request: 61529
author:
type: added
......@@ -56,10 +56,10 @@ variables:
This configuration requires that your custom registry provides images for all
the official analyzers.
### Selecting specific analyzers
### Disable specific analyzers
You can select the official analyzers you want to run. Here's how to enable
`bundler-audit` and `gemnasium` while disabling all the other default ones.
You can select the official analyzers you don't want to run. Here's how to disable
`bundler-audit` and `gemnasium` analyzers.
In `.gitlab-ci.yml` define:
```yaml
......@@ -67,26 +67,23 @@ include:
template: Dependency-Scanning.gitlab-ci.yml
variables:
DS_DEFAULT_ANALYZERS: "bundler-audit,gemnasium"
DS_EXCLUDED_ANALYZERS: "bundler-audit, gemnasium"
```
`bundler-audit` runs first. When merging the reports, Dependency Scanning
removes the duplicates and keeps the `bundler-audit` entries.
### Disabling default analyzers
Setting `DS_DEFAULT_ANALYZERS` to an empty string disables all the official
default analyzers. In `.gitlab-ci.yml` define:
Setting `DS_EXCLUDED_ANALYZERS` to a list of the official analyzers disables them.
In `.gitlab-ci.yml` define:
```yaml
include:
template: Dependency-Scanning.gitlab-ci.yml
variables:
DS_DEFAULT_ANALYZERS: ""
DS_EXCLUDED_ANALYZERS: "gemnasium, gemansium-maven, gemnasium-python, bundler-audit, retire.js"
```
That's needed when one totally relies on [custom analyzers](#custom-analyzers).
This is used when one totally relies on [custom analyzers](#custom-analyzers).
## Custom analyzers
......
......@@ -169,7 +169,8 @@ The following variables allow configuration of global dependency scanning settin
| CI/CD variables | Description |
| ----------------------------|------------ |
| `ADDITIONAL_CA_CERT_BUNDLE` | Bundle of CA certs to trust. The bundle of certificates provided here is also used by other tools during the scanning process, such as `git`, `yarn`, or `npm`. See [Using a custom SSL CA certificate authority](#using-a-custom-ssl-ca-certificate-authority) for more details. |
| `DS_DEFAULT_ANALYZERS` | Override the names of the official default images. Read more about [customizing analyzers](analyzers.md). |
| `DS_EXCLUDED_ANALYZERS` | Specify the analyzers (by name) to exclude from Dependency Scanning. For more information, see [Dependency Scanning Analyzers](analyzers.md). |
| `DS_DEFAULT_ANALYZERS` | ([**DEPRECATED - use `DS_EXCLUDED_ANALYZERS` instead**](https://gitlab.com/gitlab-org/gitlab/-/issues/287691)) Override the names of the official default images. For more information, see [Dependency Scanning Analyzers](analyzers.md). |
| `DS_EXCLUDED_PATHS` | Exclude vulnerabilities from output based on the paths. A comma-separated list of patterns. Patterns can be globs, or file or folder paths (for example, `doc,spec`). Parent directories also match patterns. Default: `"spec, test, tests, tmp"`. |
| `SECURE_ANALYZERS_PREFIX` | Override the name of the Docker registry providing the official default images (proxy). Read more about [customizing analyzers](analyzers.md). |
| `SECURE_LOG_LEVEL` | Set the minimum logging level. Messages of this logging level or higher are output. From highest to lowest severity, the logging levels are: `fatal`, `error`, `warn`, `info`, `debug`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10880) in GitLab 13.1. Default: `info`. |
......@@ -564,8 +565,8 @@ such references:
ERROR: Could not find dependencies: <dependency-name>. You may need to run npm install
```
As a workaround, remove the [`retire.js`](analyzers.md#selecting-specific-analyzers) analyzer from
[DS_DEFAULT_ANALYZERS](#configuring-dependency-scanning).
As a workaround, add the [`retire.js`](analyzers.md) analyzer to
[`DS_EXCLUDED_ANALYZERS`](#configuring-dependency-scanning).
## Troubleshooting
......
......@@ -45,6 +45,46 @@ RSpec.describe 'Dependency-Scanning.gitlab-ci.yml' do
end
end
context 'when DS_EXCLUDED_ANALYZERS set to' do
let(:files) { { 'conan.lock' => '', 'Gemfile.lock' => '', 'package.json' => '', 'pom.xml' => '', 'Pipfile' => '' } }
describe 'exclude' do
using RSpec::Parameterized::TableSyntax
where(:case_name, :excluded_analyzers, :included_build_names) do
'nothing' | [] | %w(gemnasium-dependency_scanning gemnasium-maven-dependency_scanning gemnasium-python-dependency_scanning bundler-audit-dependency_scanning retire-js-dependency_scanning)
'gemnasium' | %w(gemnasium) | %w(gemnasium-maven-dependency_scanning gemnasium-python-dependency_scanning bundler-audit-dependency_scanning retire-js-dependency_scanning)
'gemnasium-maven' | %w(gemnasium-maven) | %w(gemnasium-dependency_scanning gemnasium-python-dependency_scanning bundler-audit-dependency_scanning retire-js-dependency_scanning)
'gemnasium-python' | %w(gemnasium-python) | %w(gemnasium-dependency_scanning gemnasium-maven-dependency_scanning bundler-audit-dependency_scanning retire-js-dependency_scanning)
'bundler-audit' | %w(bundler-audit) | %w(gemnasium-dependency_scanning gemnasium-maven-dependency_scanning gemnasium-python-dependency_scanning retire-js-dependency_scanning)
'retire.js' | %w(retire.js) | %w(gemnasium-dependency_scanning gemnasium-maven-dependency_scanning gemnasium-python-dependency_scanning bundler-audit-dependency_scanning)
'two' | %w(gemnasium bundler-audit) | %w(gemnasium-maven-dependency_scanning gemnasium-python-dependency_scanning retire-js-dependency_scanning)
'three' | %w(gemnasium-maven retire.js gemnasium) | %w(gemnasium-python-dependency_scanning bundler-audit-dependency_scanning)
'four' | %w(gemnasium-maven retire.js gemnasium bundler-audit) | %w(gemnasium-python-dependency_scanning)
end
with_them do
before do
create(:ci_variable, project: project, key: 'DS_EXCLUDED_ANALYZERS', value: excluded_analyzers.join(','))
end
it "creates pipeline with excluded analyzers skipped" do
expect(build_names).to include(*included_build_names)
end
end
context 'all analyzers excluded' do
before do
create(:ci_variable, project: project, key: 'DS_EXCLUDED_ANALYZERS', value: 'gemnasium-maven, retire.js, gemnasium-python, gemnasium, bundler-audit')
end
it 'creates a pipeline excluding jobs from specified analyzers' do
expect { build_names }.to raise_error(Ci::CreatePipelineService::CreateError, %r(No stages / jobs for this pipeline.))
end
end
end
end
context 'by default' do
describe 'language detection' do
using RSpec::Parameterized::TableSyntax
......
......@@ -8,8 +8,8 @@ variables:
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
DS_DEFAULT_ANALYZERS: "bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python"
DS_EXCLUDED_ANALYZERS: ""
DS_EXCLUDED_PATHS: "spec, test, tests, tmp"
DS_MAJOR_VERSION: 2
......@@ -45,6 +45,8 @@ gemnasium-dependency_scanning:
rules:
- if: $DEPENDENCY_SCANNING_DISABLED
when: never
- if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium([^-]|$)/
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium([^-]|$)/
......@@ -71,6 +73,8 @@ gemnasium-maven-dependency_scanning:
rules:
- if: $DEPENDENCY_SCANNING_DISABLED
when: never
- if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium-maven/
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium-maven/
......@@ -92,6 +96,8 @@ gemnasium-python-dependency_scanning:
rules:
- if: $DEPENDENCY_SCANNING_DISABLED
when: never
- if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium-python/
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium-python/
......@@ -120,6 +126,8 @@ bundler-audit-dependency_scanning:
rules:
- if: $DEPENDENCY_SCANNING_DISABLED
when: never
- if: $DS_EXCLUDED_ANALYZERS =~ /bundler-audit/
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /bundler-audit/
......@@ -138,6 +146,8 @@ retire-js-dependency_scanning:
rules:
- if: $DEPENDENCY_SCANNING_DISABLED
when: never
- if: $DS_EXCLUDED_ANALYZERS =~ /retire.js/
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /retire.js/
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment