Merge branch 'narrow-down-sast-rules' into 'master'

ci: Update report jobs with latest from templates and run upon changes

See merge request gitlab-org/gitlab!71457

.gitlab/ci/dast.gitlab-ci.yml

@@ -37,6 +37,7 @@
     reports:
       dast: gl-dast-report.json
     expire_in: 1 week  # GitLab-specific
+  allow_failure: true
 
 # DAST scan with a subset of Release scan rules.
 # ZAP rule details can be found at https://www.zaproxy.org/docs/alerts/

.gitlab/ci/reports.gitlab-ci.yml

 include:
   - template: Jobs/Code-Quality.gitlab-ci.yml
-  - template: Security/SAST.gitlab-ci.yml
-  - template: Security/Secret-Detection.gitlab-ci.yml
+  - template: Jobs/SAST.gitlab-ci.yml
+  - template: Jobs/Secret-Detection.gitlab-ci.yml
   - template: Security/Dependency-Scanning.gitlab-ci.yml
   - template: Security/License-Scanning.gitlab-ci.yml
 
@@ -13,6 +13,7 @@ code_quality:
     paths:
       - gl-code-quality-report.json  # GitLab-specific
   rules: !reference [".reports:rules:code_quality", rules]
+  allow_failure: true
 
 .sast-analyzer:
   # We need to re-`extends` from `sast` as the `extends` here overrides the one from the template.
@@ -30,13 +31,16 @@ code_quality:
     SAST_EXCLUDED_ANALYZERS: bandit, flawfinder, phpcs-security-audit, pmd-apex, security-code-scan, spotbugs, eslint
 
 brakeman-sast:
-  rules: !reference [".reports:rules:sast", rules]
+  rules: !reference [".reports:rules:brakeman-sast", rules]
+  allow_failure: true
 
 nodejs-scan-sast:
-  rules: !reference [".reports:rules:sast", rules]
+  rules: !reference [".reports:rules:nodejs-scan-sast", rules]
+  allow_failure: true
 
 semgrep-sast:
-  rules: !reference [".reports:rules:sast", rules]
+  rules: !reference [".reports:rules:semgrep-sast", rules]
+  allow_failure: true
 
 gosec-sast:
   variables:
@@ -52,7 +56,8 @@ gosec-sast:
   cache:
     paths:
       - vendor/go
-  rules: !reference [".reports:rules:sast", rules]
+  rules: !reference [".reports:rules:gosec-sast", rules]
+  allow_failure: true
 
 .secret-analyzer:
   extends: .default-retry
@@ -64,6 +69,7 @@ gosec-sast:
 
 secret_detection:
   rules: !reference [".reports:rules:secret_detection", rules]
+  allow_failure: true
 
 .ds-analyzer:
   # We need to re-`extends` from `dependency_scanning` as the `extends` here overrides the one from the template.
@@ -88,21 +94,24 @@ gemnasium-dependency_scanning:
     # Lower execa severity based on https://gitlab.com/gitlab-org/gitlab/-/issues/223859#note_452922390
     - jq '(.vulnerabilities[] | select (.cve == "yarn.lock:execa:gemnasium:05cfa2e8-2d0c-42c1-8894-638e2f12ff3d")).severity = "Medium"' gl-dependency-scanning-report.json > temp.json && mv temp.json gl-dependency-scanning-report.json
   rules: !reference [".reports:rules:gemnasium-dependency_scanning", rules]
+  allow_failure: true
 
 bundler-audit-dependency_scanning:
   rules: !reference [".reports:rules:bundler-audit-dependency_scanning", rules]
+  allow_failure: true
 
 retire-js-dependency_scanning:
   rules: !reference [".reports:rules:retire-js-dependency_scanning", rules]
+  allow_failure: true
 
 gemnasium-python-dependency_scanning:
   rules: !reference [".reports:rules:gemnasium-python-dependency_scanning", rules]
+  allow_failure: true
 
 # Analyze dependencies for malicious behavior
 # See https://gitlab.com/gitlab-com/gl-security/security-research/package-hunter
 .package_hunter-base:
-  extends:
-    - .default-retry
+  extends: .default-retry
   stage: test
   image:
     name: registry.gitlab.com/gitlab-com/gl-security/security-research/package-hunter-cli:1.1.0
@@ -116,6 +125,8 @@ gemnasium-python-dependency_scanning:
   before_script:
     - rm -r spec locale .git app/assets/images doc/
     - cd .. && tar -I "gzip --best" -cf gitlab.tgz gitlab/
+  script:
+    - node /usr/src/app/cli.js analyze --format gitlab --manager ${PACKAGE_MANAGER} gitlab.tgz | tee ${CI_PROJECT_DIR}/gl-dependency-scanning-report.json
   artifacts:
     paths:
       - gl-dependency-scanning-report.json
@@ -127,15 +138,15 @@ package_hunter-yarn:
   extends:
     - .package_hunter-base
     - .reports:rules:package_hunter-yarn
-  script:
-    - node /usr/src/app/cli.js analyze --format gitlab --manager yarn gitlab.tgz | tee $CI_PROJECT_DIR/gl-dependency-scanning-report.json
+  variables:
+    PACKAGE_MANAGER: yarn
 
 package_hunter-bundler:
   extends:
     - .package_hunter-base
     - .reports:rules:package_hunter-bundler
-  script:
-    - node /usr/src/app/cli.js analyze --format gitlab --manager bundler gitlab.tgz | tee $CI_PROJECT_DIR/gl-dependency-scanning-report.json
+  variables:
+    PACKAGE_MANAGER: bundler
 
 license_scanning:
   extends: .default-retry
@@ -143,3 +154,4 @@ license_scanning:
   artifacts:
     expire_in: 1 week  # GitLab-specific
   rules: !reference [".reports:rules:license_scanning", rules]
+  allow_failure: true

.gitlab/ci/rules.gitlab-ci.yml

@@ -1254,75 +1254,85 @@
       when: never
     - <<: *if-default-refs
       changes: *code-backstage-patterns
-      allow_failure: true
 
-.reports:rules:sast:
+.reports:rules:brakeman-sast:
   rules:
-    - if: '$SAST_DISABLED || $GITLAB_FEATURES !~ /\bsast\b/'
+    - if: $SAST_DISABLED
       when: never
-    - <<: *if-default-refs
-      changes: *code-backstage-qa-patterns
-      allow_failure: true
+    - if: $SAST_EXCLUDED_ANALYZERS =~ /brakeman/
+      when: never
+    - changes:
+        - '**/*.rb'
+        - '**/Gemfile'
+
+.reports:rules:nodejs-scan-sast:
+  rules:
+    - if: $SAST_DISABLED
+      when: never
+    - if: $SAST_EXCLUDED_ANALYZERS =~ /nodejs-scan/
+      when: never
+    - changes:
+        - '**/package.json'
+
+.reports:rules:gosec-sast:
+  rules:
+    - if: $SAST_DISABLED
+      when: never
+    - if: $SAST_EXCLUDED_ANALYZERS =~ /gosec/
+      when: never
+    - changes:
+        - '**/*.go'
+
+.reports:rules:semgrep-sast:
+  rules:
+    - if: $SAST_DISABLED
+      when: never
+    - if: $SAST_EXCLUDED_ANALYZERS =~ /semgrep/
+      when: never
+    - changes:
+        - '**/*.py'
+        - '**/*.js'
+        - '**/*.jsx'
+        - '**/*.ts'
+        - '**/*.tsx'
+        - '**/*.c'
+        - '**/*.go'
 
 .reports:rules:secret_detection:
   rules:
     - if: '$SECRET_DETECTION_DISABLED'
       when: never
-    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'  # The Secret-Detection template already has a `secret_detection_default_branch` job
-      when: never
     - changes: *code-backstage-qa-patterns
-      allow_failure: true
 
 .reports:rules:gemnasium-dependency_scanning:
   rules:
-    - if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /gemnasium([^-]|$)/'
+    - if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /gemnasium([^-]|$)/ || $DS_DEFAULT_ANALYZERS !~ /gemnasium([^-]|$)/'
       when: never
-    - <<: *if-default-refs
-      changes: *dependency-patterns
-      allow_failure: true
+    - changes: *dependency-patterns
 
 .reports:rules:bundler-audit-dependency_scanning:
   rules:
-    - if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /bundler-audit/'
+    - if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /bundler-audit/ || $DS_DEFAULT_ANALYZERS !~ /bundler-audit/'
       when: never
-    - <<: *if-default-refs
-      changes: *bundler-patterns
-      allow_failure: true
+    - changes: *bundler-patterns
 
 .reports:rules:retire-js-dependency_scanning:
   rules:
-    - if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /retire.js/'
+    - if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /retire.js/ || $DS_DEFAULT_ANALYZERS !~ /retire.js/'
       when: never
-    - <<: *if-default-refs
-      changes: *nodejs-patterns
-      allow_failure: true
+    - changes: *nodejs-patterns
 
 .reports:rules:gemnasium-python-dependency_scanning:
   rules:
-    - if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /gemnasium-python/'
+    - if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /gemnasium-python/ || $DS_DEFAULT_ANALYZERS !~ /gemnasium-python/'
       when: never
-    - <<: *if-default-refs
-      changes: *python-patterns
-      allow_failure: true
-
-.reports:rules:dast:
-  rules:
-    - if: '$DAST_DISABLED || $GITLAB_FEATURES !~ /\bdast\b/'
-      when: never
-    - <<: *if-dot-com-gitlab-org-merge-request
-      changes: *frontend-patterns
-      allow_failure: true
-    - <<: *if-dot-com-gitlab-org-merge-request
-      changes: *code-qa-patterns
-      when: manual
-      allow_failure: true
+    - changes: *python-patterns
 
 .reports:rules:schedule-dast:
   rules:
     - if: '$DAST_DISABLED || $GITLAB_FEATURES !~ /\bdast\b/'
       when: never
     - <<: *if-dot-com-ee-nightly-schedule
-      allow_failure: true
 
 .reports:rules:package_hunter-yarn:
   rules:
@@ -1342,11 +1352,9 @@
 
 .reports:rules:license_scanning:
   rules:
-    - if: '$LICENSE_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\blicense_scanning\b/'
+    - if: '$LICENSE_MANAGEMENT_DISABLED || $GITLAB_FEATURES !~ /\blicense_scanning\b/'
       when: never
-    - <<: *if-default-refs
-      changes: *code-backstage-qa-patterns
-      allow_failure: true
+    - changes: *code-backstage-qa-patterns
 
 ################
 # Review rules #