Merge branch 'rf-remove-sast-config-ui-support-for-var' into 'master'

Remove Config UI support of SAST_DEFAULT_ANALYZERS [RUN ALL RSPEC] [RUN AS-IF-FOSS]

See merge request gitlab-org/gitlab!63317

app/services/security/ci_configuration/sast_parser_service.rb

@@ -74,19 +74,11 @@ module Security
 
       def sast_excluded_analyzers
         strong_memoize(:sast_excluded_analyzers) do
-          all_analyzers = Security::CiConfiguration::SastBuildAction::SAST_DEFAULT_ANALYZERS.split(', ') rescue []
-          enabled_analyzers = sast_default_analyzers.split(',').map(&:strip) rescue []
-
           excluded_analyzers = gitlab_ci_yml_attributes["SAST_EXCLUDED_ANALYZERS"] || sast_template_attributes["SAST_EXCLUDED_ANALYZERS"]
-          excluded_analyzers = excluded_analyzers.split(',').map(&:strip) rescue []
-          ((all_analyzers - enabled_analyzers) + excluded_analyzers).uniq
+          excluded_analyzers.split(',').map(&:strip) rescue []
         end
       end
 
-      def sast_default_analyzers
-        @sast_default_analyzers ||= gitlab_ci_yml_attributes["SAST_DEFAULT_ANALYZERS"] || sast_template_attributes["SAST_DEFAULT_ANALYZERS"]
-      end
-
       def sast_template_attributes
         @sast_template_attributes ||= build_sast_attributes(sast_template_content)
       end

lib/security/ci_configuration/sast_build_action.rb

@@ -3,8 +3,6 @@
 module Security
   module CiConfiguration
     class SastBuildAction < BaseBuildAction
-      SAST_DEFAULT_ANALYZERS = 'bandit, brakeman, eslint, flawfinder, gosec, kubesec, nodejs-scan, phpcs-security-audit, pmd-apex, security-code-scan, semgrep, sobelow, spotbugs'
-
       def initialize(auto_devops_enabled, params, existing_gitlab_ci_content)
         super(auto_devops_enabled, existing_gitlab_ci_content)
         @variables = variables(params)

spec/lib/security/ci_configuration/sast_build_action_spec.rb

@@ -144,8 +144,6 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
           subject(:result) { described_class.new(auto_devops_enabled, params_with_analyzer_info, gitlab_ci_content).generate }
 
           it 'writes SAST_EXCLUDED_ANALYZERS' do
-            stub_const('Security::CiConfiguration::SastBuildAction::SAST_DEFAULT_ANALYZERS', 'bandit, brakeman, flawfinder')
-
             expect(result[:content]).to eq(sast_yaml_with_no_variables_set_but_analyzers)
           end
         end
@@ -155,9 +153,7 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
 
           subject(:result) { described_class.new(auto_devops_enabled, params_with_all_analyzers_enabled, gitlab_ci_content).generate }
 
-          it 'does not write SAST_DEFAULT_ANALYZERS or SAST_EXCLUDED_ANALYZERS' do
-            stub_const('Security::CiConfiguration::SastBuildAction::SAST_DEFAULT_ANALYZERS', 'brakeman, flawfinder')
-
+          it 'does not write SAST_EXCLUDED_ANALYZERS' do
             expect(result[:content]).to eq(sast_yaml_with_no_variables_set)
           end
         end
@@ -316,20 +312,6 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
     end
   end
 
-  describe 'Security::CiConfiguration::SastBuildAction::SAST_DEFAULT_ANALYZERS' do
-    subject(:variable) {Security::CiConfiguration::SastBuildAction::SAST_DEFAULT_ANALYZERS}
-
-    it 'is sorted alphabetically' do
-      sorted_variable = Security::CiConfiguration::SastBuildAction::SAST_DEFAULT_ANALYZERS
-        .split(',')
-        .map(&:strip)
-        .sort
-        .join(', ')
-
-      expect(variable).to eq(sorted_variable)
-    end
-  end
-
   # stubbing this method allows this spec file to use fast_spec_helper
   def fast_auto_devops_stages
     auto_devops_template = YAML.safe_load( File.read('lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml') )

spec/services/security/ci_configuration/sast_parser_service_spec.rb

@@ -37,15 +37,6 @@ RSpec.describe Security::CiConfiguration::SastParserService do
           expect(sast_brakeman_level['value']).to eql('2')
         end
 
-        context 'SAST_DEFAULT_ANALYZERS is set' do
-          it 'enables analyzers correctly' do
-            allow(project.repository).to receive(:blob_data_at).and_return(gitlab_ci_yml_default_analyzers_content)
-
-            expect(brakeman['enabled']).to be(false)
-            expect(bandit['enabled']).to be(true)
-          end
-        end
-
         context 'SAST_EXCLUDED_ANALYZERS is set' do
           it 'enables analyzers correctly' do
             allow(project.repository).to receive(:blob_data_at).and_return(gitlab_ci_yml_excluded_analyzers_content)

spec/support/gitlab_stubs/gitlab_ci_for_sast.yml

@@ -4,7 +4,6 @@ include:
 variables:
   SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers2"
   SAST_EXCLUDED_PATHS: "spec, executables"
-  SAST_DEFAULT_ANALYZERS: "bandit, brakeman"
   SAST_EXCLUDED_ANALYZERS: "brakeman"
 
 stages:

spec/support/gitlab_stubs/gitlab_ci_for_sast_default_analyzers.yml

-include:
-  - template: SAST.gitlab-ci.yml
-
-variables:
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers2"
-  SAST_EXCLUDED_PATHS: "spec, executables"
-  SAST_DEFAULT_ANALYZERS: "bandit, gosec"
-
-stages:
-  - our_custom_security_stage
-sast:
-  stage:  our_custom_security_stage
-  variables:
-    SEARCH_MAX_DEPTH: 8
-    SAST_BRAKEMAN_LEVEL: 2

spec/support/shared_contexts/read_ci_configuration_shared_context.rb

@@ -5,10 +5,6 @@ RSpec.shared_context 'read ci configuration for sast enabled project' do
     File.read(Rails.root.join('spec/support/gitlab_stubs/gitlab_ci_for_sast.yml'))
   end
 
-  let_it_be(:gitlab_ci_yml_default_analyzers_content) do
-    File.read(Rails.root.join('spec/support/gitlab_stubs/gitlab_ci_for_sast_default_analyzers.yml'))
-  end
-
   let_it_be(:gitlab_ci_yml_excluded_analyzers_content) do
     File.read(Rails.root.join('spec/support/gitlab_stubs/gitlab_ci_for_sast_excluded_analyzers.yml'))
   end