Merge branch 'rf-remove-sast-config-ui-support-for-var' into 'master'

Remove Config UI support of SAST_DEFAULT_ANALYZERS [RUN ALL RSPEC] [RUN AS-IF-FOSS] See merge request gitlab-org/gitlab!63317

Merge branch 'rf-remove-sast-config-ui-support-for-var' into 'master'
Remove Config UI support of SAST_DEFAULT_ANALYZERS [RUN ALL RSPEC] [RUN AS-IF-FOSS] See merge request gitlab-org/gitlab!63317
610f8d6a · Tetiana Chupryna · 6e3ae3a1 · b80cb56d · 610f8d6a · 610f8d6a
Commit 610f8d6a authored Jun 11, 2021 by Tetiana Chupryna
7 changed files
--- a/app/services/security/ci_configuration/sast_parser_service.rb
+++ b/app/services/security/ci_configuration/sast_parser_service.rb
@@ -74,17 +74,9 @@ module Security
      def sast_excluded_analyzers
        strong_memoize(:sast_excluded_analyzers) do
-          all_analyzers = Security::CiConfiguration::SastBuildAction::SAST_DEFAULT_ANALYZERS.split(', ') rescue []
-          enabled_analyzers = sast_default_analyzers.split(',').map(&:strip) rescue []
          excluded_analyzers = gitlab_ci_yml_attributes["SAST_EXCLUDED_ANALYZERS"] || sast_template_attributes["SAST_EXCLUDED_ANALYZERS"]
-          excluded_analyzers = excluded_analyzers.split(',').map(&:strip) rescue []
+          excluded_analyzers.split(',').map(&:strip) rescue []
-          ((all_analyzers - enabled_analyzers) + excluded_analyzers).uniq
-        end
        end
-      def sast_default_analyzers
-        @sast_default_analyzers ||= gitlab_ci_yml_attributes["SAST_DEFAULT_ANALYZERS"] || sast_template_attributes["SAST_DEFAULT_ANALYZERS"]
      end
      def sast_template_attributes

--- a/lib/security/ci_configuration/sast_build_action.rb
+++ b/lib/security/ci_configuration/sast_build_action.rb
@@ -3,8 +3,6 @@
 module Security
  module CiConfiguration
    class SastBuildAction < BaseBuildAction
-      SAST_DEFAULT_ANALYZERS = 'bandit, brakeman, eslint, flawfinder, gosec, kubesec, nodejs-scan, phpcs-security-audit, pmd-apex, security-code-scan, semgrep, sobelow, spotbugs'
      def initialize(auto_devops_enabled, params, existing_gitlab_ci_content)
        super(auto_devops_enabled, existing_gitlab_ci_content)
        @variables = variables(params)

--- a/spec/lib/security/ci_configuration/sast_build_action_spec.rb
+++ b/spec/lib/security/ci_configuration/sast_build_action_spec.rb
@@ -144,8 +144,6 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
          subject(:result) { described_class.new(auto_devops_enabled, params_with_analyzer_info, gitlab_ci_content).generate }
          it 'writes SAST_EXCLUDED_ANALYZERS' do
-            stub_const('Security::CiConfiguration::SastBuildAction::SAST_DEFAULT_ANALYZERS', 'bandit, brakeman, flawfinder')
            expect(result[:content]).to eq(sast_yaml_with_no_variables_set_but_analyzers)
          end
        end
@@ -155,9 +153,7 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
          subject(:result) { described_class.new(auto_devops_enabled, params_with_all_analyzers_enabled, gitlab_ci_content).generate }
-          it 'does not write SAST_DEFAULT_ANALYZERS or SAST_EXCLUDED_ANALYZERS' do
+          it 'does not write SAST_EXCLUDED_ANALYZERS' do
-            stub_const('Security::CiConfiguration::SastBuildAction::SAST_DEFAULT_ANALYZERS', 'brakeman, flawfinder')
            expect(result[:content]).to eq(sast_yaml_with_no_variables_set)
          end
        end
@@ -316,20 +312,6 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
    end
  end
-  describe 'Security::CiConfiguration::SastBuildAction::SAST_DEFAULT_ANALYZERS' do
-    subject(:variable) {Security::CiConfiguration::SastBuildAction::SAST_DEFAULT_ANALYZERS}
-    it 'is sorted alphabetically' do
-      sorted_variable = Security::CiConfiguration::SastBuildAction::SAST_DEFAULT_ANALYZERS
-        .split(',')
-        .map(&:strip)
-        .sort
-        .join(', ')
-      expect(variable).to eq(sorted_variable)
-    end
-  end
  # stubbing this method allows this spec file to use fast_spec_helper
  def fast_auto_devops_stages
    auto_devops_template = YAML.safe_load( File.read('lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml') )

--- a/spec/services/security/ci_configuration/sast_parser_service_spec.rb
+++ b/spec/services/security/ci_configuration/sast_parser_service_spec.rb
@@ -37,15 +37,6 @@ RSpec.describe Security::CiConfiguration::SastParserService do
          expect(sast_brakeman_level['value']).to eql('2')
        end
-        context 'SAST_DEFAULT_ANALYZERS is set' do
-          it 'enables analyzers correctly' do
-            allow(project.repository).to receive(:blob_data_at).and_return(gitlab_ci_yml_default_analyzers_content)
-            expect(brakeman['enabled']).to be(false)
-            expect(bandit['enabled']).to be(true)
-          end
-        end
        context 'SAST_EXCLUDED_ANALYZERS is set' do
          it 'enables analyzers correctly' do
            allow(project.repository).to receive(:blob_data_at).and_return(gitlab_ci_yml_excluded_analyzers_content)

--- a/spec/support/gitlab_stubs/gitlab_ci_for_sast.yml
+++ b/spec/support/gitlab_stubs/gitlab_ci_for_sast.yml
@@ -4,7 +4,6 @@ include:
 variables:
  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers2"
  SAST_EXCLUDED_PATHS: "spec, executables"
-  SAST_DEFAULT_ANALYZERS: "bandit, brakeman"
  SAST_EXCLUDED_ANALYZERS: "brakeman"
 stages:

--- a/spec/support/gitlab_stubs/gitlab_ci_for_sast_default_analyzers.yml
+++ b/spec/support/gitlab_stubs/gitlab_ci_for_sast_default_analyzers.yml
-include:
-  - template: SAST.gitlab-ci.yml
-variables:
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers2"
-  SAST_EXCLUDED_PATHS: "spec, executables"
-  SAST_DEFAULT_ANALYZERS: "bandit, gosec"
-stages:
-  - our_custom_security_stage
-sast:
-  stage:  our_custom_security_stage
-  variables:
-    SEARCH_MAX_DEPTH: 8
-    SAST_BRAKEMAN_LEVEL: 2
--- a/spec/support/shared_contexts/read_ci_configuration_shared_context.rb
+++ b/spec/support/shared_contexts/read_ci_configuration_shared_context.rb
@@ -5,10 +5,6 @@ RSpec.shared_context 'read ci configuration for sast enabled project' do
    File.read(Rails.root.join('spec/support/gitlab_stubs/gitlab_ci_for_sast.yml'))
  end
-  let_it_be(:gitlab_ci_yml_default_analyzers_content) do
-    File.read(Rails.root.join('spec/support/gitlab_stubs/gitlab_ci_for_sast_default_analyzers.yml'))
-  end
  let_it_be(:gitlab_ci_yml_excluded_analyzers_content) do
    File.read(Rails.root.join('spec/support/gitlab_stubs/gitlab_ci_for_sast_excluded_analyzers.yml'))
  end