Add nested file detection for Dependency Scanning

b3063d8a · Igor Frenkel · Rémy Coutable · f35bf8cb · b3063d8a · b3063d8a
Commit b3063d8a authored May 18, 2020 by Igor Frenkel Committed by Rémy Coutable May 18, 2020
3 changed files
--- a/changelogs/unreleased/fix-nested-search-for-matching-ds-files.yml
+++ b/changelogs/unreleased/fix-nested-search-for-matching-ds-files.yml
+---
+title: Add nested file detection for Dependency Scanning
+merge_request: 31932
+author:
+type: fixed
--- a/ee/spec/lib/gitlab/ci/templates/dependency_scanning_gitlab_ci_yaml_spec.rb
+++ b/ee/spec/lib/gitlab/ci/templates/dependency_scanning_gitlab_ci_yaml_spec.rb
@@ -78,8 +78,40 @@ describe 'Dependency-Scanning.gitlab-ci.yml' do
          end

          with_them do
-            it 'creates a pipeline with the expected jobs' do
-              expect(build_names).to include(*include_build_names)
+            let(:project) { create(:project, :custom_repo, files: files_at_depth_x) }
+
+            context 'with file at root' do
+              let(:files_at_depth_x) { files }
+
+              it 'creates a pipeline with the expected jobs' do
+                expect(build_names).to include(*include_build_names)
+              end
+            end
+
+            context 'with file at depth 1' do
+              # prepend a directory to files (e.g. convert go.sum to foo/go.sum)
+              let(:files_at_depth_x) {  Hash[files.map { |k, v| ["foo/#{k}", v]}] }
+
+              it 'creates a pipeline with the expected jobs' do
+                expect(build_names).to include(*include_build_names)
+              end
+            end
+
+            context 'with file at depth 2' do
+              # prepend a directory to files (e.g. convert go.sum to foo/bar/go.sum)
+              let(:files_at_depth_x) {  Hash[files.map { |k, v| ["foo/bar/#{k}", v]}] }
+
+              it 'creates a pipeline with the expected jobs' do
+                expect(build_names).to include(*include_build_names)
+              end
+            end
+
+            context 'with file at depth > 2' do
+              let(:files_at_depth_x) {  Hash[files.map { |k, v| ["foo/bar/baz/#{k}", v]}] }
+
+              it 'includes no job' do
+                expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
+              end
            end
          end
        end

--- a/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
@@ -105,13 +105,13 @@ gemnasium-dependency_scanning:
          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
          $DS_DEFAULT_ANALYZERS =~ /gemnasium([^-]|$)/
      exists:
-        - 'Gemfile.lock'
-        - 'composer.lock'
-        - 'gems.locked'
-        - 'go.sum'
-        - 'npm-shrinkwrap.json'
-        - 'package-lock.json'
-        - 'yarn.lock'
+        - '{Gemfile.lock,*/Gemfile.lock,*/*/Gemfile.lock}'
+        - '{composer.lock,*/composer.lock,*/*/composer.lock}'
+        - '{gems.locked,*/gems.locked,*/*/gems.locked}'
+        - '{go.sum,*/go.sum,*/*/go.sum}'
+        - '{npm-shrinkwrap.json,*/npm-shrinkwrap.json,*/*/npm-shrinkwrap.json}'
+        - '{package-lock.json,*/package-lock.json,*/*/package-lock.json}'
+        - '{yarn.lock,*/yarn.lock,*/*/yarn.lock}'

 gemnasium-maven-dependency_scanning:
  extends: .ds-analyzer
@@ -124,9 +124,9 @@ gemnasium-maven-dependency_scanning:
          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
          $DS_DEFAULT_ANALYZERS =~ /gemnasium-maven/
      exists:
-        - 'build.gradle'
-        - 'build.sbt'
-        - 'pom.xml'
+        - '{build.gradle,*/build.gradle,*/*/build.gradle}'
+        - '{build.sbt,*/build.sbt,*/*/build.sbt}'
+        - '{pom.xml,*/pom.xml,*/*/pom.xml}'

 gemnasium-python-dependency_scanning:
  extends: .ds-analyzer
@@ -139,11 +139,11 @@ gemnasium-python-dependency_scanning:
          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
          $DS_DEFAULT_ANALYZERS =~ /gemnasium-python/
      exists:
-        - 'requirements.txt'
-        - 'requirements.pip'
-        - 'Pipfile'
-        - 'requires.txt'
-        - 'setup.py'
+        - '{requirements.txt,*/requirements.txt,*/*/requirements.txt}'
+        - '{requirements.pip,*/requirements.pip,*/*/requirements.pip}'
+        - '{Pipfile,*/Pipfile,*/*/Pipfile}'
+        - '{requires.txt,*/requires.txt,*/*/requires.txt}'
+        - '{setup.py,*/setup.py,*/*/setup.py}'
      # Support passing of $PIP_REQUIREMENTS_FILE
      # See https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#configuring-specific-analyzers-used-by-dependency-scanning
    - if: $CI_COMMIT_BRANCH &&
@@ -162,7 +162,7 @@ bundler-audit-dependency_scanning:
          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
          $DS_DEFAULT_ANALYZERS =~ /bundler-audit/
      exists:
-        - 'Gemfile.lock'
+        - '{Gemfile.lock,*/Gemfile.lock,*/*/Gemfile.lock}'

 retire-js-dependency_scanning:
  extends: .ds-analyzer
@@ -175,4 +175,4 @@ retire-js-dependency_scanning:
          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
          $DS_DEFAULT_ANALYZERS =~ /retire.js/
      exists:
-        - 'package.json'
+        - '{package.json,*/package.json,*/*/package.json}'