ci: Update report jobs with latest from templates and run upon changes

Signed-off-by: Rémy Coutable <remy@rymai.me>

ci: Update report jobs with latest from templates and run upon changes
Signed-off-by: Rémy Coutable <remy@rymai.me>
bf05abda · Rémy Coutable · d1fa774b · bf05abda · bf05abda
Commit bf05abda authored Sep 30, 2021 by Rémy Coutable
Show whitespace changes
Inline Side-by-side

Showing with 66 additions and 33 deletions

.gitlab/ci/reports.gitlab-ci.yml .gitlab/ci/reports.gitlab-ci.yml +13 -12

.gitlab/ci/rules.gitlab-ci.yml .gitlab/ci/rules.gitlab-ci.yml +53 -21

No files found.
--- a/.gitlab/ci/reports.gitlab-ci.yml
+++ b/.gitlab/ci/reports.gitlab-ci.yml
 include:
  - template: Jobs/Code-Quality.gitlab-ci.yml
-  - template: Security/SAST.gitlab-ci.yml
-  - template: Security/Secret-Detection.gitlab-ci.yml
+  - template: Jobs/SAST.gitlab-ci.yml
+  - template: Jobs/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml

@@ -30,13 +30,13 @@ code_quality:
    SAST_EXCLUDED_ANALYZERS: bandit, flawfinder, phpcs-security-audit, pmd-apex, security-code-scan, spotbugs, eslint

 brakeman-sast:
-  rules: !reference [".reports:rules:sast", rules]
+  rules: !reference [".reports:rules:brakeman-sast", rules]

 nodejs-scan-sast:
-  rules: !reference [".reports:rules:sast", rules]
+  rules: !reference [".reports:rules:nodejs-scan-sast", rules]

 semgrep-sast:
-  rules: !reference [".reports:rules:sast", rules]
+  rules: !reference [".reports:rules:semgrep-sast", rules]

 gosec-sast:
  variables:
@@ -52,7 +52,7 @@ gosec-sast:
  cache:
    paths:
      - vendor/go
-  rules: !reference [".reports:rules:sast", rules]
+  rules: !reference [".reports:rules:gosec-sast", rules]

 .secret-analyzer:
  extends: .default-retry
@@ -101,8 +101,7 @@ gemnasium-python-dependency_scanning:
 # Analyze dependencies for malicious behavior
 # See https://gitlab.com/gitlab-com/gl-security/security-research/package-hunter
 .package_hunter-base:
-  extends:
-    - .default-retry
+  extends: .default-retry
  stage: test
  image:
    name: registry.gitlab.com/gitlab-com/gl-security/security-research/package-hunter-cli:1.1.0
@@ -116,6 +115,8 @@ gemnasium-python-dependency_scanning:
  before_script:
    - rm -r spec locale .git app/assets/images doc/
    - cd .. && tar -I "gzip --best" -cf gitlab.tgz gitlab/
+  script:
+    - node /usr/src/app/cli.js analyze --format gitlab --manager ${PACKAGE_MANAGER} gitlab.tgz | tee ${CI_PROJECT_DIR}/gl-dependency-scanning-report.json
  artifacts:
    paths:
      - gl-dependency-scanning-report.json
@@ -127,15 +128,15 @@ package_hunter-yarn:
  extends:
    - .package_hunter-base
    - .reports:rules:package_hunter-yarn
-  script:
-    - node /usr/src/app/cli.js analyze --format gitlab --manager yarn gitlab.tgz | tee $CI_PROJECT_DIR/gl-dependency-scanning-report.json
+  variables:
+    PACKAGE_MANAGER: yarn

 package_hunter-bundler:
  extends:
    - .package_hunter-base
    - .reports:rules:package_hunter-bundler
-  script:
-    - node /usr/src/app/cli.js analyze --format gitlab --manager bundler gitlab.tgz | tee $CI_PROJECT_DIR/gl-dependency-scanning-report.json
+  variables:
+    PACKAGE_MANAGER: bundler

 license_scanning:
  extends: .default-retry

--- a/.gitlab/ci/rules.gitlab-ci.yml
+++ b/.gitlab/ci/rules.gitlab-ci.yml
@@ -1194,53 +1194,86 @@
      changes: *code-backstage-patterns
      allow_failure: true

-.reports:rules:sast:
+.reports:rules:brakeman-sast:
  rules:
-    - if: '$SAST_DISABLED || $GITLAB_FEATURES !~ /\bsast\b/'
+    - if: $SAST_DISABLED
      when: never
-    - <<: *if-default-refs
-      changes: *code-backstage-qa-patterns
+    - if: $SAST_EXCLUDED_ANALYZERS =~ /brakeman/
+      when: never
+    - changes:
+        - '**/*.rb'
+        - '**/Gemfile'
+      allow_failure: true
+
+.reports:rules:nodejs-scan-sast:
+  rules:
+    - if: $SAST_DISABLED
+      when: never
+    - if: $SAST_EXCLUDED_ANALYZERS =~ /nodejs-scan/
+      when: never
+    - changes:
+        - '**/package.json'
+      allow_failure: true
+
+.reports:rules:gosec-sast:
+  rules:
+    - if: $SAST_DISABLED
+      when: never
+    - if: $SAST_EXCLUDED_ANALYZERS =~ /gosec/
+      when: never
+    - changes:
+        - '**/*.go'
+      allow_failure: true
+
+.reports:rules:semgrep-sast:
+  rules:
+    - if: $SAST_DISABLED
+      when: never
+    - if: $SAST_EXCLUDED_ANALYZERS =~ /semgrep/
+      when: never
+    - changes:
+        - '**/*.py'
+        - '**/*.js'
+        - '**/*.jsx'
+        - '**/*.ts'
+        - '**/*.tsx'
+        - '**/*.c'
+        - '**/*.go'
      allow_failure: true

 .reports:rules:secret_detection:
  rules:
    - if: '$SECRET_DETECTION_DISABLED'
      when: never
-    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'  # The Secret-Detection template already has a `secret_detection_default_branch` job
-      when: never
    - changes: *code-backstage-qa-patterns
      allow_failure: true

 .reports:rules:gemnasium-dependency_scanning:
  rules:
-    - if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /gemnasium([^-]|$)/'
+    - if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /gemnasium([^-]|$)/ || $DS_DEFAULT_ANALYZERS !~ /gemnasium([^-]|$)/'
      when: never
-    - <<: *if-default-refs
-      changes: *dependency-patterns
+    - changes: *dependency-patterns
      allow_failure: true

 .reports:rules:bundler-audit-dependency_scanning:
  rules:
-    - if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /bundler-audit/'
+    - if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /bundler-audit/ || $DS_DEFAULT_ANALYZERS !~ /bundler-audit/'
      when: never
-    - <<: *if-default-refs
-      changes: *bundler-patterns
+    - changes: *bundler-patterns
      allow_failure: true

 .reports:rules:retire-js-dependency_scanning:
  rules:
-    - if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /retire.js/'
+    - if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /retire.js/ || $DS_DEFAULT_ANALYZERS !~ /retire.js/'
      when: never
-    - <<: *if-default-refs
-      changes: *nodejs-patterns
+    - changes: *nodejs-patterns
      allow_failure: true

 .reports:rules:gemnasium-python-dependency_scanning:
  rules:
-    - if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /gemnasium-python/'
+    - if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /gemnasium-python/ || $DS_DEFAULT_ANALYZERS !~ /gemnasium-python/'
      when: never
-    - <<: *if-default-refs
-      changes: *python-patterns
+    - changes: *python-patterns
      allow_failure: true

 .reports:rules:dast:
@@ -1280,10 +1313,9 @@

 .reports:rules:license_scanning:
  rules:
-    - if: '$LICENSE_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\blicense_scanning\b/'
+    - if: '$LICENSE_MANAGEMENT_DISABLED || $GITLAB_FEATURES !~ /\blicense_scanning\b/'
      when: never
-    - <<: *if-default-refs
-      changes: *code-backstage-qa-patterns
+    - changes: *code-backstage-qa-patterns
      allow_failure: true

 ################