Disable analyzer replaced by semgrep

2025-06-30 07:28:29 +02:00 · 2024-05-07 13:33:41 +00:00 · 2024-05-07 13:33:41 +00:00 · 4852fea0ce
commit 4852fea0ce
parent 036c14b9ed
2 changed files with 25 additions and 55 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -3,12 +3,12 @@ include:

 stages: [test, release]

-ensure-brakeman-job-added:
+ensure-semgrep-job-added:
  image: badouralix/curl-jq
  script:
    - |
      route="$CI_API_V4_URL/projects/$CI_PROJECT_ID/pipelines/$CI_PIPELINE_ID/jobs"
-      count=`curl --silent $route | jq 'map(select(.name | contains("brakeman-sast"))) | length'`
+      count=`curl --silent $route | jq 'map(select(.name | contains("semgrep-sast"))) | length'`
      if [ "$count" != "1" ]; then
        exit 1
      fi
--- a/templates/sast.yml
+++ b/templates/sast.yml
@ -34,19 +34,7 @@ spec:
    reports:
      sast: gl-sast-report.json

-brakeman-sast:
-  extends: .sast-analyzer
-  image:
-    name: "$[[ inputs.image_prefix ]]/brakeman:$[[ inputs.image_tag ]]"
-  rules:
-    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /brakeman/'
-      when: never
-    - if: $CI_COMMIT_BRANCH
-      exists:
-        - '**/*.rb'
-        - '**/Gemfile'
-
-flawfinder-sast:
+.deprecated-16.8:
  extends: .sast-analyzer
  script:
    - echo "This job was deprecated in GitLab 16.8 and removed in GitLab 17.0"
@ -55,6 +43,13 @@ flawfinder-sast:
  rules:
    - when: never

+
+brakeman-sast:
+  extends: .deprecated-16.8
+
+flawfinder-sast:
+  extends: .deprecated-16.8
+
 kubesec-sast:
  extends: .sast-analyzer
  image:
@ -64,52 +59,17 @@ kubesec-sast:
      when: never
    - if: '$CI_COMMIT_BRANCH && "$[[ inputs.run_kubesec_sast ]]" == "true"'

-.mobsf-sast:
-  extends: .sast-analyzer
-  image:
-    name: "$[[ inputs.image_prefix ]]/mobsf:$[[ inputs.image_tag ]]"
-
 mobsf-android-sast:
-  extends: .mobsf-sast
-  rules:
-    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /mobsf/'
-      when: never
-    - if: '$CI_COMMIT_BRANCH && "$[[ inputs.include_experimental ]]" == "true"'
-      exists:
-        - '**/*.apk'
-        - '**/AndroidManifest.xml'
+  extends: .deprecated-16.8

 mobsf-ios-sast:
-  extends: .mobsf-sast
-  rules:
-    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /mobsf/'
-      when: never
-    - if: '$CI_COMMIT_BRANCH && "$[[ inputs.include_experimental ]]" == "true"'
-      exists:
-        - '**/*.ipa'
-        - '**/*.xcodeproj/*'
+  extends: .deprecated-16.8

 nodejs-scan-sast:
-  extends: .sast-analyzer
-  image:
-    name: "$[[ inputs.image_prefix ]]/nodejs-scan:$[[ inputs.image_tag ]]"
-  rules:
-    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /nodejs-scan/'
-      when: never
-    - if: $CI_COMMIT_BRANCH
-      exists:
-        - '**/package.json'
+  extends: .deprecated-16.8

 phpcs-security-audit-sast:
-  extends: .sast-analyzer
-  image:
-    name: "$[[ inputs.image_prefix ]]/phpcs-security-audit:$[[ inputs.image_tag ]]"
-  rules:
-    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /phpcs-security-audit/'
-      when: never
-    - if: $CI_COMMIT_BRANCH
-      exists:
-        - '**/*.php'
+  extends: .deprecated-16.8

 pmd-apex-sast:
  extends: .sast-analyzer
@ -148,12 +108,22 @@ semgrep-sast:
        - '**/*.ts'
        - '**/*.tsx'
        - '**/*.c'
+        - '**/*.cc'
+        - '**/*.cpp'
+        - '**/*.c++'
+        - '**/*.cp'
+        - '**/*.cxx'
        - '**/*.go'
        - '**/*.java'
-        - '**/*.cs'
        - '**/*.html'
+        - '**/*.cs'
        - '**/*.scala'
        - '**/*.sc'
+        - '**/*.php'
+        - '**/*.swift'
+        - '**/*.m'
+        - '**/*.rb'
+        - '**/*.kt'

 sobelow-sast:
  extends: .sast-analyzer