Merge branch 'craigmsmith-disable-analyzers-replaced-by-semgrep' into 'main'

Disable analyzer replaced by semgrep

See merge request components/sast!8

.gitlab-ci.yml

@@ -3,12 +3,12 @@ include:
 
 stages: [test, release]
 
-ensure-brakeman-job-added:
+ensure-semgrep-job-added:
   image: badouralix/curl-jq
   script:
     - |
       route="$CI_API_V4_URL/projects/$CI_PROJECT_ID/pipelines/$CI_PIPELINE_ID/jobs"
-      count=`curl --silent $route | jq 'map(select(.name | contains("brakeman-sast"))) | length'`
+      count=`curl --silent $route | jq 'map(select(.name | contains("semgrep-sast"))) | length'`
       if [ "$count" != "1" ]; then
         exit 1
       fi

templates/sast.yml

@@ -34,19 +34,7 @@ spec:
     reports:
       sast: gl-sast-report.json
 
-brakeman-sast:
-  extends: .sast-analyzer
-  image:
-    name: "$[[ inputs.image_prefix ]]/brakeman:$[[ inputs.image_tag ]]"
-  rules:
-    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /brakeman/'
-      when: never
-    - if: $CI_COMMIT_BRANCH
-      exists:
-        - '**/*.rb'
-        - '**/Gemfile'
-
-flawfinder-sast:
+.deprecated-16.8:
   extends: .sast-analyzer
   script:
     - echo "This job was deprecated in GitLab 16.8 and removed in GitLab 17.0"
@@ -55,6 +43,13 @@ flawfinder-sast:
   rules:
     - when: never
 
+
+brakeman-sast:
+  extends: .deprecated-16.8
+
+flawfinder-sast:
+  extends: .deprecated-16.8
+
 kubesec-sast:
   extends: .sast-analyzer
   image:
@@ -64,52 +59,17 @@ kubesec-sast:
       when: never
     - if: '$CI_COMMIT_BRANCH && "$[[ inputs.run_kubesec_sast ]]" == "true"'
 
-.mobsf-sast:
-  extends: .sast-analyzer
-  image:
-    name: "$[[ inputs.image_prefix ]]/mobsf:$[[ inputs.image_tag ]]"
-
 mobsf-android-sast:
-  extends: .mobsf-sast
-  rules:
-    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /mobsf/'
-      when: never
-    - if: '$CI_COMMIT_BRANCH && "$[[ inputs.include_experimental ]]" == "true"'
-      exists:
-        - '**/*.apk'
-        - '**/AndroidManifest.xml'
+  extends: .deprecated-16.8
 
 mobsf-ios-sast:
-  extends: .mobsf-sast
-  rules:
-    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /mobsf/'
-      when: never
-    - if: '$CI_COMMIT_BRANCH && "$[[ inputs.include_experimental ]]" == "true"'
-      exists:
-        - '**/*.ipa'
-        - '**/*.xcodeproj/*'
+  extends: .deprecated-16.8
 
 nodejs-scan-sast:
-  extends: .sast-analyzer
-  image:
-    name: "$[[ inputs.image_prefix ]]/nodejs-scan:$[[ inputs.image_tag ]]"
-  rules:
-    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /nodejs-scan/'
-      when: never
-    - if: $CI_COMMIT_BRANCH
-      exists:
-        - '**/package.json'
+  extends: .deprecated-16.8
 
 phpcs-security-audit-sast:
-  extends: .sast-analyzer
-  image:
-    name: "$[[ inputs.image_prefix ]]/phpcs-security-audit:$[[ inputs.image_tag ]]"
-  rules:
-    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /phpcs-security-audit/'
-      when: never
-    - if: $CI_COMMIT_BRANCH
-      exists:
-        - '**/*.php'
+  extends: .deprecated-16.8
 
 pmd-apex-sast:
   extends: .sast-analyzer
@@ -148,12 +108,22 @@ semgrep-sast:
         - '**/*.ts'
         - '**/*.tsx'
         - '**/*.c'
+        - '**/*.cc'
+        - '**/*.cpp'
+        - '**/*.c++'
+        - '**/*.cp'
+        - '**/*.cxx'
         - '**/*.go'
         - '**/*.java'
-        - '**/*.cs'
         - '**/*.html'
+        - '**/*.cs'
         - '**/*.scala'
         - '**/*.sc'
+        - '**/*.php'
+        - '**/*.swift'
+        - '**/*.m'
+        - '**/*.rb'
+        - '**/*.kt'
 
 sobelow-sast:
   extends: .sast-analyzer