From c06a78445cb21ecd046aa4bf14024d21818f05fc Mon Sep 17 00:00:00 2001 From: Melissa Beldman Date: Tue, 3 Jun 2025 16:25:47 +0000 Subject: [PATCH 1/8] Update file sast.yml --- templates/sast.yml | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/templates/sast.yml b/templates/sast.yml index 64e7743..850aeb0 100644 --- a/templates/sast.yml +++ b/templates/sast.yml @@ -21,6 +21,9 @@ spec: type: boolean include_experimental: default: 'false' + enable_mr_pipelines: + default: false + type: boolean ff_glas_enable_php_support: default: true type: boolean @@ -122,6 +125,10 @@ spec: - '**/application*.yaml' - '**/bootstrap*.yaml' +.pmd-apex-exist-rules: + exists: + - '**/*.cls' + gitlab-advanced-sast: extends: .sast-analyzer image: @@ -179,9 +186,23 @@ pmd-apex-sast: rules: - if: '"$[[ inputs.excluded_analyzers ]]" =~ /pmd-apex/' when: never + + # The following 3 blocks of rules define whether the job runs in a an *MR pipeline* or a *branch pipeline* + # when an MR exists. If the job has additional rules to observe they should be added in the blocks 1 and 3 + # to cover both the *MR pipeline* and the *branch pipeline* workflows. + + # 1. Run the job in an *MR* pipeline if MR pipelines for AST are enabled and there's an open merge request. + - if: '$[[ inputs.enable_mr_pipelines ]]" == "true" && + $CI_PIPELINE_SOURCE == "merge_request_event"' + exists: !reference [.pmd-apex-exist-rules, exists] + + # 2. Don't run the job in a *branch pipeline* if *MR pipelines* for AST are enabled and there's an open merge request. + - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" && + $CI_OPEN_MERGE_REQUESTS' + when: never + # 3. Finally, run the job in a *branch pipeline* (When MR pipelines are disabled for AST, or it is enabled but no open MRs exist for the branch). - if: $CI_COMMIT_BRANCH - exists: - - '**/*.cls' + exists: !reference [.pmd-apex-exist-rules, exists] security-code-scan-sast: extends: .sast-analyzer 
From 312da6bf5a8cb5ed1f674fbb9480a7094e3bca25 Mon Sep 17 00:00:00 2001 From: Melissa Beldman Date: Tue, 3 Jun 2025 16:52:05 +0000 Subject: [PATCH 2/8] Update file sast.yml --- templates/sast.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/sast.yml b/templates/sast.yml index 850aeb0..d937e76 100644 --- a/templates/sast.yml +++ b/templates/sast.yml @@ -192,7 +192,7 @@ pmd-apex-sast: # to cover both the *MR pipeline* and the *branch pipeline* workflows. # 1. Run the job in an *MR* pipeline if MR pipelines for AST are enabled and there's an open merge request. - - if: '$[[ inputs.enable_mr_pipelines ]]" == "true" && + - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" && $CI_PIPELINE_SOURCE == "merge_request_event"' exists: !reference [.pmd-apex-exist-rules, exists] From 843eb131404f4bd479f7ac5d96a5960ba198fd66 Mon Sep 17 00:00:00 2001 From: Melissa Beldman Date: Tue, 3 Jun 2025 19:56:36 +0000 Subject: [PATCH 3/8] Update file sast.yml --- templates/sast.yml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/templates/sast.yml b/templates/sast.yml index d937e76..c13cda9 100644 --- a/templates/sast.yml +++ b/templates/sast.yml @@ -21,12 +21,15 @@ spec: type: boolean include_experimental: default: 'false' - enable_mr_pipelines: - default: false - type: boolean ff_glas_enable_php_support: default: true type: boolean + use_precompiled_artifacts: + default: false + type: boolean + sast_dependencies: + default: [] + type: array --- .sast-analyzer: stage: $[[ inputs.stage ]] @@ -38,7 +41,9 @@ spec: SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]] DEFAULT_SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]] SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS" - script: + COMPILE: $[[ inputs.use_precompiled_artifacts ]] + dependencies: $[[ inputs.spotbugs_dependencies ]] + script: - /analyzer run artifacts: access: 'developer' From 0cee4e10b38db2d410e0780c61fee6d94b766b0b Mon Sep 17 00:00:00 2001 
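Review bot: `COMPILE: $[[ inputs.use_precompiled_artifacts ]]` in the `.sast-analyzer` variables looks inverted: the input is, by its name (and by the description a later patch in this series gives it), true when the consumer supplies pre-built artifacts, whereas `COMPILE`, if it keeps its usual spotbugs meaning of "true = the analyzer compiles the project itself", is true in exactly the opposite case, so a consumer passing `use_precompiled_artifacts: true` would trigger a compile step and the default `false` would switch off compilation that presumably ran before this key existed. Either invert it at the interpolation point (`COMPILE: $[[ inputs.use_precompiled_artifacts ]]` cannot be negated inline, so a `compile` input with the analyzer's own polarity is the simpler fix) or state in the input description that the value is passed through as `COMPILE` verbatim, and confirm the polarity against the analyzer before merging. Note that because the variable lives on `.sast-analyzer`, every analyzer job that `extends: .sast-analyzer` inherits it, not only the Java one.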
From: Melissa Beldman Date: Tue, 3 Jun 2025 20:00:16 +0000 Subject: [PATCH 4/8] Update file sast.yml --- templates/sast.yml | 24 +++--------------------- 1 file changed, 3 insertions(+), 21 deletions(-) diff --git a/templates/sast.yml b/templates/sast.yml index c13cda9..8dc5437 100644 --- a/templates/sast.yml +++ b/templates/sast.yml @@ -43,7 +43,7 @@ spec: SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS" COMPILE: $[[ inputs.use_precompiled_artifacts ]] dependencies: $[[ inputs.spotbugs_dependencies ]] - script: + script: - /analyzer run artifacts: access: 'developer' @@ -130,10 +130,6 @@ spec: - '**/application*.yaml' - '**/bootstrap*.yaml' -.pmd-apex-exist-rules: - exists: - - '**/*.cls' - gitlab-advanced-sast: extends: .sast-analyzer image: @@ -191,23 +187,9 @@ pmd-apex-sast: rules: - if: '"$[[ inputs.excluded_analyzers ]]" =~ /pmd-apex/' when: never - - # The following 3 blocks of rules define whether the job runs in a an *MR pipeline* or a *branch pipeline* - # when an MR exists. If the job has additional rules to observe they should be added in the blocks 1 and 3 - # to cover both the *MR pipeline* and the *branch pipeline* workflows. - - # 1. Run the job in an *MR* pipeline if MR pipelines for AST are enabled and there's an open merge request. - - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" && - $CI_PIPELINE_SOURCE == "merge_request_event"' - exists: !reference [.pmd-apex-exist-rules, exists] - - # 2. Don't run the job in a *branch pipeline* if *MR pipelines* for AST are enabled and there's an open merge request. - - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" && - $CI_OPEN_MERGE_REQUESTS' - when: never - # 3. Finally, run the job in a *branch pipeline* (When MR pipelines are disabled for AST, or it is enabled but no open MRs exist for the branch). - if: $CI_COMMIT_BRANCH - exists: !reference [.pmd-apex-exist-rules, exists] + exists: + - '**/*.cls' security-code-scan-sast: extends: .sast-analyzer 
From b9268c4f7cd0f249eda92a9d0a72bee2a99430ee Mon Sep 17 00:00:00 2001 From: Melissa Beldman Date: Tue, 3 Jun 2025 20:00:48 +0000 Subject: [PATCH 5/8] Update file sast.yml --- templates/sast.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/sast.yml b/templates/sast.yml index 8dc5437..9d0c593 100644 --- a/templates/sast.yml +++ b/templates/sast.yml @@ -42,7 +42,7 @@ spec: DEFAULT_SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]] SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS" COMPILE: $[[ inputs.use_precompiled_artifacts ]] - dependencies: $[[ inputs.spotbugs_dependencies ]] + dependencies: $[[ inputs.sast_dependencies ]] script: - /analyzer run artifacts: From 0e94e97004ea10e211c705f5c531e2344f7c7af4 Mon Sep 17 00:00:00 2001 From: Melissa Beldman Date: Tue, 3 Jun 2025 20:23:29 +0000 Subject: [PATCH 6/8] Update file sast.yml --- templates/sast.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/templates/sast.yml b/templates/sast.yml index 9d0c593..1ce1a90 100644 --- a/templates/sast.yml +++ b/templates/sast.yml @@ -149,6 +149,9 @@ gitlab-advanced-sast: when: never - if: '"$[[ inputs.run_advanced_sast ]]" != "true"' when: never + - if: $CI_PIPELINE_SOURCE == "merge_request_event" && + $GITLAB_FEATURES =~ /\bsast_advanced\b/ + exists: !reference [.gitlab-advanced-sast-exist-rules, exists] - if: $CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bsast_advanced\b/ exists: !reference [.gitlab-advanced-sast-exist-rules, exists] @@ -166,6 +169,7 @@ kubesec-sast: rules: - if: '"$[[ inputs.excluded_analyzers ]]" =~ /kubesec/' when: never + - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && "$[[ inputs.run_kubesec_sast ]]" == "true"' - if: '$CI_COMMIT_BRANCH && "$[[ inputs.run_kubesec_sast ]]" == "true"' mobsf-android-sast: 
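Review bot: The new `$CI_PIPELINE_SOURCE == "merge_request_event"` rule in `gitlab-advanced-sast` (and the matching one in `kubesec-sast` below) is added while the existing `$CI_COMMIT_BRANCH` rule is kept unchanged, so a push to a branch that has an open merge request will schedule the same analyzer twice on the same commit — once in the branch pipeline and once in the MR pipeline — unless the consuming project's `workflow:rules` already suppress one of them. The `enable_mr_pipelines` opt-in and the `$CI_OPEN_MERGE_REQUESTS`/`when: never` guard that patch 1 of this series introduced were dropped in patch 4, so this also turns MR-pipeline execution on unconditionally for every consumer of the component rather than behind an input. If duplicate runs are not intended, add the guard ahead of the branch rule: `- if: $CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS && $CI_PIPELINE_SOURCE == "push"` / `when: never`. The `gitlab-advanced-sast` rules block begins above this hunk.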
@@ -233,7 +237,9 @@ semgrep-sast: "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ && "$[[ inputs.run_advanced_sast ]]" == "true"' when: never - # Default case - run for all supported files + - if: $CI_PIPELINE_SOURCE == "merge_request_event" + exists: !reference [.semgrep-exist-rules, exists] + # Default case - run for all supported files - if: $CI_COMMIT_BRANCH exists: !reference [.semgrep-exist-rules, exists] @@ -259,6 +265,7 @@ spotbugs-sast: exists: - '**/AndroidManifest.xml' when: never + - if: $CI_PIPELINE_SOURCE == "merge_request_event" - if: $CI_COMMIT_BRANCH exists: - '**/*.groovy' From d5a228428c0f218b8e5491a0efa4208a9877dbe3 Mon Sep 17 00:00:00 2001 From: Melissa Beldman Date: Tue, 3 Jun 2025 20:29:51 +0000 Subject: [PATCH 7/8] Update file sast.yml --- templates/sast.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/templates/sast.yml b/templates/sast.yml index 1ce1a90..b06ebc2 100644 --- a/templates/sast.yml +++ b/templates/sast.yml @@ -25,14 +25,21 @@ spec: default: true type: boolean use_precompiled_artifacts: + description: Identifies whether pre-compiled artifacts will be provided or if compilation is required. default: false type: boolean sast_dependencies: + description: The dependant jobs to wait for before running SAST jobs. + default: [] + type: array + runner_tags: + description: The tags to apply to SAST jobs so they can be picked up by an appropriate GitLab runner default: [] type: array --- .sast-analyzer: stage: $[[ inputs.stage ]] + tags: $[[ inputs.runner_tags ]] allow_failure: true # these variables are used by the analyzer # TODO: propagate inputs when breaking down into separate components From cc19beb6b6accc70093cea35021aafbf21ed30cf Mon Sep 17 00:00:00 2001 From: Melissa Beldman Date: Tue, 3 Jun 2025 20:42:53 +0000 Subject: [PATCH 8/8] Update file sast.yml --- templates/sast.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/templates/sast.yml b/templates/sast.yml index b06ebc2..01786b5 100644 
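Review bot: The `spotbugs-sast` MR rule `- if: $CI_PIPELINE_SOURCE == "merge_request_event"` carries no `exists:` clause, unlike the `$CI_COMMIT_BRANCH` rule directly beneath it (gated on `**/*.groovy` and the rest of a list that continues past the hunk), so in MR pipelines the job is scheduled for every merge request in the project regardless of whether any file spotbugs can analyse is present. The `semgrep-sast` and `gitlab-advanced-sast` hunks in this same patch get this right by attaching `exists: !reference [.<job>-exist-rules, exists]` to the MR rule; the same shape is needed here, e.g. hoist the branch rule's list into a `.spotbugs-exist-rules` anchor and reference it from both rules so the two cannot drift apart again.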
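Review bot: The description added for `sast_dependencies` ("The dependant jobs to wait for before running SAST jobs") misstates what the value does: it is interpolated into `dependencies:` on `.sast-analyzer`, which in GitLab CI only selects which earlier jobs' artifacts are downloaded into the SAST job — ordering is still governed by `stage`/`needs`, and naming a job that is absent from the pipeline fails the pipeline. The default of `[]` is also a behaviour change worth spelling out, since an explicit empty list disables artifact download entirely whereas the previous template, with the key absent, downloaded artifacts from all earlier-stage jobs; suggest `description: Earlier-stage jobs whose artifacts are downloaded into the SAST jobs (e.g. a build job when use_precompiled_artifacts is true); the default [] downloads no artifacts.` The `runner_tags` description deserves a caveat too, because with compilation enabled the SAST job presumably runs the repository's own build tooling on whichever runner the tags select, so consumers should not route it to runners that carry privileged credentials.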
--- a/templates/sast.yml +++ b/templates/sast.yml @@ -36,6 +36,10 @@ spec: description: The tags to apply to SAST jobs so they can be picked up by an appropriate GitLab runner default: [] type: array + sast_java_version: + description: The Java version used by the SAST analyzer + default: 21 + type: integer --- .sast-analyzer: stage: $[[ inputs.stage ]] @@ -49,6 +53,7 @@ spec: DEFAULT_SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]] SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS" COMPILE: $[[ inputs.use_precompiled_artifacts ]] + SAST_JAVA_VERSION: $[[ inputs.sast_java_version | expand_vars ]] dependencies: $[[ inputs.sast_dependencies ]] script: - /analyzer run
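Review bot: `sast_java_version` is declared `type: integer` yet interpolated with `| expand_vars`; as far as I can tell an integer input cannot carry a `$VARIABLE` reference, so the filter is inert here and, depending on the GitLab version's input validation, may be rejected outright — either drop `expand_vars` or declare the input `type: string` so consumers can pass `$JAVA_VERSION` from project settings. Because `SAST_JAVA_VERSION` is set on `.sast-analyzer`, every job that extends it inherits the value, not only the Java-oriented spotbugs job that (going by the variable's name) actually reads it, and the hard default of `21` now overrides whatever default the pinned analyzer image had; worth confirming that the spotbugs image in use ships a JDK 21 toolchain before this becomes the default for all consumers. The description should also name the consumer, e.g. `description: Java version passed to the spotbugs analyzer as SAST_JAVA_VERSION`.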