Merge branch 'mweston4-main-patch-1618' into 'main'

Allow Use of Pre-Compilation with SpotBugs Analyzer

See merge request components/sast!28

templates/sast.yml

@@ -24,9 +24,26 @@ spec:
     ff_glas_enable_php_support:
       default: true
       type: boolean
+    use_precompiled_artifacts:
+      description: Identifies whether pre-compiled artifacts will be provided or if compilation is required.
+      default: false
+      type: boolean
+    sast_dependencies:
+      description: The dependant jobs to wait for before running SAST jobs.
+      default: []
+      type: array
+    runner_tags:
+      description: The tags to apply to SAST jobs so they can be picked up by an appropriate GitLab runner
+      default: []
+      type: array
+    sast_java_version:
+      description: The Java version used by the SAST analyzer
+      default: 21
+      type: integer
 ---
 .sast-analyzer:
   stage: $[[ inputs.stage ]]
+  tags: $[[ inputs.runner_tags ]]
   allow_failure: true
   # these variables are used by the analyzer
   # TODO: propagate inputs when breaking down into separate components
@@ -35,6 +52,9 @@ spec:
     SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]]
     DEFAULT_SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]]
     SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS"
+    COMPILE: $[[ inputs.use_precompiled_artifacts ]]
+    SAST_JAVA_VERSION: $[[ inputs.sast_java_version | expand_vars ]]
+  dependencies: $[[ inputs.sast_dependencies ]]
   script:
     - /analyzer run
   artifacts:
@@ -141,6 +161,9 @@ gitlab-advanced-sast:
       when: never
     - if: '"$[[ inputs.run_advanced_sast ]]" != "true"'
       when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event" &&
+          $GITLAB_FEATURES =~ /\bsast_advanced\b/
+      exists: !reference [.gitlab-advanced-sast-exist-rules, exists]
     - if: $CI_COMMIT_BRANCH &&
           $GITLAB_FEATURES =~ /\bsast_advanced\b/
       exists: !reference [.gitlab-advanced-sast-exist-rules, exists]
@@ -158,6 +181,7 @@ kubesec-sast:
   rules:
     - if: '"$[[ inputs.excluded_analyzers ]]" =~ /kubesec/'
       when: never
+    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && "$[[ inputs.run_kubesec_sast ]]" == "true"'
     - if: '$CI_COMMIT_BRANCH && "$[[ inputs.run_kubesec_sast ]]" == "true"'
 
 mobsf-android-sast:
@@ -225,7 +249,9 @@ semgrep-sast:
           "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
           "$[[ inputs.run_advanced_sast ]]" == "true"'
       when: never
-    # Default case - run for all supported files
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+      exists: !reference [.semgrep-exist-rules, exists]
+      # Default case - run for all supported files
     - if: $CI_COMMIT_BRANCH
       exists: !reference [.semgrep-exist-rules, exists]
 
@@ -251,6 +277,7 @@ spotbugs-sast:
       exists:
         - '**/AndroidManifest.xml'
       when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
     - if: $CI_COMMIT_BRANCH
       exists:
         - '**/*.groovy'