Fix rules for MR pipelines

templates/sast.yml

@@ -207,6 +207,10 @@ nodejs-scan-sast:
 phpcs-security-audit-sast:
   extends: .deprecated-16.8
 
+.pmd-apex-exist-rules:
+  exists:
+    - '**/*.cls'
+
 pmd-apex-sast:
   extends: .sast-analyzer
   image:
@@ -214,9 +218,23 @@ pmd-apex-sast:
   rules:
     - if: '"$[[ inputs.excluded_analyzers ]]" =~ /pmd-apex/'
       when: never
+
+    # The following 3 blocks of rules define whether the job runs in a an *MR pipeline* or a *branch pipeline*
+    # when an MR exists. If the job has additional rules to observe they should be added in the blocks 1 and 3
+    # to cover both the *MR pipeline* and the *branch pipeline* workflows.
+
+    # 1. Run the job in an *MR* pipeline if MR pipelines for AST are enabled and there's an open merge request.
+    - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" &&
+          $CI_PIPELINE_SOURCE == "merge_request_event"'
+      exists: !reference [.pmd-apex-exist-rules, exists]
+    # 2. Don't run the job in a *branch pipeline* if *MR pipelines* for AST are enabled and there's an open merge request.
+    - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" &&
+          $CI_OPEN_MERGE_REQUESTS'
+      when: never
+    # 3. Finally, run the job in a *branch pipeline* (When MR pipelines are disabled for AST, or it is enabled but no open MRs exist for the branch).
     - if: $CI_COMMIT_BRANCH
-      exists:
+      exists: !reference [.pmd-apex-exist-rules, exists]
-        - '**/*.cls'
+
 
 security-code-scan-sast:
   extends: .sast-analyzer
@@ -236,6 +254,49 @@ semgrep-sast:
   rules:
     - if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/'
       when: never
+
+    # The following 3 blocks of rules define whether the job runs in a an *MR pipeline* or a *branch pipeline*
+    # when an MR exists. If the job has additional rules to observe they should be added in the blocks 1 and 3
+    # to cover both the *MR pipeline* and the *branch pipeline* workflows.
+
+    # 1. Run the job in an *MR* pipeline if MR pipelines for AST are enabled and there's an open merge request.
+    # When gitlab-advanced-sast runs with PHP support enabled, exclude the `*.php` extension, as well as other files already scanned by gitlab-advanced-sast
+    - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" &&
+          $CI_PIPELINE_SOURCE == "merge_request_event" &&
+          $GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
+          "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
+          "$[[ inputs.run_advanced_sast ]]" == "true" &&
+          "$[[ inputs.ff_glas_enable_php_support ]]" == "true"'
+      variables:
+        SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb, **/*.php"
+      exists: !reference [.semgrep-with-advanced-sast-exist-rules, exists]
+    # When gitlab-advanced-sast runs but PHP support is disabled, exclude files already scanned by gitlab-advanced-sast
+    - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" &&
+          $CI_PIPELINE_SOURCE == "merge_request_event" &&
+          $GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
+          "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
+          "$[[ inputs.run_advanced_sast ]]" == "true" &&
+          "$[[ inputs.ff_glas_enable_php_support ]]" != "true"' #TODO: Shouldnt this be disabled?
+      variables:
+        SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb"
+      exists: !reference [.semgrep-with-advanced-sast-exist-rules, exists]
+    # Fallback when advanced SAST covers everything
+    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" &&
+          $GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
+          "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
+          "$[[ inputs.run_advanced_sast ]]" == "true"'
+      when: never
+    # Default case - run for all supported files
+    - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" &&
+          $CI_PIPELINE_SOURCE == "merge_request_event"'
+      exists: !reference [.semgrep-exist-rules, exists]
+
+    # 2. Don't run the job in a *branch pipeline* if *MR pipelines* for AST are enabled and there's an open merge request.
+    - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" &&
+          $CI_OPEN_MERGE_REQUESTS'
+      when: never
+
+    # 3. Finally, run the job in a *branch pipeline* (When MR pipelines are disabled for AST, or it is enabled but no open MRs exist for the branch).
     # When gitlab-advanced-sast runs with PHP support enabled, exclude the `*.php` extension, as well as other files already scanned by gitlab-advanced-sast
     - if: '$CI_COMMIT_BRANCH &&
           $GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
@@ -264,6 +325,10 @@ semgrep-sast:
     - if: $CI_COMMIT_BRANCH
       exists: !reference [.semgrep-exist-rules, exists]
 
+.sobelow-exist-rules:
+  exists:
+    - '**/mix.exs'
+
 sobelow-sast:
   extends: .sast-analyzer
   image:
@@ -271,9 +336,27 @@ sobelow-sast:
   rules:
     - if: '"$[[ inputs.excluded_analyzers ]]" =~ /sobelow/'
       when: never
+
+    # The following 3 blocks of rules define whether the job runs in a an *MR pipeline* or a *branch pipeline*
+    # when an MR exists. If the job has additional rules to observe they should be added in the blocks 1 and 3
+    # to cover both the *MR pipeline* and the *branch pipeline* workflows.
+
+    # 1. Run the job in an *MR* pipeline if MR pipelines for AST are enabled and there's an open merge request.
+    - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" &&
+          $CI_PIPELINE_SOURCE == "merge_request_event"'
+      exists: !reference [.sobelow-exist-rules, exists]
+    # 2. Don't run the job in a *branch pipeline* if *MR pipelines* for AST are enabled and there's an open merge request.
+    - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" &&
+          $CI_OPEN_MERGE_REQUESTS'
+      when: never
+    # 3. Finally, run the job in a *branch pipeline* (When MR pipelines are disabled for AST, or it is enabled but no open MRs exist for the branch).
     - if: $CI_COMMIT_BRANCH
-      exists:
+      exists: !reference [.sobelow-exist-rules, exists]
-        - '**/mix.exs'
+
+
+.spotbugs-exist-rules:
+  exists:
+    - '**/*.groovy'
 
 spotbugs-sast:
   extends: .sast-analyzer
@@ -285,7 +368,20 @@ spotbugs-sast:
     - if: '"$[[ inputs.include_experimental ]]" == "true"'
       exists:
         - '**/AndroidManifest.xml'
+      when: never # TODO: Should this be never?
+
+    # The following 3 blocks of rules define whether the job runs in a an *MR pipeline* or a *branch pipeline*
+    # when an MR exists. If the job has additional rules to observe they should be added in the blocks 1 and 3
+    # to cover both the *MR pipeline* and the *branch pipeline* workflows.
+
+    # 1. Run the job in an *MR* pipeline if MR pipelines for AST are enabled and there's an open merge request.
+    - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" &&
+          $CI_PIPELINE_SOURCE == "merge_request_event"'
+      exists: !reference [.spotbugs-exist-rules, exists]
+    # 2. Don't run the job in a *branch pipeline* if *MR pipelines* for AST are enabled and there's an open merge request.
+    - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" &&
+          $CI_OPEN_MERGE_REQUESTS'
       when: never
+    # 3. Finally, run the job in a *branch pipeline* (When MR pipelines are disabled for AST, or it is enabled but no open MRs exist for the branch).
     - if: $CI_COMMIT_BRANCH
-      exists:
+      exists: !reference [.spotbugs-exist-rules, exists]
-        - '**/*.groovy'