Merge branch 'mweston4-main-patch-1618' into 'main'

Allow Use of Pre-Compilation with SpotBugs Analyzer See merge request components/sast!28
Update file sast.yml
2025-06-29 23:18:28 +02:00 · 2025-06-03 20:42:56 +00:00 · 2025-06-03 20:42:53 +00:00 · 2025-06-03 20:29:51 +00:00 · 2025-06-03 20:23:29 +00:00 · 2025-06-03 20:00:48 +00:00
1 changed files with 30 additions and 24 deletions
--- a/templates/sast.yml
+++ b/templates/sast.yml
@ -21,15 +21,29 @@ spec:
      type: boolean
    include_experimental:
      default: 'false'
-    enable_mr_pipelines:
-      default: false
-      type: boolean
    ff_glas_enable_php_support:
      default: true
      type: boolean
+    use_precompiled_artifacts:
+      description: Identifies whether pre-compiled artifacts will be provided or if compilation is required.
+      default: false
+      type: boolean
+    sast_dependencies:
+      description: The dependant jobs to wait for before running SAST jobs.
+      default: []
+      type: array
+    runner_tags:
+      description: The tags to apply to SAST jobs so they can be picked up by an appropriate GitLab runner
+      default: []
+      type: array
+    sast_java_version:
+      description: The Java version used by the SAST analyzer
+      default: 21
+      type: integer
 ---
 .sast-analyzer:
  stage: $[[ inputs.stage ]]
+  tags: $[[ inputs.runner_tags ]]
  allow_failure: true
  # these variables are used by the analyzer
  # TODO: propagate inputs when breaking down into separate components
@ -38,6 +52,9 @@ spec:
    SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]]
    DEFAULT_SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]]
    SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS"
+    COMPILE: $[[ inputs.use_precompiled_artifacts ]]
+    SAST_JAVA_VERSION: $[[ inputs.sast_java_version | expand_vars ]]
+  dependencies: $[[ inputs.sast_dependencies ]]
  script:
    - /analyzer run
  artifacts:
@ -125,10 +142,6 @@ spec:
    - '**/application*.yaml'
    - '**/bootstrap*.yaml'

-.pmd-apex-exist-rules:
-  exists:
-    - '**/*.cls'
-
 gitlab-advanced-sast:
  extends: .sast-analyzer
  image:
@ -148,6 +161,9 @@ gitlab-advanced-sast:
      when: never
    - if: '"$[[ inputs.run_advanced_sast ]]" != "true"'
      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event" &&
+          $GITLAB_FEATURES =~ /\bsast_advanced\b/
+      exists: !reference [.gitlab-advanced-sast-exist-rules, exists]
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bsast_advanced\b/
      exists: !reference [.gitlab-advanced-sast-exist-rules, exists]
@ -165,6 +181,7 @@ kubesec-sast:
  rules:
    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /kubesec/'
      when: never
+    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && "$[[ inputs.run_kubesec_sast ]]" == "true"'
    - if: '$CI_COMMIT_BRANCH && "$[[ inputs.run_kubesec_sast ]]" == "true"'

 mobsf-android-sast:
@ -186,23 +203,9 @@ pmd-apex-sast:
  rules:
    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /pmd-apex/'
      when: never
-    
-    # The following 3 blocks of rules define whether the job runs in a an *MR pipeline* or a *branch pipeline*
-    # when an MR exists. If the job has additional rules to observe they should be added in the blocks 1 and 3
-    # to cover both the *MR pipeline* and the *branch pipeline* workflows.
-
-    # 1. Run the job in an *MR* pipeline if MR pipelines for AST are enabled and there's an open merge request.
-    - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" &&
-          $CI_PIPELINE_SOURCE == "merge_request_event"'
-      exists: !reference [.pmd-apex-exist-rules, exists]
-
-   # 2. Don't run the job in a *branch pipeline* if *MR pipelines* for AST are enabled and there's an open merge request.
-    - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" &&
-          $CI_OPEN_MERGE_REQUESTS'
-      when: never
-    # 3. Finally, run the job in a *branch pipeline* (When MR pipelines are disabled for AST, or it is enabled but no open MRs exist for the branch).
    - if: $CI_COMMIT_BRANCH
-      exists: !reference [.pmd-apex-exist-rules, exists]
+      exists:
+        - '**/*.cls'

 security-code-scan-sast:
  extends: .sast-analyzer
@ -246,7 +249,9 @@ semgrep-sast:
          "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
          "$[[ inputs.run_advanced_sast ]]" == "true"'
      when: never
-    # Default case - run for all supported files
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+      exists: !reference [.semgrep-exist-rules, exists]
+      # Default case - run for all supported files
    - if: $CI_COMMIT_BRANCH
      exists: !reference [.semgrep-exist-rules, exists]

@ -272,6 +277,7 @@ spotbugs-sast:
      exists:
        - '**/AndroidManifest.xml'
      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH
      exists:
        - '**/*.groovy'
Author	SHA1	Message	Date
Melissa Beldman	9ac9ee74a0	Merge branch 'mweston4-main-patch-1618' into 'main' Allow Use of Pre-Compilation with SpotBugs Analyzer See merge request components/sast!28	2025-06-03 20:42:56 +00:00
Melissa Beldman	cc19beb6b6	Update file sast.yml	2025-06-03 20:42:53 +00:00
Melissa Beldman	d5a228428c	Update file sast.yml	2025-06-03 20:29:51 +00:00
Melissa Beldman	0e94e97004	Update file sast.yml	2025-06-03 20:23:29 +00:00
Melissa Beldman	b9268c4f7c	Update file sast.yml	2025-06-03 20:00:48 +00:00
Melissa Beldman	0cee4e10b3	Update file sast.yml	2025-06-03 20:00:16 +00:00
Melissa Beldman	843eb13140	Update file sast.yml	2025-06-03 19:56:36 +00:00