Test DS_EXCLUDED_PATHS environment variable for Dependency Scanning
Problem to solve
Dependency Scanning can be configured with several environment variables and they are not all tested yet. The purpose of this issue is to add tests for the DS_EXCLUDED_PATHS variable to the dependency scanning projects.
Intended users
Composition Analysis group backend team member
Further details
Proposal
Old proposal:
Create a dedicated gitlab-org/security-products/tests/dependency-scanning test project (it might slightly deviate from the guideline) and create several branches and scheduled pipelines to test environment variables.
E.g. !22172 (comment 263831062)
If you think better approaches are available, please feel free to experiment.
Variables to test:
- SECURE_ANALYZERS_PREFIX
- DS_EXCLUDED_PATHS
- SECURE_LOG_LEVEL
Variables to skip:
- DS_DISABLE_DIND: this will be removed in %13.4
- ADDITIONAL_CA_CERT_BUNDLE: already tested specifically with https://gitlab.com/gitlab-org/security-products/tests/custom-ca
Add test for DS_EXCLUDED_PATHS to the following analyzers:
The test should be based on one of the existing QA tests and should set DS_EXCLUDED_PATHS to the lockfile that the QA test scans, then verify that, with this file excluded, the vulnerability list in the resulting gl-dependency-scanning-report.json is empty.
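A pipeline sketch for such a test project, added here as an illustration and not taken from any existing GitLab test project: the scan runs with the lockfile excluded, and a follow-up job fails if the report still lists any vulnerability. The lockfile name, the `verify` stage, the Alpine image and the use of jq are assumptions for the example.

```yaml
# Added example: a test-project pipeline for DS_EXCLUDED_PATHS.
# Assumes the QA test scans package-lock.json (hypothetical); the
# existing QA test without the exclusion serves as the baseline that
# is expected to report findings.
include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml

stages:
  - test     # stage used by the Dependency Scanning template jobs
  - verify   # assumed extra stage for the report check

variables:
  # Comma-separated paths to exclude from the scan; pointing this at
  # the only lockfile in the project should leave nothing to analyze.
  DS_EXCLUDED_PATHS: "package-lock.json"

verify_excluded_paths:
  stage: verify
  image: alpine:latest        # assumption: any image with a shell
  script:
    - apk add --no-cache jq
    # The report is an artifact of the scanning job in the test stage.
    - test -f gl-dependency-scanning-report.json
    # Fail the job unless the vulnerability list is empty.
    - count=$(jq '.vulnerabilities | length' gl-dependency-scanning-report.json)
    - echo "vulnerabilities reported with lockfile excluded: $count"
    - test "$count" -eq 0
```

Keeping the baseline QA test (same lockfile, no DS_EXCLUDED_PATHS) in the same project makes it clear that an empty report is caused by the exclusion and not by a scan that silently did nothing.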
Permissions and Security
Documentation
Testing
As part of the fix/rewrite of the Dependency Scanning end-to-end test, and as part of increasing test coverage with test projects, the SET should look to improve test coverage of environment variables.
What does success look like, and how can we measure that?
Testing coverage for Dependency Scanning configurations is increased (ideally 100%).