Test DS_EXCLUDED_PATHS environment variable for Dependency Scanning
Problem to solve
Dependency Scanning can be configured with several environment variables and they are not all tested yet. The purpose of this issue is to add tests for the DS_EXCLUDED_PATHS variable to the dependency scanning projects.
Intended users
group::composition analysis backend team member
Further details
Proposal
Old proposal:
Create a dedicated gitlab-org/security-products/tests/dependency-scanning test project (it might slightly deviate from the guideline) and create several branches and scheduled pipelines to test environment variables.
E.g. !22172 (comment 263831062)
If you think better approaches are available, please feel free to experiment.
Variables to test:
- SECURE_ANALYZERS_PREFIX
- DS_EXCLUDED_PATHS
- SECURE_LOG_LEVEL
Variables to skip:
- DS_DISABLE_DIND: this will be removed in %13.4
- ADDITIONAL_CA_CERT_BUNDLE: already tested specifically with https://gitlab.com/gitlab-org/security-products/tests/custom-ca
Add a test for DS_EXCLUDED_PATHS to the following analyzers:
The test should be based on one of the existing QA tests and should configure the DS_EXCLUDED_PATHS variable to point to the lockfile used in that QA test, then ensure that, with this file excluded, the vulnerability list in the resulting gl-dependency-scanning-report.json is empty.
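A post-scan check for such a QA test, written here as an added example rather than code from the test projects or analyzers: it parses a (constructed) gl-dependency-scanning-report.json, reports whether any remaining finding sits under an excluded path, and applies the issue's acceptance rule that the vulnerability list must be empty. The path-matching rule (file itself, any parent directory, or a glob) is an assumption standing in for the analyzers' real DS_EXCLUDED_PATHS handling.

```python
"""Check a Dependency Scanning report against a DS_EXCLUDED_PATHS setting (added example)."""
import fnmatch
import json
from pathlib import PurePosixPath

# Constructed sample reports in the gl-dependency-scanning-report.json shape.
# BASELINE is what the unmodified QA test produces; EXCLUDED is the expected
# output once the lockfile is listed in DS_EXCLUDED_PATHS.
REPORT_BASELINE = json.loads("""
{"version": "2.3", "vulnerabilities": [
  {"id": "constructed-0001", "category": "dependency_scanning",
   "name": "Sample finding in a Ruby dependency", "severity": "High",
   "location": {"file": "Gemfile.lock",
                "dependency": {"package": {"name": "example-gem"}, "version": "1.0.0"}}}
], "dependency_files": []}
""")
REPORT_EXCLUDED = json.loads('{"version": "2.3", "vulnerabilities": [], "dependency_files": []}')


def parse_excluded_paths(value: str) -> list[str]:
    """Split the comma-separated DS_EXCLUDED_PATHS value, dropping blanks and slashes."""
    return [p.strip().strip("/") for p in value.split(",") if p.strip()]


def is_excluded(file_path: str, patterns: list[str]) -> bool:
    """Assumed rule: a pattern matches the file, any of its parent directories, or as a glob."""
    path = PurePosixPath(file_path.strip("/"))
    candidates = [str(path)] + [str(p) for p in path.parents if str(p) != "."]
    return any(fnmatch.fnmatchcase(c, pat) for c in candidates for pat in patterns)


def check_report(report: dict, excluded: str) -> dict:
    """Summarise findings: total count and those that should have been excluded but leaked."""
    patterns = parse_excluded_paths(excluded)
    vulns = report.get("vulnerabilities", [])
    leaked = [v for v in vulns if is_excluded(v.get("location", {}).get("file", ""), patterns)]
    return {
        "total": len(vulns),
        "leaked": len(leaked),
        "leaked_files": sorted({v["location"]["file"] for v in leaked}),
    }


def qa_test_passes(report: dict, excluded: str) -> bool:
    """The issue's acceptance rule: with the lockfile excluded, the report lists no vulnerabilities."""
    return check_report(report, excluded)["total"] == 0


if __name__ == "__main__":
    print(check_report(REPORT_BASELINE, "Gemfile.lock"))
    print("passes:", qa_test_passes(REPORT_EXCLUDED, "Gemfile.lock"))
```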
Permissions and Security
Documentation
Testing
As part of the fix/rewrite of the Dependency Scanning end-to-end test, and as part of increasing test coverage with test projects, the SET (Software Engineer in Test) should look to improve test coverage of environment variables.
What does success look like, and how can we measure that?
Testing coverage for Dependency Scanning configurations is increased (ideally 100%).