Technical Discovery | Reapproach how we test custom CA certificate bundles for Static Analysis analyzers
Description
#212700 (closed) shows that https://gitlab.com/gitlab-org/security-products/tests/custom-ca is not a good way to test custom CA certificate support: the test was passing for gosec even when custom CA support did not actually work.
Proposal
We should go back to the drawing board on how we test custom CA support.
Tasks
- How should we test custom CA support? | #218840 (comment 696890013)
- Which projects need network support? (🚫 == no net needed | 📡 == net needed)
  - 🚫 bandit | https://gitlab.com/dsearles/numpy/-/jobs/1650850723
  - 🚫 brakeman | https://gitlab.com/dsearles/rails/-/jobs/1648670109
  - 🚫 eslint | https://gitlab.com/dsearles/rails/-/jobs/1648670110
  - 🚫 flawfinder | https://gitlab.com/dsearles/numpy/-/jobs/1650850725
  - 📡 gosec | https://gitlab.com/dsearles/gitlab-runner/-/jobs/1648702796
  - 🚫 kubesec | https://gitlab.com/dsearles/kubernetes-examples/-/jobs/1650915050
  - 🚫 mobsf
  - 🚫 nodejs-scan | https://gitlab.com/dsearles/rails/-/jobs/1648670111
  - 🚫 phpcs-security-audit | https://gitlab.com/dsearles/CodeIgniter4/-/jobs/1651554894
  - 🚫 pmd-apex | https://gitlab.com/dsearles/apex-salesforce/-/jobs/1651596464
  - 🚫 secrets | https://gitlab.com/dsearles/secrets/-/jobs/1651607494
  - 📡 security-code-scan | https://gitlab.com/dsearles/dotnet5/-/jobs/1651683905
  - 🚫 semgrep | https://gitlab.com/dsearles/rails/-/jobs/1648670112
  - 🚫 sobelow | https://gitlab.com/dsearles/elixir-phoenix-realworld-example-app/-/jobs/1651739095
  - 📡 spotbugs | (see #218840 (comment 695595372))
- Create issues per analyzer to refactor custom CA tests. | Issues organized in &6850
- Create issue to remove or deprecate https://gitlab.com/gitlab-org/security-products/tests/custom-ca and https://gitlab.com/gitlab-org/security-products/tests/custom-ca-ssl-server once we no longer use them. | #342555 (closed)
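The negative control this issue is asking for, as an added example that is not GitLab's or any analyzer's own code: a local Go check that only counts as passing when the request succeeds with the custom bundle and fails with an unknown-authority error without it, so a broken CA path cannot slip through the way the gosec test did. The loopback httptest server and its self-signed certificate are a constructed stand-in for the custom CA; the function names are my own.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"net/http"
	"net/http/httptest"
)

// CAResult holds both controls of one custom-CA check. A check that also passes
// without the bundle proves nothing, which is how the gosec test above passed.
type CAResult struct {
	TrustedOK    bool  // request succeeded with the custom CA bundle
	UntrustedErr error // error without the bundle; must be an unknown-authority error
}

// Valid reports whether the check really exercised the bundle.
func (r CAResult) Valid() bool {
	var unknownCA x509.UnknownAuthorityError
	return r.TrustedOK && errors.As(r.UntrustedErr, &unknownCA)
}

// fetch performs a GET trusting only roots. The negative control passes an
// empty pool rather than nil so the system store cannot mask a missing bundle.
func fetch(url string, roots *x509.CertPool) error {
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}}
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// CheckCustomCA runs the positive and the negative control against an HTTPS URL
// whose certificate should chain to bundle.
func CheckCustomCA(url string, bundle *x509.CertPool) CAResult {
	return CAResult{TrustedOK: fetch(url, bundle) == nil, UntrustedErr: fetch(url, x509.NewCertPool())}
}

// NewSelfSignedServer starts a loopback HTTPS server on httptest's self-signed
// certificate (a constructed fixture) and returns a pool trusting only that
// certificate, standing in for the custom bundle an analyzer would be given.
func NewSelfSignedServer() (*httptest.Server, *x509.CertPool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Write([]byte("ok"))
	}))
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	return srv, pool
}
```

The same two-sided check can be pointed at the custom-ca-ssl-server fixture instead of the loopback server; the point is that a run without the bundle must fail for the run with it to mean anything.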
Related Issues
Edited by Daniel Paul Searles