Secure SAST QA tests should work with SAST_EXCLUDED_PATHS

Description

The fix for #222789 (comment 364162752) was to unset SAST_EXCLUDED_PATHS. The QA test projects for both bandit and spotbugs should instead work with the default value of SAST_EXCLUDED_PATHS.

Proposal

Add vulnerabilities to be found in the downstream QA projects. All current vulnerabilities are excluded. We should make sure that we have vulnerabilities both excluded and included so that both sides of SAST_EXCLUDED_PATHS are tested.

Tasks

• Remove explicit value set for SAST_EXCLUDED_PATHS in https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs/-/blob/master/.gitlab-ci.yml
• Remove explicit value set for SAST_EXCLUDED_PATHS in https://gitlab.com/gitlab-org/security-products/analyzers/bandit/-/blob/master/.gitlab-ci.yml (once gitlab-org/security-products/analyzers/bandit!34 (merged) is merged)
• Update QA test projects to have vulnerabilities that aren't excluded and remove SAST_EXCLUDED_PATHS override from test .gitlab-ci.yml files:
  • Integration tests in spotbugs
  • https://gitlab.com/gitlab-org/security-products/tests/java-maven
  • https://gitlab.com/gitlab-org/security-products/tests/java-maven-multimodules
  • https://gitlab.com/gitlab-org/security-products/tests/java-gradle
  • https://gitlab.com/gitlab-org/security-products/tests/java-maven branch: maven-cli-opts-skip-tests-FREEZE
  • https://gitlab.com/gitlab-org/security-products/tests/java-groovy
  • Integration tests in bandit
  • https://gitlab.com/gitlab-org/security-products/tests/python-pip
  • https://gitlab.com/gitlab-org/security-products/tests/python-pipenv
• Update https://gitlab.com/gitlab-org/security-products/tests/scala-sbt to have examples that should be excluded.

Related Issues

• #222789 (comment 364162752)