Secure SAST QA tests should work with SAST_EXCLUDED_PATHS
Description
The fix for #222789 (comment 364162752) was to unset SAST_EXCLUDED_PATHS. The QA test projects for both bandit and spotbugs should instead work with the default value of SAST_EXCLUDED_PATHS.
Proposal
Add vulnerabilities to be found in the downstream QA projects. All of the vulnerabilities currently in those projects sit under paths that the default SAST_EXCLUDED_PATHS excludes, so the exclusion is never exercised against a real finding. We should make sure that each project has vulnerabilities both under excluded paths and under non-excluded paths, so that both sides of SAST_EXCLUDED_PATHS are tested: findings that must be dropped and findings that must survive.
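As an added example (not part of this issue, and not code from the bandit or spotbugs analyzers), the following Python check partitions the findings of a SAST report by the SAST_EXCLUDED_PATHS patterns and confirms that a QA fixture produces findings on both sides of the filter. The path-matching model is an assumption: each pattern is tried with fnmatch against the finding's file path and against each of its parent directories, which approximates the documented behaviour (globs or folder paths, parent directories also match) but not the analyzers' exact doublestar semantics. The report data and file names are constructed for the example.

```python
"""Check that a SAST QA fixture exercises both sides of SAST_EXCLUDED_PATHS.

Added example; not code from the issue or from the GitLab analyzers.
"""
import fnmatch
import posixpath

# Default value of SAST_EXCLUDED_PATHS in GitLab's SAST CI template.
DEFAULT_EXCLUDED_PATHS = "spec, test, tests, tmp"

# Constructed sample, loosely shaped like the "vulnerabilities" array of a
# gl-sast-report.json; only the fields this check reads are included.
SAMPLE_REPORT = {
    "vulnerabilities": [
        {"id": "1", "name": "subprocess call with shell=True",
         "location": {"file": "src/app.py", "start_line": 12}},
        {"id": "2", "name": "subprocess call with shell=True",
         "location": {"file": "tests/test_app.py", "start_line": 7}},
        {"id": "3", "name": "use of exec",
         "location": {"file": "tmp/scratch.py", "start_line": 3}},
        {"id": "4", "name": "hardcoded password string",
         "location": {"file": "test_helper.py", "start_line": 1}},
    ]
}


def parse_excluded_paths(value):
    """Split the comma-separated variable into trimmed, non-empty patterns.

    An empty string (the variable unset, or overridden to "") yields no
    patterns, so nothing is excluded and the exclusion path is never tested.
    """
    return [p.strip() for p in value.split(",") if p.strip()]


def is_excluded(path, patterns):
    """Return True if the file path, or any parent directory of it, matches a pattern.

    Assumed simplified model: each pattern is matched with fnmatch against the
    normalised path and against each ancestor directory, so a bare folder name
    such as "tests" excludes everything beneath tests/ but not a file such as
    test_helper.py at the project root.  fnmatch's "*" also crosses "/", unlike
    the doublestar globs the analyzers use, so treat this as illustrative.
    """
    norm = posixpath.normpath(path)
    candidates = [norm]
    parent = posixpath.dirname(norm)
    while parent and parent not in ("/", "."):
        candidates.append(parent)
        parent = posixpath.dirname(parent)
    return any(fnmatch.fnmatch(c, pat) for c in candidates for pat in patterns)


def partition_findings(report, patterns):
    """Split a report's findings into (kept, excluded) by their location.file."""
    kept, excluded = [], []
    for finding in report["vulnerabilities"]:
        target = excluded if is_excluded(finding["location"]["file"], patterns) else kept
        target.append(finding)
    return kept, excluded


def covers_both_sides(report, excluded_paths=DEFAULT_EXCLUDED_PATHS):
    """A QA fixture is only useful if at least one finding lands on each side."""
    kept, excluded = partition_findings(report, parse_excluded_paths(excluded_paths))
    return bool(kept) and bool(excluded)


if __name__ == "__main__":
    # With the default value both sides are exercised; with the variable
    # unset (the earlier fix) nothing is excluded and the check fails.
    for value in (DEFAULT_EXCLUDED_PATHS, ""):
        kept, excluded = partition_findings(SAMPLE_REPORT, parse_excluded_paths(value))
        print(f"SAST_EXCLUDED_PATHS={value!r}: "
              f"kept={[f['location']['file'] for f in kept]} "
              f"excluded={[f['location']['file'] for f in excluded]} "
              f"both sides covered={covers_both_sides(SAMPLE_REPORT, value)}")
```

Run against a real gl-sast-report.json produced by the analyzer with the exclusion disabled, the same check tells you whether a QA project actually contains findings under both excluded and non-excluded paths before you rely on it to test the default value.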
Tasks
- Remove explicit value set for SAST_EXCLUDED_PATHS in https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs/-/blob/master/.gitlab-ci.yml
- Remove explicit value set for SAST_EXCLUDED_PATHS in https://gitlab.com/gitlab-org/security-products/analyzers/bandit/-/blob/master/.gitlab-ci.yml (once gitlab-org/security-products/analyzers/bandit!34 (merged) is merged)
- Update QA test projects to have vulnerabilities that aren't excluded and remove the SAST_EXCLUDED_PATHS override from test .gitlab-ci.yml files:
  - Integration tests in spotbugs
    - https://gitlab.com/gitlab-org/security-products/tests/java-maven
    - https://gitlab.com/gitlab-org/security-products/tests/java-maven-multimodules
    - https://gitlab.com/gitlab-org/security-products/tests/java-gradle
    - https://gitlab.com/gitlab-org/security-products/tests/java-maven branch: maven-cli-opts-skip-tests-FREEZE
    - https://gitlab.com/gitlab-org/security-products/tests/java-groovy
  - Integration tests in bandit
    - https://gitlab.com/gitlab-org/security-products/tests/python-pip
    - https://gitlab.com/gitlab-org/security-products/tests/python-pipenv
- Update https://gitlab.com/gitlab-org/security-products/tests/scala-sbt to have examples that should be excluded.
Related Issues
Edited by Lucas Charles