Move Secure test QA expectations from test projects to analyzers

Problem to solve

As discussed in #33724 (comment 314481785), we currently have a circular dependency: our devopssecure analyzers require updates, yet their pipelines depend on a strict QA comparison against downstream test projects whose expected reports are maintained separately. To quote @fcatteau from the above comment:

To recap, I see two ways we can ease the pain:

A. change the CI configuration shared by the analyzer projects so that an MR isn't blocked when the generated report doesn't match the expected one, while still making sure the change is properly reviewed
B. move the expected reports to the analyzer projects, so that they are updated and reviewed in the MR where the behavior of the analyzer project is changed

A would be a smaller step for the Dependency Scanning projects, where QA using downstream pipelines has already been set up. That said, B is probably easier to set up in the SAST projects, which currently rely on embedded integration tests.
To me, ideally the expected reports should be with the analyzer projects (proposal B), so that they can be reviewed as the analyzer project changes. We would keep external test projects, ensuring we have realistic integration tests. If nothing else, I believe external test projects and downstream pipelines are the only way to test Auto DevOps integration. That said, this doesn't help with running QA jobs for MRs created by the community. See #118871 (closed) cc @ifrenkel

Intended users

  • Sasha (Software Developer)

User experience goal

Less developer pain in keeping our test projects up to date.

Proposal

  • Allow analyzers to store expectations for test projects within the analyzer project itself (gitlab-org/security-products/ci-templates!84 (merged))
  • Update each SAST analyzer with its downstream expectations
  • Update each DS analyzer with its downstream expectations
  • Remove update QA jobs from QA templates, and from the test projects

Implementation Plan

For each analyzer project:

A. Move the test report expectation into the analyzer project
B. Pass the expected report to the downstream job via the **_REPORT_URL variable in the analyzer's .gitlab-ci.yml (example)
C. Set **_REPORT_URL in the test project's .gitlab-ci.yml so that its default branch continues to pass (for scheduled pipelines)

See example: gitlab-org/security-products/analyzers/secrets!59 (diffs)
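The three steps above, sketched as an added illustration rather than the configuration from the secrets MR or the ci-templates project. The analyzer name (secrets), the downstream test project path, the variable name SECRETS_REPORT_URL, the expectation path qa/expect/gl-secret-detection-report.json and the compare job are all assumptions; the GitLab CI keywords (trigger, project, branch, strategy, variables) are standard. The point to verify in review is that the trigger job's variable wins over the test project's own default, so an MR is compared against the expectation it ships, while scheduled pipelines on the test project's default branch fall back to the analyzer's default branch.

```yaml
# Added example, not the project's own .gitlab-ci.yml. Assumed names:
# analyzer "secrets", downstream test project
# gitlab-org/security-products/tests/secrets, variable SECRETS_REPORT_URL,
# expectation file qa/expect/gl-secret-detection-report.json.

# --- analyzer project: .gitlab-ci.yml (steps A and B) ---
qa-secrets:
  stage: test
  variables:
    # Raw URL of the expectation committed on THIS branch, so the downstream
    # comparison uses the report that is reviewed together with the code change.
    SECRETS_REPORT_URL: "$CI_PROJECT_URL/-/raw/$CI_COMMIT_SHA/qa/expect/gl-secret-detection-report.json"
  trigger:
    project: gitlab-org/security-products/tests/secrets
    branch: master
    # The analyzer MR waits for the downstream pipeline and inherits its status,
    # so a mismatch still blocks the MR, but the fix lives in the same MR.
    strategy: depend

# --- test project: .gitlab-ci.yml (step C) ---
variables:
  # Default used when the test project runs on its own (scheduled pipelines on
  # its default branch). A variable set on the trigger job overrides this value.
  SECRETS_REPORT_URL: "https://gitlab.com/gitlab-org/security-products/analyzers/secrets/-/raw/master/qa/expect/gl-secret-detection-report.json"

compare-secrets-report:
  stage: test
  image: alpine:3
  # Assumes an earlier job named "secrets" produced the actual report as an artifact.
  needs: ["secrets"]
  script:
    - apk add --no-cache curl jq
    - curl --fail --silent --show-error "$SECRETS_REPORT_URL" -o expected.json
    # Normalise key order on both sides so the diff only reports real changes.
    - jq -S . expected.json > expected.sorted.json
    - jq -S . gl-secret-detection-report.json > actual.sorted.json
    - diff -u expected.sorted.json actual.sorted.json
```

Because the downstream pipeline fetches the expectation over HTTPS from the analyzer's own repository, nothing in the test project needs to change when an analyzer's output changes; the "update QA" jobs that previously rewrote expectations in the test projects become redundant, which is what the last proposal bullet removes.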

SAST Analyzers

| Analyzer | MR |
|---|---|
| bandit | gitlab-org/security-products/analyzers/bandit!41 (merged) |
| brakeman | gitlab-org/security-products/analyzers/brakeman!35 (merged) |
| ESLint | gitlab-org/security-products/analyzers/eslint!41 (merged) |
| Flawfinder | gitlab-org/security-products/analyzers/flawfinder!30 (merged) |
| Gosec | gitlab-org/security-products/analyzers/gosec!52 (merged) and gitlab-org/security-products/analyzers/gosec!61 (merged) |
| Kubesec | gitlab-org/security-products/analyzers/kubesec!33 (merged) |
| NodeJsScan | gitlab-org/security-products/analyzers/nodejs-scan!68 (merged) |
| phpcs-security-audit | gitlab-org/security-products/analyzers/phpcs-security-audit!34 (merged) |
| pmd | gitlab-org/security-products/analyzers/pmd-apex!19 (merged) |
| Security Code Scan | gitlab-org/security-products/analyzers/security-code-scan!43 (merged) |
| Secrets | gitlab-org/security-products/analyzers/secrets!59 (merged) |
| Sobelow | gitlab-org/security-products/analyzers/sobelow!33 (merged) |
| SpotBugs | gitlab-org/security-products/analyzers/spotbugs!53 (merged) |

DS Analyzers

| Analyzer | MR |
|---|---|
| gemnasium | gitlab-org/security-products/analyzers/gemnasium!122 (merged) |
| bundler-audit | gitlab-org/security-products/analyzers/bundler-audit!57 (merged) |
| retire.js | gitlab-org/security-products/analyzers/retire.js!54 (merged) |
| gemnasium-maven | gitlab-org/security-products/analyzers/gemnasium-maven!79 (merged) |
| gemnasium-python | gitlab-org/security-products/analyzers/gemnasium-python!71 (merged) |

Test Projects

| Test Project | SAST MR | DS MR |
|---|---|---|
| python-pip | gitlab-org/security-products/tests/python-pip!113 (merged) | gitlab-org/security-products/tests/python-pip!125 (merged) |
| python-pipenv | gitlab-org/security-products/tests/python-pipenv!46 (merged) | gitlab-org/security-products/tests/python-pipenv!56 (merged) |
| ruby-bundler-rails | gitlab-org/security-products/tests/ruby-bundler-rails!29 (merged) | n/a |
| js | gitlab-org/security-products/tests/js!16 (merged) | n/a |
| c | gitlab-org/security-products/tests/c!16 (merged) | n/a |
| cplusplus | gitlab-org/security-products/tests/cplusplus!11 (merged) | n/a |
| secrets | gitlab-org/security-products/tests/secrets!12 (merged) | n/a |
| go | gitlab-org/security-products/tests/go!26 (merged) | n/a |
| go-modules | gitlab-org/security-products/tests/go-modules!51 (merged) | gitlab-org/security-products/tests/go-modules!60 (merged) |
| big-node-js | gitlab-org/security-products/tests/big-node-js!7 (merged) | n/a |
| node-js-disable-babel | gitlab-org/security-products/tests/node-js-disable-babel!4 (merged) | |
| php-composer | gitlab-org/security-products/tests/php-composer!49 (merged) | gitlab-org/security-products/tests/php-composer!56 (merged) |
| apex-salesforce | gitlab-org/security-products/tests/apex-salesforce!11 (merged) | n/a |
| csharp-dotnetcore-multiproject | gitlab-org/security-products/tests/csharp-dotnetcore-multiproject!9 (merged) | n/a |
| elixir-phoenix | gitlab-org/security-products/tests/elixir-phoenix!9 (merged) | n/a |
| java-maven | gitlab-org/security-products/tests/java-maven!112 (merged) | gitlab-org/security-products/tests/java-maven!123 (merged) |
| java-maven-multimodules | gitlab-org/security-products/tests/java-maven-multimodules!69 (merged) | gitlab-org/security-products/tests/java-maven-multimodules!77 (merged) |
| java-gradle | gitlab-org/security-products/tests/java-gradle!55 (merged) | gitlab-org/security-products/tests/java-gradle!64 (merged) |
| java-groovy | gitlab-org/security-products/tests/java-groovy!16 (merged) | n/a |
| scala-sbt | gitlab-org/security-products/tests/scala-sbt!38 (merged) | gitlab-org/security-products/tests/scala-sbt!47 (merged) |
| kubernetes | gitlab-org/security-products/tests/kubernetes!3 (merged) | n/a |
| ruby-bundler | n/a | gitlab-org/security-products/tests/ruby-bundler!1256 (merged) |
| js-npm | n/a | gitlab-org/security-products/tests/js-npm!13562 (merged) |
| js-npm | n/a | gitlab-org/security-products/tests/js-yarn!77 (merged) |
| csharp-nuget-dotnetcore | n/a | gitlab-org/security-products/tests/csharp-nuget-dotnetcore!32 (merged) |
| c-conan | n/a | gitlab-org/security-products/tests/c-conan!14 (merged) |
| java-gradle-kotlin-dsl | n/a | gitlab-org/security-products/tests/java-gradle-kotlin-dsl!14 (merged) |
| java-gradle-multimodules | n/a | gitlab-org/security-products/tests/java-gradle-multimodules!27 (merged) |

Documentation

  • Document testing architecture in handbook, see related gitlab-com/www-gitlab-com!53874 (merged) (gitlab-com/www-gitlab-com!68391 (merged))
  • Update README of tests/common (gitlab-org/security-products/tests/common!24 (merged))
Edited Nov 25, 2020 by Igor Frenkel