Adding Incremental Scanning to our common library to tackle the standalone use-case for our analyzers

This idea has already been discussed in the past in various issues including Support incremental scans for SAST.

At the moment all the scanners as well as the back-end code is based on the assumption that we run complete scans (considering all relevant files in the repository). However, to narrow the focus, we can differentiate between (1) the general/integrated setup where vulnerabilities are managed by means of the Vulnerability Report and (2) cases where our scanners are used standalone. An example for a standalone use-case can be found here.

Proposal

Enhance our common library with two features that are disabled by default and that can be enabled by means of env variables.

1. Git Pre-filter: filter the files that are impacted (source branch<>target branch) and run the analysis exclusively on the impacted files.
2. Git Post-filter: generate two reports, the standard report that contains all findings, and a second report that only contains only the findings that are impacted in the context of an MR. The original report could then be forwarded to the backend and the filtered one could be used to inform other tools we run in the context of an MR.

The advantage of tackling this problem on the analyzers first is that we can already use it for standalone use-cases like the one mentioned above and we make a first move towards integrating incremental analysis as a general feature to tackling the first general/integrated use-case.

added Documentation guidelines GitLab Free GitLab Premium GitLab Ultimate devopssecure featureaddition groupvulnerability research sectionsec typefeature labels

/cc @gitlab-org/secure/vulnerability-research @gitlab-org/secure/static-analysis-be @dcouture

changed the description

changed the description

I think incremental scanning is a wonderful idea. We should strive for only scanning what needs to be scanned.

Extending common to include some git utilities would be nice for Secret Detection if we follow through with #350573 (closed). That issue proposes we move some of the logic that determines what commits should be scanned from the vendored template into the analyzer. That logic could be implemented by using the common library loaded with some git utilities.

We should strive for only scanning what needs to be scanned.

... and displaying only what was found for that scan, I would think.

changed milestone to %14.9

assigned to @julianthome

changed title from Adding Incremental Scanning to our common library to tackle the standalone use-case for our analyers to Adding Incremental Scanning to our common library to tackle the standalone use-case for our analyzers

changed milestone to %14.10

mentioned in merge request gitlab-org/security-products/analyzers/command!26 (closed)

changed milestone to %15.0

added missed:14.10 label

changed milestone to %15.1

added missed:15.0 label

changed milestone to %15.2

added missed:15.1 label

changed milestone to %15.3

added missed:15.2 label

This is planned for 15.3, but has missed milestones since 15.0 or earlier. Removing the milestone as it is unlikely we are targeting 15.3 for this.

If this is not accurate, please add the 15.3 milestone back

removed milestone %15.3

changed milestone to %Backlog

Assigned the backlog milestone so this doesn't continue to get caught up in the weekly triage report.

unassigned @julianthome

Closing this as it has become stale and is probably outdated by now.

closed