Dependency Scanning with no DinD mode conflicts with SAST

Summary

When working with a customer we discovered that turning off DinD for Dependency Scanning resulted in a passed pipeline but no gl-sast-report.json file. In the log file you will see:

Uploading artifacts... WARNING: gl-sast-report.json: no matching files
ERROR: No files to upload
Job succeeded

Steps to reproduce

I have been working with @ifrenkel, @theoretick and @gonzoyumo on this issue on Tue Dec 3, 2019. See my example/test project below and refer to MR mark.cesario/testing/test-removing-dind!1 and Pipeline #100341020 and the log for job "gemnasium-maven-dependency_scanning".

Example Project

This is the test project - https://gitlab.com/mark.cesario/testing/test-removing-dind.

Note: This is a Private project. Let me know who needs access and I will add them as members.

What is the current bug behavior?

The DS job succeeds but the artifact upload fails, so the report never shows up in the MR.

What is the expected correct behavior?

I would expect the report would not fail and I would see the DS results in the MR. Note: I see "Dependency scanning: Loading resulted in an error" in the MR. This doesn't seem like a reasonable error message.

I would either like to see the DS report or an error message stating the job passed but the report failed for "x" reason.

Relevant logs and/or screenshots

Please see my test projects and MR mark.cesario/testing/test-removing-dind!1

Output of checks

This bug happens on GitLab.com.

Results of GitLab environment info

This happens on gitlab.com

Results of GitLab application Check

This happens on gitlab.com

Possible fixes

The fact that a Dependency Scanning job outputs gl-sast-report.json (which is the artifact filename for SAST) means that there is a collision between the two templates' job definitions. Looking at the vendored templates we can indeed see that both SAST and Dependency Scanning use a hidden template job named .analyzer.

  • https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml#L73
  • https://gitlab.com/gitlab-org/gitlab/blob/415868f032d03ab6c7d1035fbf197c3598beb877/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml#L53

When the final .gitlab-ci.yml is built, only one .analyzer job will exist and be used to extend all other jobs, whether they are for SAST or Dependency Scanning.

To fix that, the hidden template job .analyzer needs a per-template prefix, e.g. .sast-analyzer and .ds-analyzer, so that each template's jobs extend their own base job instead of whichever .analyzer happened to be included last.
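The collision can be reproduced without a pipeline by modelling how GitLab merges included templates. The script below is an added illustration for this issue, not GitLab's code: the two template dictionaries are constructed stand-ins for the vendored SAST and Dependency Scanning templates (only the job names on this page are real; the image names, the bandit-sast job, the report filenames other than gl-sast-report.json, and the include order are assumptions), and the merge rule modelled is "top-level keys from a later include replace the same key from an earlier one". It shows the DS job inheriting SAST's artifact report path when both define `.analyzer`, and the correct path once the hidden jobs are prefixed.

```python
"""Model of two CI templates colliding on a hidden `.analyzer` job.

Added illustration for this issue, not GitLab's own code. Template contents
are constructed; only the report filename gl-sast-report.json and the job
name gemnasium-maven-dependency_scanning come from the issue.
"""
from copy import deepcopy

# Constructed stand-in for the SAST template (bandit-sast and image are assumed).
SAST_TEMPLATE = {
    ".analyzer": {
        "stage": "test",
        "artifacts": {"reports": {"sast": "gl-sast-report.json"}},
    },
    "bandit-sast": {"extends": ".analyzer", "image": "analyzers/bandit"},
}

# Constructed stand-in for the Dependency Scanning template.
DS_TEMPLATE = {
    ".analyzer": {
        "stage": "test",
        "artifacts": {
            "reports": {"dependency_scanning": "gl-dependency-scanning-report.json"}
        },
    },
    "gemnasium-maven-dependency_scanning": {
        "extends": ".analyzer",
        "image": "analyzers/gemnasium-maven",
    },
}


def merge_includes(*templates):
    """Merge top-level job definitions in include order; a later template's
    key replaces an earlier one's, which is exactly how `.analyzer` is lost."""
    merged = {}
    for template in templates:
        merged.update(deepcopy(template))
    return merged


def resolve(config, job_name):
    """Resolve `extends` recursively: the job's own keys override inherited ones."""
    job = deepcopy(config[job_name])
    parent = job.pop("extends", None)
    if parent is None:
        return job
    base = resolve(config, parent)
    base.update(job)
    return base


def report_paths(config, job_name):
    """Return the artifact report mapping the job ends up with after `extends`."""
    return resolve(config, job_name)["artifacts"]["reports"]


def rename_hidden_job(template, old, new):
    """Rename a hidden template job and every `extends` that points at it."""
    out = deepcopy(template)
    out[new] = out.pop(old)
    for job in out.values():
        if job.get("extends") == old:
            job["extends"] = new
    return out


# Include order is an assumption for the demo; either order clobbers one side.
colliding = merge_includes(DS_TEMPLATE, SAST_TEMPLATE)

# The proposed fix: per-template prefixes so the two hidden jobs never share a name.
fixed = merge_includes(
    rename_hidden_job(DS_TEMPLATE, ".analyzer", ".ds-analyzer"),
    rename_hidden_job(SAST_TEMPLATE, ".analyzer", ".sast-analyzer"),
)

if __name__ == "__main__":
    ds_job = "gemnasium-maven-dependency_scanning"
    print("colliding:", report_paths(colliding, ds_job))
    print("fixed:    ", report_paths(fixed, ds_job))
```

Running it prints the SAST report path for the DS job in the colliding case, matching the "gl-sast-report.json: no matching files" warning in the job log, and the dependency-scanning path once the hidden jobs are prefixed.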

/cc @gonzoyumo @ifrenkel @theoretick

Edited Dec 04, 2019 by Olivier Gonzalez