Update the latest SAST Artifact URL across all Downstream Projects
Problem
After the recent migration to integration-test based approach for all SAST Analyzers, the folder structure qa/expect containing expected artifacts has changed in some of the Analyzer repositories. Since the scheduled QA jobs use the same set of artifacts to check against the scan results of downstream projects, it has caused some of the QA jobs to fail(ex).
Additionally, some downstream projects still refer to the unsupported analyzers artifact URL, ex: Go or JS downstream projects. Since the downstream projects' content rarely changes, the older artifacts worked fine.
Proposal
Update the artifact URL(SAST_REPORT_URL) in .gitlab-ci.yml in all the [downstream projects](downstream projects) pointing to the actual/latest report URL of respective analyzers.
Implementation Plan
Instead of checking for every analyzer's downstream projects, I've borrowed the list from the migration issue since the responsibilities have already been distributed. Some analyzers may not have changed qa/expect folder structure and their downstream projects might be pointing to the right artifact URL -- we can mark them as checked with the same indication.
-
Semgrep -
go and c downstream projects @theoretick -
js downstream projects @vbhat161 -
python downstream projects @vbhat161 -
java downstream projects @vbhat161 -
csharp downstream projects @zrice
-
-
Kics downstream projects : @willmeek (gitlab-org/security-products/tests/terraform!3 (merged), gitlab-org/security-products/tests/ansible!7 (merged), gitlab-org/security-products/tests/cloudformation!3 (merged)) -
brakeman downstream projects: @vbhat161 -
kubesec downstream projects : @arpitgogia -
mobsf downstream projects @vbhat161 -
phpcs-security-audit downstream projects -
pmd-apex downstream projects @rossfuhrman -
security-code-scan downstream projects -
sobelow downstream projects @rossfuhrman -
spotbugs downstream projects @vbhat161 -
secrets downstream projects @theoretick
Future Scope?
Post complete migration to integration-test, move the scheduled QA regression happening on the projects present in the qa/fixtures folder of each Analyzer. It can lead to a single source against which both, Integration and QA Regression tests run.
/cc @willmeek