Dependency Scanning DS_DEFAULT_ANALYZERS: "gemnasium-maven" also creates a normal gemnasium job

Summary

Since %12.5, setting DS_DEFAULT_ANALYZERS: "gemnasium-maven" together with DS_DISABLE_DIND: "true" always creates a regular gemnasium-dependency_scanning job in addition to gemnasium-maven-dependency_scanning, instead of only gemnasium-maven-dependency_scanning.

Steps to reproduce

A .gitlab-ci.yml:

include:
  - template: Dependency-Scanning.gitlab-ci.yml

variables:
  DS_DEFAULT_ANALYZERS: "gemnasium-maven"
  DS_DISABLE_DIND: "true"

This happens in a Maven project that contains both Java files and JavaScript (or Ruby or PHP) files, which may well be the case for Java web applications.

Example Project

https://gitlab.com/stendler/example-gemnasium-maven-analyzer

Pipeline: https://gitlab.com/stendler/example-gemnasium-maven-analyzer/pipelines/102385417/builds

What is the current bug behavior?

The pipeline creates two jobs:

  • gemnasium-dependency_scanning
  • gemnasium-maven-dependency_scanning

gemnasium-dependency_scanning always fails in my case (probably because this is a Maven and not a Node project).

What is the expected correct behavior?

Pipeline creates only one job:

  • gemnasium-maven-dependency_scanning

Possible fixes

Change the regex that checks whether $DS_DEFAULT_ANALYZERS contains the string gemnasium, e.g. so that the match has to end after gemnasium or be followed by a , or whitespace. Alternatively, rename any of these analyzers so that their names no longer overlap.

Current code:

https://gitlab.com/gitlab-org/gitlab/-/blob/b885e992a6b24fd07f9af216f95b759bfed7ca78/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml#L91

  only:
    variables:
      - [...]
        $DS_DEFAULT_ANALYZERS =~ /gemnasium/ &&

Possible Fix:

  only:
    variables:
      - [...]
        $DS_DEFAULT_ANALYZERS =~ /gemnasium($|[,\s])/ &&

This ignores every value containing gemnasium- such as gemnasium-maven, but still catches gemnasium,gemnasium-maven, gemnasium,spotbugs and the like.
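To see the difference between the current and the proposed pattern on concrete DS_DEFAULT_ANALYZERS values, here is an added Go check (not code from the template or from GitLab). It assumes GitLab's =~ operator follows RE2 syntax, which Go's regexp package implements, and that the other conditions of the template's only: variables rule can be ignored for this question; the sample values are constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// Pattern currently used by the Dependency-Scanning template for the gemnasium
// job: any occurrence of "gemnasium", so "gemnasium-maven" matches as well.
var currentPattern = regexp.MustCompile(`gemnasium`)

// Proposed replacement: "gemnasium" must be followed by end of string, a comma
// or whitespace, so the "gemnasium-" analyzers no longer match.
var fixedPattern = regexp.MustCompile(`gemnasium($|[,\s])`)

// SpawnsGemnasiumJob reports whether a DS_DEFAULT_ANALYZERS value would enable
// the plain gemnasium job under the given pattern (hypothetical helper; the
// remaining conditions of the template's only: variables rule are not modelled).
func SpawnsGemnasiumJob(pattern *regexp.Regexp, dsDefaultAnalyzers string) bool {
	return pattern.MatchString(dsDefaultAnalyzers)
}

func main() {
	// Constructed sample values for DS_DEFAULT_ANALYZERS.
	samples := []string{
		"gemnasium-maven",           // the value from this report: must NOT spawn the gemnasium job
		"gemnasium",                 // bare analyzer name: must spawn it
		"gemnasium,gemnasium-maven", // both analyzers: must spawn it
		"gemnasium, spotbugs",       // comma and space as separator: must spawn it
		"spotbugs,gemnasium-maven",  // no plain gemnasium: must NOT spawn it
	}
	for _, s := range samples {
		fmt.Printf("%-28q current=%-5t fixed=%t\n", s,
			SpawnsGemnasiumJob(currentPattern, s), SpawnsGemnasiumJob(fixedPattern, s))
	}
}
```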

Edited Dec 18, 2019 by Maximilian Stendler