Unable to exclude SpotBugs analyzer using SAST_EXCLUDED_ANALYZERS in SEP
Summary
One of our large customers has reported an issue with excluding the `spotbugs` analyzer when using a Scan Execution Policy (SEP). They've observed that the Static Application Security Testing (SAST) scans run by the `spotbugs` analyzer consistently fail, and they wish to exclude the `spotbugs` analyzer from the pipeline. However, despite adding the `SAST_EXCLUDED_ANALYZERS` variable to the scan execution policy, the exclusion does not take effect and the `spotbugs` security scan job continues to be triggered.
Steps to reproduce
- Create a new project and add some source code files to it (there should not be any compiled code).
- Create a SEP and set `SAST_EXCLUDED_ANALYZERS` to exclude the `spotbugs` analyzer.
- Make a change to a source code file and observe the pipeline: the `spotbugs` scan still runs.
Example Project
What is the current bug behavior?
- Even when the variable `SAST_EXCLUDED_ANALYZERS` is set in the SEP to exclude the `spotbugs` analyzer, the scan still runs in the pipeline.
What is the expected correct behavior?
- When the variable `SAST_EXCLUDED_ANALYZERS` is set in the SEP to exclude the `spotbugs` analyzer, the scan should not run.
Possible fixes
- backend: in `Security::SecurityOrchestrationPolicies::CiConfigurationService`, the `remove_rule_to_disable_job!` method should not remove the rule matching the `_EXCLUDED_ANALYZERS` pattern when the variable is provided in the policy.
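The following standalone Ruby script is an added illustration, not GitLab's own code, of the reproduction above and of the proposed fix. It embeds a constructed scan execution policy of the shape the customer would use (the policy name and `"*"` branch filter are illustrative assumptions), a constructed and simplified subset of the `spotbugs-sast` job rules from the SAST CI template, and two versions of the rule-stripping step: the reported behaviour, which drops every `when: never` rule (so the policy's own `SAST_EXCLUDED_ANALYZERS` has nothing to act on), and the proposed behaviour, which keeps the `_EXCLUDED_ANALYZERS` rule whenever the policy supplies such a variable. The rule evaluator is a toy that understands only the three `if:` forms used here and treats `exists:` as satisfied, matching the repro where source files are present; the function and constant names are this example's, not the service's.

```ruby
require "yaml"

# Constructed scan execution policy in the shape the customer's would take
# (assumption: illustrative name and branch filter, not the real policy).
POLICY_WITH_EXCLUSION = <<~YAML
  scan_execution_policy:
    - name: Enforce SAST without spotbugs
      enabled: true
      rules:
        - type: pipeline
          branches:
            - "*"
      actions:
        - scan: sast
          variables:
            SAST_EXCLUDED_ANALYZERS: spotbugs
YAML

# Same policy with no variables block, for comparison.
POLICY_WITHOUT_VARIABLES = <<~YAML
  scan_execution_policy:
    - name: Enforce SAST
      enabled: true
      rules:
        - type: pipeline
          branches:
            - "*"
      actions:
        - scan: sast
YAML

# Constructed, simplified subset of the spotbugs-sast job rules from the SAST
# CI template: two "disable" rules followed by the rule that runs the job.
SPOTBUGS_RULES = [
  { "if" => "$SAST_EXCLUDED_ANALYZERS =~ /spotbugs/", "when" => "never" },
  { "if" => "$SAST_DISABLED == 'true'", "when" => "never" },
  { "if" => "$CI_COMMIT_BRANCH" },
].freeze

EXCLUDED_ANALYZERS_PATTERN = /_EXCLUDED_ANALYZERS/

# Variables the policy injects into the enforced scan job.
def policy_variables(policy_yaml)
  YAML.safe_load(policy_yaml).fetch("scan_execution_policy").flat_map do |policy|
    policy.fetch("actions").flat_map { |action| (action["variables"] || {}).to_a }
  end.to_h
end

# Reported behaviour: every `when: never` rule is stripped so a project-level
# variable such as SAST_DISABLED cannot switch off an enforced scan. That also
# strips the *_EXCLUDED_ANALYZERS rule, so the policy's own exclusion is lost.
def strip_disable_rules_current(rules)
  rules.reject { |rule| rule["when"] == "never" }
end

# Proposed behaviour: keep the *_EXCLUDED_ANALYZERS rule whenever the policy
# itself provides such a variable; strip the other disable rules as before.
def strip_disable_rules_proposed(rules, variables)
  policy_excludes = variables.keys.any? { |k| k.match?(EXCLUDED_ANALYZERS_PATTERN) }
  rules.reject do |rule|
    next false unless rule["when"] == "never"
    !(policy_excludes && rule["if"].to_s.match?(EXCLUDED_ANALYZERS_PATTERN))
  end
end

# Tiny evaluator for the three `if:` forms used above (assumption: `exists:`
# is treated as satisfied, matching the repro where source files are present).
def job_runs?(rules, variables)
  rules.each do |rule|
    matched =
      case rule["if"]
      when %r{\A\$(\w+) =~ /(.+)/\z} then variables[$1].to_s.match?(Regexp.new($2))
      when /\A\$(\w+) == '([^']*)'\z/ then variables[$1].to_s == $2
      when /\A\$(\w+)\z/ then !variables[$1].to_s.empty?
      else false
      end
    return rule["when"] != "never" if matched
  end
  false
end

# Does spotbugs run on a push to main under a given policy and service variant?
def spotbugs_runs?(policy_yaml, variant, project_variables = {})
  vars = policy_variables(policy_yaml)
  rules = variant == :proposed ? strip_disable_rules_proposed(SPOTBUGS_RULES, vars)
                               : strip_disable_rules_current(SPOTBUGS_RULES)
  job_runs?(rules, project_variables.merge(vars, "CI_COMMIT_BRANCH" => "main"))
end

if $PROGRAM_NAME == __FILE__
  puts "current,  policy excludes spotbugs:      runs=#{spotbugs_runs?(POLICY_WITH_EXCLUSION, :current)}"
  puts "proposed, policy excludes spotbugs:      runs=#{spotbugs_runs?(POLICY_WITH_EXCLUSION, :proposed)}"
  puts "proposed, project sets SAST_DISABLED:    runs=#{spotbugs_runs?(POLICY_WITHOUT_VARIABLES, :proposed, 'SAST_DISABLED' => 'true')}"
end
```

The third case is the check a reviewer of the fix would want: with the proposed stripping, a project-level `SAST_DISABLED=true` still cannot suppress a policy-enforced scan, so honouring the policy's `_EXCLUDED_ANALYZERS` variable does not reopen the bypass the rule stripping was added to prevent.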