SAST analyzers with `AnalyzeAll` set must implement `SEARCH_IGNORED_DIRS` / `--ignored-dirs`

The code that provides the --ignore-dirs flag and corresponding SEARCH_IGNORED_DIRS environment variable is in the common module and is easily skipped when the AnalyzeAll option, from the command modules, is set to true.

The ignore-dirs flag is defined in common/flags.go, used while walking directories, when called e.g. as search.New(...).Run(...).

Which is the only way that the run subcommand, defined in command, invokes it.

But notice that the returned matchPath is not used if AnalyzeAll is true.

If AnalyzeAll is true, the root is analyzed, where root comes from target-dir / ANALYZER_TARGET_DIR / CI_PROJECT_DIR. If the analyzer should ignore directories, the Analyze callback must implement it.

Related Issues

• Spotbugs analyzer - exclude dirs not working as... (#432708 - closed) • Unassigned • Backlog

Duplicate issues with a different solution

The proposal in this issue was abandoned in the previous discussion because, at the time, there were more analyzers and the change would have been intensive. Rather than filter beforehand, SAST_EXCLUDED_PATHS was introduced to filter results after analysis.

Having consolidated analyzers, it now seems possible to filter before scanning.

• Ignore some directories not working when analyz... (#6726 - closed) • Fabien Catteau • 11.11
• Exclude dirs from SAST, Dependency Scanning ana... (#10030 - closed) • Fabien Catteau • 11.11

Supported analyzers potentially affected (as of 17.0)

• pmd-apex
• semgrep
• spotbugs
• GitLab Advanced SAST

Implementation Plan

• pmd-apex - create a file containing the ignore-dirs list and reference that file in the pmd command line option ignore-list here.

• semgrep - append ignore-dirs to the semgrep command line options exclude here.

  This was already implemented in Pass SAST_EXCLUDED_PATHS as semgrep exclude flags (gitlab-org/security-products/analyzers/semgrep!47 - merged) • Daniel Paul Searles • 14.0.

• spotbugs - test for and skip directories that are in ignore-dirs here.

• Gitlab Advanced SAST - TBD. include with handling of sast-excluded-paths?

  This was already implemented in Pass SAST_EXCLUDED_PATHS as semgrep exclude flags (gitlab-org/security-products/analyzers/semgrep!47 - merged) • Daniel Paul Searles • 14.0.