Enable Static Reachability in the latest DS template
Problem description
Currently we can enable static reachability by setting GITLAB_STATIC_REACHABILITY_ENABLED to true and including Jobs/SAST.latest.gitlab-ci.yml. This introduces the two jobs required for static reachability:
- gitlab-static-reachability: Provides the reachability data.
- gitlab-enrich-cdx-results: Combines the reports from gitlab-static-reachability and the DS SBOM to provide an SBOM report with reachability data.
Notice that the static-reachability feature depends on DS so including the template for DS is a requirement.
This approach overcomplicates things, since static reachability is an SCA feature. Moreover, we want to avoid forcing static reachability to execute in the test and .post stages, since things can break if users don't have those stages.
Proposal
Relates to #521587 (comment 2371511520). Introduce the SR related jobs in the latest DS template. Ideally extend the dependency-scanning job so that it calls the enrichment matcher in the same job.
As described in !182860 (comment 2394706816):
- All SR related jobs execute in the test stage.
- If SR is enabled (GITLAB_STATIC_REACHABILITY_ENABLED=true) and we have a Python project, the SR job (red) runs first.
- The DS job depends optionally on the SR job. That means that if the SR job runs, the DS job needs to wait for it.
- In the DS job we run the DS analyzer, which writes one or more SBOM files.
- Once that is finished, if the SR job has created a report and the DS analyzer ran successfully, we run the sca-to-sarif-matcher. We don't need to make too many checks, since if the SR job has run we know the enrichment job should run.
- The enrichment job will overwrite the SBOM files generated by the DS analyzer.
Note
- SR Job: This is the static-reachability job which calls GLAS for static reachability
- Enrichment job: This is the sca-to-sarif-matcher job that enriches the DS SBOM with static reachability data.
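
A sketch of how the job wiring described in this proposal could look in GitLab CI YAML. It is an added example, not the actual DS template: the image variables, the three `run-*` commands and the file names are placeholders.

```yaml
# Added sketch of the proposed wiring; not the real DS template.
# SR_ANALYZER_IMAGE, DS_ANALYZER_IMAGE, the run-* commands, sr-report.json
# and the SBOM glob are placeholders, not names taken from the project.
variables:
  GITLAB_STATIC_REACHABILITY_ENABLED: "false"

gitlab-static-reachability:
  stage: test
  image: "$SR_ANALYZER_IMAGE"
  script:
    - run-static-reachability        # placeholder for the call into GLAS
  artifacts:
    paths:
      - sr-report.json               # placeholder SR report
  rules:
    # Only added to the pipeline when SR is enabled and Python files exist.
    - if: '$GITLAB_STATIC_REACHABILITY_ENABLED == "true"'
      exists:
        - "**/*.py"

dependency-scanning:
  stage: test
  image: "$DS_ANALYZER_IMAGE"
  needs:
    # optional: true lets this job start immediately when the SR job is not
    # in the pipeline, and wait for it (and fetch its report) when it is.
    - job: gitlab-static-reachability
      optional: true
      artifacts: true
  script:
    # A non-zero exit here fails the job, so enrichment below only runs
    # after a successful DS analyzer run.
    - run-ds-analyzer                # placeholder; writes the SBOM file(s)
    - |
      if [ -f sr-report.json ]; then
        # SR report present: enrich and overwrite the SBOM files in place.
        run-sca-to-sarif-matcher     # placeholder for the enrichment step
      fi
  artifacts:
    reports:
      cyclonedx: "**/*.cdx.json"     # placeholder SBOM glob
```

Because both jobs sit in the test stage and are ordered through `needs`, the pipeline no longer requires a .post stage to exist.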
