gitlab-advanced-sast-cpp: add to SAST CI/CD component
Problem to solve
A gitlab-advanced-sast-cpp job should be added to the SAST CI/CD component.
The job should only be triggered by the C and C++ extensions currently assigned to the semgrep analyzer.
Related
clangsa-sast: add to SAST CI/CD template (#533894 - closed) • Hua Yan • 18.6
Proposal
Since components can be versioned with a branch name, customers interested in C/C++ SAST scans who are willing to work with the experimental analyzer can reference a working template.
Plan
- create a test repository that includes code that will trigger findings
  - add a job gitlab-advanced-sast-cpp to the test repo pipeline based on the edge image
  - when a compile_commands.json file is present, check that the pipeline runs successfully and that a report is generated and presented correctly
  - when no compile_commands.json is present, verify that the job fails but does not break the pipeline
- create a branch of the SAST component including the job configuration
  - see Add gitlab-advanced-sast-cpp analyzer (components/sast!29 - merged) • Hua Yan
  - redirect C/C++ extensions to use gitlab-advanced-sast-cpp
- update the test repository to use the component
  - verify that a report is generated when compile_commands.json is present
  - and that the job fails when compile_commands.json is omitted, without breaking the pipeline
- determine if/how to add the experimental analyzer to the default component branch. Enable with a variable? Disable other analyzer rules for C/C++ extensions?
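An added sketch of what the test-repository job from the plan could look like; it is not the configuration from components/sast!29. The image variable, the analyzer entrypoint and the list of C/C++ extensions are assumptions to be replaced with the real values.

```yaml
gitlab-advanced-sast-cpp:
  stage: test
  # Placeholder: substitute the edge image referred to in the plan.
  image: "$GITLAB_ADVANCED_SAST_CPP_IMAGE"
  variables:
    COMPILE_COMMANDS: compile_commands.json
  # Experimental analyzer: a failed scan must not fail the pipeline.
  allow_failure: true
  script:
    # Fail early with a clear message when the compilation database is absent,
    # so the "missing compile_commands.json" case is a job failure, not a hang.
    - |
      if [ ! -f "$COMPILE_COMMANDS" ]; then
        echo "ERROR: $COMPILE_COMMANDS not found; the analyzer needs a compilation database" >&2
        exit 1
      fi
    - /analyzer run   # placeholder entrypoint; use the analyzer's real command
  artifacts:
    reports:
      # Standard GitLab SAST report name, so the findings show up in the UI.
      sast: gl-sast-report.json
  rules:
    - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
      when: never
    # Only trigger for the C/C++ extensions currently claimed by the semgrep job
    # (assumed list; align it with the semgrep job's rules in the component).
    - if: $CI_COMMIT_BRANCH
      exists:
        - '**/*.c'
        - '**/*.cc'
        - '**/*.cpp'
        - '**/*.cxx'
        - '**/*.h'
        - '**/*.hh'
        - '**/*.hpp'
        - '**/*.hxx'
```

With `allow_failure: true` the job is shown as failed with a warning while the pipeline still passes, which is the behaviour the plan's second verification step expects.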
Edited by Hua Yan