Proposal: test Secure analyzers' project detection with unit tests.

Problem to solve

Following a discussion, there is no consensus about whether the Match function in the Secure analyzers (SAST & Dependency Scanning) needs a unit test, given that an integration test (seemingly) already covers it.

Match unit test pros:

  • More code coverage.
  • Unit tests serve as documentation too.
  • Earlier failure, so a bug is fixed faster by the developer who introduced it.
  • It is always possible that integration tests succeed where unit tests would not, leaving a bug in the code.

Cons:

  • More code to maintain.
  • Need to implement Match tests for the other analyzers, in the name of consistency.

(feel free to suggest more Pros & Cons)
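To make the pros concrete, here is an added example (not code from the issue or from the analyzers themselves) of what a table-driven unit test for a project-detection Match function could look like. The Match signature, the file names it recognises and the cases are all assumptions chosen for illustration: a hypothetical ESLint-style analyzer that treats a package.json or an .eslintrc* file as a project marker. The case table is the "documentation" argument in practice, and the rows for a directory named like the manifest, a lockfile and a partial name are the kind of edge cases an end-to-end integration test on a single fixture project would not exercise.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Match reports whether a path seen while walking the project tree marks it as
// a project this analyzer should scan. Hypothetical detection logic written for
// this example; it is not any real analyzer's Match function.
func Match(path string, isDir bool) (bool, error) {
	if isDir {
		// Only files are project markers; a directory that happens to be
		// named package.json must not trigger a scan.
		return false, nil
	}
	base := filepath.Base(path)
	switch {
	case base == "package.json":
		return true, nil
	case strings.HasPrefix(base, ".eslintrc"):
		// Covers .eslintrc, .eslintrc.json, .eslintrc.yml, ...
		return true, nil
	}
	return false, nil
}

// matchCase is one row of the table-driven test: the input path, whether it
// is a directory, and the decision the team expects.
type matchCase struct {
	name  string
	path  string
	isDir bool
	want  bool
}

// MatchCases doubles as documentation of the agreed detection behaviour.
// All paths are constructed sample inputs.
var MatchCases = []matchCase{
	{"manifest at root", "package.json", false, true},
	{"manifest in subdir", "app/package.json", false, true},
	{"eslint json config", ".eslintrc.json", false, true},
	{"eslint yaml config in subdir", "src/.eslintrc.yml", false, true},
	{"directory named like the manifest", "package.json", true, false},
	{"lockfile is not a manifest", "package-lock.json", false, false},
	{"unrelated file", "README.md", false, false},
	{"partial name must not match", "mypackage.json", false, false},
}

// CheckMatchCases runs every row and returns one message per row whose result
// disagrees with the expectation; an empty slice means the table passes.
func CheckMatchCases() []string {
	var failures []string
	for _, c := range MatchCases {
		got, err := Match(c.path, c.isDir)
		if err != nil {
			failures = append(failures, fmt.Sprintf("%s: unexpected error: %v", c.name, err))
			continue
		}
		if got != c.want {
			failures = append(failures, fmt.Sprintf("%s: Match(%q, dir=%v) = %v, want %v",
				c.name, c.path, c.isDir, got, c.want))
		}
	}
	return failures
}

func main() {
	for _, f := range CheckMatchCases() {
		fmt.Println("FAIL:", f)
	}
	fmt.Printf("%d cases checked\n", len(MatchCases))
}
```

In a real analyzer this table would live in a `_test.go` file and loop over `t.Run(c.name, ...)`; the shape is the same, and adding a row is how a newly found detection bug gets pinned down before the fix is written.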

Target audience

  • Sasha, Software Developer, https://design.gitlab.com/research/personas#persona-sasha

Proposal

Reach a consensus and either:

  • Don't add Match unit tests.
  • Add them to all analyzers.
  • Sacrifice consistency and let developers add them at their discretion.

What does success look like, and how can we measure that?

Consensus reached.

Links / references

gitlab-org/security-products/analyzers/eslint!1 (diffs)

gitlab-org/security-products/analyzers/eslint!2 (closed)
