Add experimental support of SCA Static Reachability in the SAST.latest.yml CI
What does this MR do and why?
In this MR I will use the GitLab Advanced SAST's SCA feature to generate the SCA JSON for the project. Later on, that JSON file will be collected for analysis in the monolith and correlation with other SCA results like Gemnasium. It relates to this issue.
Feature overview
This feature is designed to enrich the SCA scanner results with the notion of which vulnerable packages are actually in use in the code, and therefore rank as more critical. It does so in 4 separate steps:
- SCA scan of the code, for example using Gemnasium or any other SCA scanner that generates a CDX result.
- Code scanning: this is done using GLAS with the `--sca-output-path` option, which in turn uses the built-in SCA rules. These rules detect all `import` statements in the code.
- Post-build import-to-package matching: this step translates the import statements to the libraries and packages that will be loaded in the user's container at runtime. It helps correlate libraries that are named differently when imported and installed (for example, `beautifulsoup4` when installed and `bs4` when imported).
- Enriching the SCA results with the notion of which third-party packages are imported.
You can read more about the feature in the internal feature documentation. Also, a sample project that uses this CI can be found here.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
| Before | After |
|---|---|
| N/A |
|
--- gl-sbom-pypi-pipenv.cdx-old.json 2024-09-12 05:08:09
+++ gl-sbom-pypi-pipenv.cdx-new.json 2024-09-12 05:10:24
@@ -95,7 +95,7 @@
"properties": [
{
"name": "gitlab:dependency_scanning_component:reachability",
- "value": "unknown"
+ "value": "in_use"
}
]
},
\ No newline at end of file
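Review bot: the context around the `"value": "unknown"` to `"value": "in_use"` change shows only the `properties` array, so the component whose reachability flipped cannot be identified from this hunk. Consider widening the diff context, or naming the component in the description, so reviewers can check that the package marked `in_use` is one the example project actually imports.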
@@ -113,4 +113,4 @@
]
}
]
-}
+}
\ No newline at end of file
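Review bot: the closing `}` differs only because the new file ends without a trailing newline (the `\ No newline at end of file` marker follows the `+}` line), so the enrichment step changes the file ending as a side effect. Consider having the writer keep the trailing newline so that before/after comparisons of the SBOM show reachability changes only.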
How to set up and validate locally
- Import example project https://gitlab.com/gitlab-org/secure/tests/ci-components/python-static-reachability-example
- Set CI variables enabling `GITLAB_ADVANCED_SAST_ENABLED=true` and `STATIC_REACHABILITY_ENABLED=true`
- Run pipeline
- Inspect enriched CDX report
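
The import-to-package matching and enrichment steps from the feature overview, as an added Python example that is not part of this MR or of GitLab's implementation. The mapping table, the sample SBOM and the function names are constructed for illustration, and adding a missing property as `unknown` is an assumption; only the property name and the `unknown`/`in_use` values come from the diff on this page.

```python
import copy
import json
import re

# Property name taken from the diff on this page.
REACH_PROP = "gitlab:dependency_scanning_component:reachability"
# Constructed mapping: import name -> installed package name (step 3).
IMPORT_TO_PACKAGE = {"bs4": "beautifulsoup4", "yaml": "pyyaml"}
# Constructed sample SBOM, reduced to the fields this example reads.
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "components": [
    {"name": "beautifulsoup4", "properties": [{"name": REACH_PROP, "value": "unknown"}]},
    {"name": "PyYAML"},
    {"name": "requests", "properties": [{"name": REACH_PROP, "value": "unknown"}]},
]}

def normalize(name):
    """PEP 503 style normalization so 'PyYAML' and 'pyyaml' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def packages_in_use(imports):
    """Translate detected import names into normalized package names."""
    tops = (imp.split(".")[0] for imp in imports)  # 'yaml.loader' -> 'yaml'
    return {normalize(IMPORT_TO_PACKAGE.get(top, top)) for top in tops}

def enrich(sbom, imports):
    """Return a copy of the SBOM with imported components marked in_use."""
    sbom = copy.deepcopy(sbom)
    used = packages_in_use(imports)
    for comp in sbom.get("components", []):
        props = comp.setdefault("properties", [])
        prop = next((p for p in props if p.get("name") == REACH_PROP), None)
        if prop is None:  # assumption: components without the property start as unknown
            prop = {"name": REACH_PROP, "value": "unknown"}
            props.append(prop)
        if normalize(comp["name"]) in used:
            prop["value"] = "in_use"
    return sbom

def reachability(sbom):
    """Component name -> reachability value (None if the property is absent)."""
    return {c["name"]: next((p["value"] for p in c.get("properties", [])
                             if p["name"] == REACH_PROP), None)
            for c in sbom["components"]}

if __name__ == "__main__":
    enriched = enrich(SAMPLE_SBOM, ["bs4", "yaml.loader", "os"])
    print(json.dumps(reachability(enriched), indent=2))
```

The `reachability` helper can also be pointed at a real enriched CDX report loaded with `json.load` to list which components were marked `in_use`.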
