Skip to content

Exclude qa sbom fixtures from dependency scanning

Igor Frenkel requested to merge ifrenkel/dependency-scanning-exclude-fixtures into master

What does this MR do and why?

There are fixtures under several qa directories with gl-sbom* artifacts. If not excluded, they will appear in the vulnerability report. This happens because of the artifacts:reports rule in the Dependency Scanning template.

The change updates the base .ds-analyzer job to remove the sboms in an after_script.

Note I tested artifacts:exclude, but it doesn't seem to apply to artifacts:reports.

Testing various approaches

The following project shows a working example with report removal:

  • Test 1 using artifacts:exclude: pipeline's licenses tab error shows that all 3 reports (including the one in the exclude list) were examined.
  • Test 2 using the after_script rm: pipeline's licenses tab error shows only 2 reports.

You can also look at the pipelines list to download the artifacts directly and verify them.

Related issue

This was initially spotted by @dcouture on slack: https://gitlab.slack.com/archives/CKWHYU7U2/p1729234019788899

How this was verified

I had to add a test file to trigger dependency scanning because scanning rules were not triggering DS for this MR.

  1. Dependency scanning without the after_script uploads 25 files: https://gitlab.com/gitlab-org/gitlab/-/jobs/8127102227
  2. Dependency scanning with after_script uploads 22 files: https://gitlab.com/gitlab-org/gitlab/-/jobs/8127178525

Downloading the artifacts archive for both jobs and unzipping into directories first and second:

└─[$] diff <(tree first) <(tree second)                                                                                                                          
1,6c1
< first
< ├── ee
< │   └── spec
< │       └── fixtures
< │           └── sbom
< │               └── gl-sbom-maven-maven.cdx.json
---
> second
45,52c40
< │   ├── gl-sbom-gem-bundler.cdx.json
< │   └── qa
< │       └── ee
< │           └── fixtures
< │               ├── dependency_scanning_fixtures
< │               │   └── gl-sbom-fake.cdx.json
< │               └── secure_sbom_files
< │                   └── gl-sbom-npm-npm.cdx.json
---
> │   └── gl-sbom-gem-bundler.cdx.json
58c46
< 31 directories, 25 files
---
> 22 directories, 22 files

As can be seen, there is one file removed in ee/spec (this is something Olivier noted already) and 2 under qa/qa/ee/fixtures. gl-sbom-fake.cdx.json is the one that was generating false positive in the original slack report. The other sbom was likely also generating some false positives. One way to tell the FPs is going through the "no longer detected" in the vuln report after merge.

Edited by Igor Frenkel

Merge request reports