Exclude qa sbom fixtures from dependency scanning
What does this MR do and why?
There are fixtures under several qa directories with gl-sbom*
artifacts. If not excluded, they will appear in the vulnerability report. This happens because of the artifacts:reports
rule in the Dependency Scanning template.
The change updates the base .ds-analyzer
job to remove the sboms in an after_script
.
Note I tested artifacts:exclude, but it doesn't seem to apply to artifacts:reports
.
Testing various approaches
The following project shows a working example with report removal:
- Test 1 using
artifacts:exclude
: pipeline's licenses tab error shows that all 3 reports (including the one in theexclude
list) were examined. - Test 2 using the
after_script
rm
: pipeline's licenses tab error shows only 2 reports.
You can also look at the pipelines
list to download the artifacts directly and verify them.
Related issue
This was initially spotted by @dcouture on slack: https://gitlab.slack.com/archives/CKWHYU7U2/p1729234019788899
How this was verified
I had to add a test file to trigger dependency scanning because scanning rules were not triggering DS for this MR.
- Dependency scanning without the
after_script
uploads 25 files: https://gitlab.com/gitlab-org/gitlab/-/jobs/8127102227 - Dependency scanning with
after_script
uploads 22 files: https://gitlab.com/gitlab-org/gitlab/-/jobs/8127178525
Downloading the artifacts archive for both jobs and unzipping into directories first
and second
:
└─[$] diff <(tree first) <(tree second)
1,6c1
< first
< ├── ee
< │ └── spec
< │ └── fixtures
< │ └── sbom
< │ └── gl-sbom-maven-maven.cdx.json
---
> second
45,52c40
< │ ├── gl-sbom-gem-bundler.cdx.json
< │ └── qa
< │ └── ee
< │ └── fixtures
< │ ├── dependency_scanning_fixtures
< │ │ └── gl-sbom-fake.cdx.json
< │ └── secure_sbom_files
< │ └── gl-sbom-npm-npm.cdx.json
---
> │ └── gl-sbom-gem-bundler.cdx.json
58c46
< 31 directories, 25 files
---
> 22 directories, 22 files
As can be seen, there is one file removed in ee/spec (this is something Olivier noted already) and 2 under qa/qa/ee/fixtures. gl-sbom-fake.cdx.json
is the one that was generating false positive in the original slack report. The other sbom was likely also generating some false positives. One way to tell the FPs is going through the "no longer detected" in the vuln report after merge.