
Move static reachability to DS template and apply Beta changes

What does this MR do and why?

Currently we can enable static reachability (SR) by setting GITLAB_STATIC_REACHABILITY_ENABLED to true and including Jobs/SAST.latest.gitlab-ci.yml. This will introduce two jobs required for static reachability:

  • gitlab-static-reachability: Providing reachability data
  • gitlab-enrich-cdx-results: Combining the reports from gitlab-static-reachability and DS SBOM to provide an SBOM report with reachability data.

Notice that the static-reachability feature depends on DS, so including the template for DS is a requirement. This approach is overcomplicating things since static reachability is an SCA feature and hence it should be located in Jobs/Dependency-Scanning.latest.gitlab-ci.yml.

In this MR we delete everything related to static reachability from the SAST latest template and we move it to the DS latest template. Moreover we:

  • Get rid of the .post job for enriching the SBOM with static reachability data. This was needed since it could cause an SBOM ingestion race. That means that we are not sure which SBOM report would be ingested first: the one from the DS job (no SR data) or the one from the .post job (containing SR data).
  • Moved the enrichment .post job (SCA-to-sarif-matcher analyzer) into the DS analyzer.
  • The SR enrichment process runs only in combination with the new DS analyzer and if GITLAB_STATIC_REACHABILITY_ENABLED is set to true. It depends on a successful run of the gitlab-static-reachability job. Notice that for the experimental version, SR was running only with Gemnasium.
  • The DS job depends optionally on the gitlab-static-reachability job. That means that if that job is present the DS job will wait until it is completed before proceeding. This is required since the enrichment part of the DS job depends on the artifact of gitlab-static-reachability.
  • We also updated the SCA-to-sarif-matcher to the latest version v2.0.1, which does not require a docker image of the code built by the user. This was one of the main issues that we tried to fix in SR beta.
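To make the job graph described above concrete, here is an added illustration of how it can be expressed in GitLab CI. It is not the template from this MR; the job names and the GITLAB_STATIC_REACHABILITY_ENABLED variable come from the MR description, while the images, script commands, artifact file names and matcher flags are placeholders.

```yaml
# Added illustration, not the MR's actual template. Job names and the
# GITLAB_STATIC_REACHABILITY_ENABLED variable come from the MR; images,
# commands, file names and matcher flags below are placeholders.
stages:
  - test

# Produces reachability data (GLAS). Only created when SR is explicitly enabled,
# so the job may be absent from the pipeline entirely.
gitlab-static-reachability:
  stage: test
  image: $SR_ANALYZER_IMAGE            # placeholder image reference
  rules:
    - if: $GITLAB_STATIC_REACHABILITY_ENABLED == "true"
  script:
    - run-static-reachability --output gl-static-reachability.json   # hypothetical command
  artifacts:
    paths:
      - gl-static-reachability.json

# One DS job that scans and then enriches its own SBOM. Because a single job
# uploads a single CycloneDX report, the ingestion race caused by a separate
# .post job cannot occur.
dependency-scanning:
  stage: test
  image: $DS_ANALYZER_IMAGE            # placeholder image reference (needs curl)
  needs:
    - job: gitlab-static-reachability
      optional: true                   # wait for it if present; still run if it was never created
  script:
    - run-dependency-scanning --output gl-sbom.cdx.json   # hypothetical command
    - |
      # Enrich only when SR is enabled AND the upstream artifact actually exists.
      if [ "$GITLAB_STATIC_REACHABILITY_ENABLED" = "true" ] && [ -f gl-static-reachability.json ]; then
        curl -sSfL "$SCA_TO_SARIF_MATCHER_URL" -o sca-to-sarif-matcher   # URL is a placeholder
        chmod +x sca-to-sarif-matcher
        ./sca-to-sarif-matcher \
          --sbom gl-sbom.cdx.json \
          --reachability gl-static-reachability.json \
          --output gl-sbom.cdx.json                                       # flags are hypothetical
      fi
  artifacts:
    reports:
      cyclonedx: gl-sbom.cdx.json
```

With `optional: true`, the DS job still runs when SR is disabled, and the file-existence check in the script guards against enriching with an artifact that was never produced.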

Below you can see how the SR is implemented in the template:

[image: SR implementation in the template]

Note

This implementation depends on this MR that adds curl in the new DS analyzer image. This is needed in order to download the SCA-to-sarif-matcher binary.

References


Screenshots or screen recordings

Before

Before this change, SR was being enabled by including the latest SAST template in combination with the DS template (latest or stable). As you can see in the image below, by enabling SR the jobs that were required were:

  • gemnasium-dependency_scanning for DS
  • gitlab-static-reachability for running GLAS for SR
  • a build job for building the docker image with the code which would be used in the .post job
  • gitlab-enrich-cdx-results job which was a .post job for enriching the SBOM reports. This job was running the SCA-to-sarif-matcher in the docker image built by the build job.

[image: pipeline before this change]

Tip

Please ignore the gitlab-advanced-sast job from the picture above.

After

With this MR we only need the latest DS template to enable SR. When we do that we will get 2 jobs in the test stage:

  • gitlab-static-reachability: which is GLAS for SR
  • dependency-scanning: which runs the new DS analyzer and then the SCA-to-sarif-matcher. Notice that this job waits until gitlab-static-reachability is finished.

[image: pipeline after this change]

How was this feature tested

We tested this feature using this test project: SR-template-test

In this project we are using this DS latest template to trigger the DS and SR jobs. Notice that DS_SR.gitlab-ci.yml in the test project is a copy of the latest DS template in this MR. The main difference is overwriting the DS analyzer image so that I use a version in which curl is available.

Edited by Nick Ilieskou
