Fix DS latest template breaking when build job is declared after test stage
What does this MR do and why?
In !187135 (merged) we introduced Static Reachability in the latest DS template. After releasing it we got reports of an edge case breaking the DS latest pipeline. More precisely, the error is
In !187135 (merged) we introduced a needs dependency for dependency-scanning-with-reachability. This job should depend on gitlab-static-reachability and on a build job that is required for the DS analyzer to perform a successful scan. The reason the needs is required in the first place is to ensure that dependency-scanning-with-reachability runs only after gitlab-static-reachability. However, inserting needs means that dependency-scanning-with-reachability will no longer receive any artifacts created by prior jobs. That was also the reason we introduced a needs:optional dependency on the build job.
The problem occurs when a build job is declared in a stage that comes after the test stage in which dependency-scanning-with-reachability is executed. If that happens, the pipeline cannot be started, probably because the YAML parser fails to create one.
Example of a .gitlab-ci.yml config that breaks the template:

```yaml
stages:
  - test
  - build

include:
  - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml

variables:
  DS_ENFORCE_NEW_ANALYZER: true
  DS_STATIC_REACHABILITY_ENABLED: false
  DS_PIPCOMPILE_REQUIREMENTS_FILE_NAME_PATTERN: "requirements-lock.txt"

build:
  stage: build
  image: "python:3.12"
  script:
    - pip install pip-tools
    - pip-compile requirements.txt -o requirements-lock.txt
  artifacts:
    when: on_success
    access: developer
    paths: ["**/requirements-lock.txt"]
```

So how do we solve the problem?
We remove the needs on the build job. In this way we:
- ensure that the edge case described above is covered
- avoid further problems with multiple jobs named build
We update the documentation to state that, in order to enable Static Reachability during Beta, users need to override the needs of the dependency-scanning-with-reachability job. This way they can choose the name of the build job.
Example of how someone would enable SR with this solution:

```yaml
stages:
  - some_stage
  - test

include:
  - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml

variables:
  DS_ENFORCE_NEW_ANALYZER: true
  DS_STATIC_REACHABILITY_ENABLED: true
  DS_PIPCOMPILE_REQUIREMENTS_FILE_NAME_PATTERN: "requirements-lock.txt"

ds_with_reachability_build:
  stage: some_stage
  image: "python:3.12"
  script:
    - pip install pip-tools
    - pip-compile requirements.txt -o requirements-lock.txt
  artifacts:
    when: on_success
    access: developer
    paths: ["**/requirements-lock.txt"]

dependency-scanning-with-reachability:
  needs:
    - job: gitlab-static-reachability
      optional: true
      artifacts: true
      # For dependency scanning, fetch artifacts from the build job
    - job: ds_with_reachability_build
      optional: true
      artifacts: true
```

With this MR we also remove support for Security Scan Policies, since users probably won't be able to override dependency-scanning-with-reachability there. On top of that, SEP is not a real requirement for Static Reachability in beta.
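As an added illustration that is not part of this MR or the template, here is a small check that flags the configuration this MR works around: a `needs` entry pointing at a job declared in a later stage. It assumes GitLab's rule that a job may only `need` jobs from the same or an earlier stage, that `optional: true` only covers jobs that are absent entirely, and that a job without `stage` defaults to `test`; the embedded config is a constructed, simplified mirror of the breaking example above (in practice you would load the real file with PyYAML).

```python
# Added check, not part of the MR. Assumption: GitLab rejects a `needs` entry whose
# job sits in a later stage, and `optional: true` only excuses jobs that do not exist.
RESERVED = {"stages", "include", "variables", "default", "workflow", "image",
            "services", "cache", "before_script", "after_script"}
DEFAULT_STAGES = ["build", "test", "deploy"]  # GitLab's default stage order

def job_needs(job):
    """Normalise needs entries (plain strings or {job: ...} dicts) to (name, optional)."""
    out = []
    for entry in job.get("needs", []):
        if isinstance(entry, str):
            out.append((entry, False))
        elif isinstance(entry, dict) and "job" in entry:
            out.append((entry["job"], bool(entry.get("optional", False))))
    return out

def find_invalid_needs(config):
    """Return (job, needed_job, reason) triples for needs GitLab would reject."""
    stages = config.get("stages", DEFAULT_STAGES)
    order = {name: i for i, name in enumerate(stages)}
    jobs = {k: v for k, v in config.items() if k not in RESERVED and isinstance(v, dict)}
    problems = []
    for name, job in jobs.items():
        this_stage = job.get("stage", "test")
        for needed, optional in job_needs(job):
            if needed not in jobs:
                if not optional:  # optional needs may reference a missing job
                    problems.append((name, needed, "missing job"))
                continue
            needed_stage = jobs[needed].get("stage", "test")
            if order.get(needed_stage, -1) > order.get(this_stage, -1):
                problems.append((name, needed, "later stage"))
    return problems

# Constructed config mirroring the breaking example: the `build` stage is declared
# after `test`, and the (simplified) template job needs the `build` job.
BROKEN = {
    "stages": ["test", "build"],
    "build": {"stage": "build", "script": ["pip-compile requirements.txt -o requirements-lock.txt"]},
    "gitlab-static-reachability": {"stage": "test", "script": ["echo reachability"]},
    "dependency-scanning-with-reachability": {
        "stage": "test",
        "needs": [
            {"job": "gitlab-static-reachability", "optional": True, "artifacts": True},
            {"job": "build", "optional": True, "artifacts": True},
        ],
    },
}
```

Dropping the `build` need (what this MR does) or moving the build job to a stage before `test` (what the documentation now asks users to do) both make the check return an empty list.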