Clean-up secure jobs config
What does this MR do and why?
- `allow_failure: true` is redefined for every job, but it's the default already for all secure jobs in their respective templates. I couldn't find anything in the config that could set this to `false` by default, so I think we can safely get rid of it.
- The `gemnasium-maven-dependency_scanning` job is triggered on `master`, even though we don't have anything "java". The job fails silently.
- The workaround for the `execa` vulnerability shouldn't be needed anymore, I don't see this vulnerability in https://gitlab.com/gitlab-org/gitlab/-/pipelines/387803884/?reportType=DEPENDENCY_SCANNING.
Some open questions too:
- Why do we need to keep a `GIT_DEPTH` of 20? (example in this job: `Fetching changes with git depth set to 20...`). Shouldn't we keep that under 10 (at least for the secure jobs) according to https://docs.gitlab.com/ee/ci/large_repositories/index.html#shallow-cloning?
- Pipelines are reporting multiple vulnerabilities, but nothing ends up in the Vulnerability Report.
  - https://gitlab.com/gitlab-org/gitlab/-/pipelines/387803884/?reportType=DEPENDENCY_SCANNING&reportType=SAST has 79 Detected Dependency Scanning vulnerabilities, whereas https://gitlab.com/gitlab-org/gitlab/-/security/vulnerability_report/?scanner=GitLab.DEPENDENCY_SCANNING has only 1
- There's a `package-and-qa` job always failing in these pipelines, I wonder if it could prevent the parsing of the reports. If it's the case, this is a very weak condition, and we should fix that.
@rymai could you please take a look? thanks
Screenshots or screen recordings
How to set up and validate locally
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Philippe Lafoucrière
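Added illustration of the two config points raised above (the redundant `allow_failure` override and the Maven analyzer running on a project with no JVM code). This is an example written for this page, not the actual `.gitlab-ci.yml` of the gitlab-org/gitlab project; it assumes a project that includes the stock Dependency Scanning template and that the template already sets `allow_failure: true` on its analyzer jobs, as the MR description states. The job names and the `rules: - when: never` override are the standard GitLab CI mechanisms for this; the `GIT_DEPTH` value is only the suggestion from the shallow-cloning docs linked above.

```yaml
# Example .gitlab-ci.yml fragment (constructed for illustration, not the project's real config)
include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml

variables:
  # Suggested by the shallow-cloning docs linked in the MR; the project currently uses 20.
  GIT_DEPTH: "10"

# BEFORE (redundant): the template already marks the secure jobs allow_failure: true,
# so repeating it per job adds nothing and hides where the default actually comes from.
#
# gemnasium-dependency_scanning:
#   allow_failure: true
# gemnasium-maven-dependency_scanning:
#   allow_failure: true

# AFTER: drop the per-job allow_failure overrides entirely (template default applies),
# and stop the Maven analyzer from being scheduled at all on a project with no Java/JVM code.
# Overriding `rules` on an included job replaces the template's rules for that job,
# so a single `when: never` rule disables it on every branch, including master.
gemnasium-maven-dependency_scanning:
  rules:
    - when: never
```

Note that a job disabled this way disappears from the pipeline rather than failing silently, which makes the "no Java here" decision visible in the config instead of buried in a green-but-empty job. Whether the remaining analyzers still need any override at all can be checked by diffing the rendered CI config (CI/CD > Pipeline editor > View merged YAML) against the included template.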