<!-- The first four sections: "Problem to solve", "Intended users", "User experience goal", and "Proposal", are strongly recommended, while the rest of the sections can be filled out during the problem validation or breakdown phase. However, keep in mind that providing complete and relevant information early helps our product team validate the problem and start working on a solution. --> ### Problem to solve <!-- What problem do we solve? Try to define the who/what/why of the opportunity as a user story. For example, "As a (who), I want (what), so I can (why/value)." --> Right now, if you want to avoid running one particular DS analyzer, you need to remove it from the long string of analyzers and use that to set the `DS_DEFAULT_ANALYZERS` somewhere in your project's CI template. And, if you do this, it excludes you from future new analyzers. This gotcha is not obvious. ### User experience goal <!-- What is the single user experience workflow this problem addresses? For example, "The user should be able to use the UI/API/.gitlab-ci.yml with GitLab to <perform a specific task>" https://about.gitlab.com/handbook/engineering/ux/ux-research-training/user-story-mapping/ --> It should be easier for a user to avoid running a particular analyzer without the risk of losing out on getting to use newly added analyzers. ### Proposal <!-- How are we going to solve the problem? Try to include the user journey! https://about.gitlab.com/handbook/journeys/#user-journey --> We could add a `DS_EXCLUDED_ANALYZERS` variable which would define the analyzers that the user wants to avoid running. Proposed Removal in %14.0 ### Implementation plan Step 1: add `DS_EXCLUDED_ANALYZERS` variable - [x] update Dependency Scanning template to add `DS_EXCLUDED_ANALYZERS`: https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml ^{[1](#footnotes)} - [x] update documentation of `DS_EXCLUDED_ANALYZERS` variable, indicate `DS_DEFAULT_ANALYZERS` is deprecated: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#available-variables Step 2: to be done after official deprecation (not in this issue): - update development templates to use `DS_EXCLUDED_ANALYZERS`: https://gitlab.com/gitlab-org/gitlab/-/issues/333582 - Remove `DS_DEFAULT_ANALYZERS`: See https://gitlab.com/gitlab-org/gitlab/-/issues/333299 #### Notes: 1. This must be added alongside `DS_DEFAULT_ANALYZERS` (i.e. not replacing the old variable) so as to not break existing user configurations. ### Further details Only the DS analyzers that are relevant for a project are ran, so this variable can be left blank and only the appropriate analyzers will run. <!-- Include use cases, benefits, goals, or any other details that will help us understand the problem better. --> ### Limitations ~~The current proposal would only work with Docker in Docker disabled, which is currently the default and will be the only way to run DS in the near future.~~ Docker in Docker is no longer supported, so the above is no longer a problem. ### Risks Removing/renaming `DS_DEFAULT_ANALYZERS` could have unintended consequences. Removing it would break QA is it works right now. ### Documentation <!-- See the Feature Change Documentation Workflow https://docs.gitlab.com/ee/development/documentation/workflow.html#for-a-product-change * Add all known Documentation Requirements in this section. See https://docs.gitlab.com/ee/development/documentation/feature-change-workflow.html#documentation-requirements * If this feature requires changing permissions, update the permissions document. See https://docs.gitlab.com/ee/user/permissions.html --> ## Timing The work should occur in 13.10 but not be default until as close to 14.0 as possible - if these both can coexist at the same time, great! We'll also probably want to make a backlog item specific to 15.0 for full removal ## Release Post this MUST be announced in 13.9-14.0 per policy * [x] 13.9 * [x] 13.10 * [ ] 13.11 [MR](https://gitlab.com/gitlab-com/www-gitlab-com/-/merge_requests/77402) * [ ] 13.12 [MR](https://gitlab.com/gitlab-com/www-gitlab-com/-/merge_requests/78890) * [ ] 14.0 [MR](https://gitlab.com/gitlab-com/www-gitlab-com/-/merge_requests/77404) ## Changelog * [ ] This MUST be announced in 14.0 changelog ## Blog post * [x] [unfiltered blog post](https://about.gitlab.com/blog/2021/02/08/composition-analysis-14-deprecations-and-removals/) ## Testing SET could add an end to end test such that the pipeline is checked before and after setting this in CI. ``` expect(pipeline).to have_job('dependency_scanning') # Set EXCLUDED expect(pipeline).not_to have_job('dependency_scanning') ```