SAST: Individual <analyzer-name>-sast jobs for each analyzer do not exist when DinD is disabled for Scala and Groovy language detection
Summary
As per the "Disabling Docker in Docker for SAST" documentation, individual <analyzer-name>-sast jobs for each analyzer should start in the CI/CD pipeline. However, these jobs do not exist when SAST_DISABLE_DIND: "true" is set.
Steps to reproduce
- Enable SAST in project using SAST.gitlab-ci.yml template
- Disable DinD
- Start the pipeline and observe that the expected <analyzer-name>-sast jobs do not exist
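A minimal .gitlab-ci.yml that sets up the configuration described in these steps. This is an added example, not the configuration of the linked example project or GitLab's own template; it assumes the SAST template is pulled in with `include: template:` and that Scala/Groovy would be handled by the spotbugs analyzer, whose job would be named spotbugs-sast following the <analyzer-name>-sast pattern.

```yaml
# Added reproduction config (assumed; not taken from the example project).
# Assumes a Scala (sbt) or Groovy project and that the spotbugs analyzer is the
# one responsible for those languages.
include:
  - template: SAST.gitlab-ci.yml

variables:
  # Disabling Docker-in-Docker is the condition under which, per the SAST
  # documentation, one <analyzer-name>-sast job per applicable analyzer
  # should be created in the pipeline.
  SAST_DISABLE_DIND: "true"

# Expected when the pipeline runs on a Scala/Groovy project:
#   a job named spotbugs-sast (assumed name) appears in the pipeline.
# Observed (this issue):
#   no <analyzer-name>-sast job is created for Scala or Groovy sources.
```

To verify, trigger a pipeline on the project and compare the job list against the language-to-analyzer mapping in the SAST documentation; any language present in the repository without a matching <analyzer-name>-sast job is an instance of this bug.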
Example Project
https://gitlab.com/gitlab-org/security-products/tests/scala-sbt/pipelines/104268667
The pipeline was triggered manually and SAST_DISABLE_DIND: "true" was set manually.
What is the current bug behavior?
SAST individual analyzer jobs are not starting when SAST_DISABLE_DIND: "true" is set.
What is the expected correct behavior?
The correct SAST analyzer jobs (by detected language) start for the pipeline.
Relevant logs and/or screenshots
(Paste any relevant logs - please use code blocks (```) to format console output, logs, and code as it's tough to read otherwise.)
Output of checks
GitLab.com, GitLab Enterprise Edition 12.6.0-pre 87ae3a71
Results of GitLab environment info
(For installations with the omnibus-gitlab package, run and paste the output of:
sudo gitlab-rake gitlab:env:info
For installations from source, run and paste the output of:
sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production
)
Results of GitLab application Check
(For installations with the omnibus-gitlab package, run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true
For installations from source, run and paste the output of:
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true
We will only investigate if the tests are passing.)
Possible fixes
(If you can, link to the line of code that might be responsible for the problem)
Implementation Plan
- Enable scanning of Scala and Groovy for the spotbugs analyzer: !27831 (merged)
- Dependency Scanning template should be updated to include Scala, as support for that was recently added: being addressed in !27457 (closed)
- Audit remaining analyzers to ensure we're not missing any other languages
- Update user documentation to be clear about what happens with SAST jobs in the pipeline