Fix SRA exclusion logic to match SBOM

What does this MR do and why?

SBOM generation and Static Reachability Analysis had inconsistent path exclusion logic:

  • SBOM: Checked directory base names (e.g., "test" excluded src/test/)
  • SRA: Only used glob patterns (e.g., "test" didn't exclude src/test/, needed "**/test")

This caused test dependencies to be incorrectly marked as in_use when using simple exclusion patterns.

Solution:

  1. Extracted IsDirIgnored() function to finder package for shared exclusion logic
  2. Updated SRA's shouldExclude() to split paths and check each directory component
  3. Both flows now consistently exclude directories by exact name at any nesting level

Changes:

  • New finder.IsDirIgnored() function with unit tests
  • SRA now splits paths and checks each component against ignored directory names
  • Added integration tests verifying exact name matching (not substring)
  • Updated test expectations to reflect corrected behavior

Result: DS_EXCLUDED_PATHS="test" now consistently excludes src/test/ in both SBOM and SRA, aligning behavior across the analyzer.
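The following Go program is an added illustration of the exclusion rule described above; it is not the analyzer's own finder package, and the function names, signatures and the comma-separated parsing of DS_EXCLUDED_PATHS are assumptions. It splits a path into directory components, compares each one exactly against the ignored names (so "test" excludes src/test/ but not src/testing/), normalises Windows separators, and contrasts that with a plain glob match that only excludes a path literally equal to the pattern:

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Constructed sample: a file list a scanner might walk for a Python project
// with tests under src/test (not taken from the analyzer's fixtures).
var sampleFiles = []string{
	"src/app/main.py",
	"src/app/http_client.py",
	"src/test/test_main.py",
	"src\\test\\conftest.py", // Windows-style separators, as in the output above
	"src/testing/helpers.py", // "testing" must NOT be excluded by "test"
	"tests/unit/test_x.py",   // "tests" must NOT be excluded by "test"
}

// ParseExcludedPaths splits a DS_EXCLUDED_PATHS value into trimmed entries.
// Assumption: the variable holds a comma-separated list.
func ParseExcludedPaths(value string) []string {
	var out []string
	for _, p := range strings.Split(value, ",") {
		if p = strings.TrimSpace(p); p != "" {
			out = append(out, p)
		}
	}
	return out
}

// IsDirIgnored reports whether any component of dir exactly equals one of the
// ignored directory names, at any nesting depth. Separators are normalised so
// Windows paths behave the same as POSIX ones. (Hypothetical signature.)
func IsDirIgnored(dir string, ignored []string) bool {
	for _, component := range strings.Split(strings.ReplaceAll(dir, "\\", "/"), "/") {
		if component == "" || component == "." {
			continue
		}
		for _, name := range ignored {
			if component == name { // exact match, never substring
				return true
			}
		}
	}
	return false
}

// ShouldExclude applies the same rule to a file path by checking only its
// directory part, so a file named "test.py" at the root is not excluded by "test".
func ShouldExclude(filePath string, ignored []string) bool {
	norm := strings.ReplaceAll(filePath, "\\", "/")
	return IsDirIgnored(path.Dir(norm), ignored)
}

// FilterFiles returns the files the scanner should still analyse.
func FilterFiles(files, ignored []string) []string {
	var kept []string
	for _, f := range files {
		if !ShouldExclude(f, ignored) {
			kept = append(kept, f)
		}
	}
	return kept
}

// OldGlobExclude mimics the pre-fix behaviour with a plain glob match
// (illustrative, using Go's path.Match rather than the analyzer's matcher):
// the pattern "test" only matches a directory path that is literally "test".
func OldGlobExclude(dir, pattern string) bool {
	ok, err := path.Match(pattern, strings.ReplaceAll(dir, "\\", "/"))
	return err == nil && ok
}

func main() {
	ignored := ParseExcludedPaths("test, node_modules")
	fmt.Println("glob  'test' excludes src/test?", OldGlobExclude("src/test", "test"))
	fmt.Println("split 'test' excludes src/test?", IsDirIgnored("src/test", ignored))
	for _, f := range FilterFiles(sampleFiles, ignored) {
		fmt.Println("analyse:", f)
	}
}
```

With DS_EXCLUDED_PATHS="test", the glob check leaves src/test/ in scope while the component check drops both src/test/test_main.py and src\test\conftest.py and keeps src/testing/helpers.py and tests/unit/test_x.py, which is the exact-name (not substring) behaviour the integration tests in this MR verify.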

Manual testing - SRA exclusion with src/test:

With the old (existing) DS analyzer:

  • DS Semgrep module found 2 supported files to analyze
  • packages used in src\test are marked as in_use:
"components": [
    {
      "name": "pytest",
      "version": "7.4.0",
      "purl": "pkg:pypi/pytest@7.4.0",
      "type": "library",
      "bom-ref": "pkg:pypi/pytest@7.4.0",
      "properties": [
        {
          "name": "gitlab:dependency_scanning_component:reachability",
          "value": "in_use"
        }
      ]
    },
    {
      "name": "requests",
      "version": "2.31.0",
      "purl": "pkg:pypi/requests@2.31.0",
      "type": "library",
      "bom-ref": "pkg:pypi/requests@2.31.0",
      "properties": [
        {
          "name": "gitlab:dependency_scanning_component:reachability",
          "value": "in_use"
        }
      ]
    }
  ],

With the updated DS analyzer:

  • DS Semgrep module found 1 supported files to analyze
  • packages used in src\test are marked as not_found:
"components": [
    {
      "name": "pytest",
      "version": "7.4.0",
      "purl": "pkg:pypi/pytest@7.4.0",
      "type": "library",
      "bom-ref": "pkg:pypi/pytest@7.4.0",
      "properties": [
        {
          "name": "gitlab:dependency_scanning_component:reachability",
          "value": "not_found"
        }
      ]
    },
    {
      "name": "requests",
      "version": "2.31.0",
      "purl": "pkg:pypi/requests@2.31.0",
      "type": "library",
      "bom-ref": "pkg:pypi/requests@2.31.0",
      "properties": [
        {
          "name": "gitlab:dependency_scanning_component:reachability",
          "value": "in_use"
        }
      ]
    }
  ],

Related issues

DS: Fix java reachability E2E tests (gitlab-org/gitlab#577752) • Orin Naaman • 18.6

Edited by Orin Naaman
