Draft: Fix disabling and overriding rules with a remote custom ruleset
What does this MR do?
This fix is based on the work from @eurie in:
- Support remote custom configuration (report!80 - merged)
- Support remote custom config (ruleset!27 - merged)
- Support remote custom configs (command!50)
It allows using a remote custom ruleset when disabling or overriding rules, similar to kics!102, by ensuring that the correct ruleset and path are set when generating the `gl-secret-detection-report.json` file.
Resolves gitlab-org/gitlab#425251.
Testing
Testing this locally requires creating a Go workspace as outlined below.

- Check out the `fix-disabling-overriding-rules-with-remote-custom-ruleset` branch for `secrets`.
- Create a `modules` folder in the cloned directory.
- In the `modules` folder, clone the `425730_eurie_remote_ruleset_not_applied_during_report_generation` branch for `command`.
- Temporarily, see note below:
  - Replace all occurrences of `ruleset/v2` with `ruleset/v3` in the cloned `command` repository.
  - Replace all occurrences of `report/v4` with `report/v5` in the cloned `command` repository.
  - Replace all occurrences of
- In the top-level `secrets` directory, initialize a new Go workspace:
  ```shell
  go work init .
  go work use modules/command
  ```
- Clone the test project into `qa/fixtures`: `git@gitlab.com:gitlab-org/secure/tests/test-issue-425251/secret-detection.git`.
- Run `analyzer-build && analyzer-debug qa/fixtures/secret-detection`.
- In the debug container, export the following environment variables:
  ```shell
  export GITLAB_FEATURES=sast_custom_rulesets
  export SECRET_DETECTION_RULESET_GIT_REFERENCE=gitlab.com/gitlab-org/secure/tests/test-issue-425251/ruleset
  ```
- Run the analyzer: `/analyzer run`.
- Verify that there are no results in the resulting `/tmp/app/gl-secret-detection-report.json` file.
Note: we are currently pointing to the latest versions of the `ruleset` and `report` modules, which already include the required changes, so the steps above only require the `command` module to be added to the Go workspace, but it has to point to the correct versions too.
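The last step checks the report by hand. The helper below is an added example (not part of this MR or the analyzer) that scripts that check: it loads a `gl-secret-detection-report.json`, reports whether it is empty, and tallies findings per rule identifier so a reviewer can see which rule, if any, slipped past the remote ruleset. It assumes the standard report layout (a top-level `vulnerabilities` list whose entries carry `identifiers` with a `value`); the sample reports and the `example-rule` identifier are constructed here.

```python
"""Added example: verify a Secret Detection report has no findings.

Assumes the report schema's top-level "vulnerabilities" list, where each
entry has an "identifiers" list of {"type", "name", "value"} dicts.
"""
import json
import tempfile
from collections import Counter
from pathlib import Path


def load_report(path):
    """Parse a gl-secret-detection-report.json file from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def findings_by_rule(report):
    """Count findings per rule identifier value (e.g. a gitleaks rule id).

    Entries without identifiers are counted under "<no identifier>" so a
    malformed finding is never silently dropped from the tally.
    """
    counts = Counter()
    for vuln in report.get("vulnerabilities", []):
        identifiers = vuln.get("identifiers") or []
        if not identifiers:
            counts["<no identifier>"] += 1
        for ident in identifiers:
            counts[ident.get("value", "<unknown>")] += 1
    return counts


def report_is_clean(path):
    """True when the report on disk lists zero vulnerabilities."""
    return not load_report(path).get("vulnerabilities")


# Constructed sample reports, not real analyzer output.
CLEAN_REPORT = {"version": "15.0.0", "vulnerabilities": [], "scan": {"status": "success"}}
DIRTY_REPORT = {
    "version": "15.0.0",
    "vulnerabilities": [{"id": "constructed-1", "identifiers": [
        {"type": "gitleaks_rule_id", "name": "Example rule", "value": "example-rule"}]}],
    "scan": {"status": "success"},
}


def write_sample(report):
    """Write a sample report to a temp file and return its path."""
    path = Path(tempfile.mkdtemp()) / "gl-secret-detection-report.json"
    path.write_text(json.dumps(report), encoding="utf-8")
    return str(path)
```

Point `report_is_clean` at `/tmp/app/gl-secret-detection-report.json` inside the debug container to replace the manual inspection step.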
Demo
The demo was created with only the `ruleset` module updated to v3.
What are the relevant issue numbers?
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests updated/added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer