debian-mirror-gitlab/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml

# To contribute improvements to CI/CD templates, please follow the Development guide at:
# https://docs.gitlab.com/ee/development/cicd/templates.html
# This specific template is located at:
# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml

# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/
#
# Configure dependency scanning with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html).
# List of available variables: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/index.html#available-variables

variables:
  # Setting this variable will affect all Security templates
  # (SAST, Dependency Scanning, ...)
  SECURE_ANALYZERS_PREFIX: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
  DS_EXCLUDED_ANALYZERS: ""
  DS_EXCLUDED_PATHS: "spec, test, tests, tmp"
  DS_MAJOR_VERSION: 3
  DS_SCHEMA_MODEL: 15

dependency_scanning:
  stage: test
  script:
    - echo "$CI_JOB_NAME is used for configuration only, and its script should not be executed"
    - exit 1
  artifacts:
    reports:
      dependency_scanning: gl-dependency-scanning-report.json
  dependencies: []
  rules:
    - when: never

.ds-analyzer:
  extends: dependency_scanning
  allow_failure: true
  variables:
    # DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
    # override the analyzer image with a custom value. This may be subject to change or
    # breakage across GitLab releases.
    DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/$DS_ANALYZER_NAME:$DS_MAJOR_VERSION"
    # DS_ANALYZER_NAME is an undocumented variable used in job definitions
    # to inject the analyzer name in the image name.
    DS_ANALYZER_NAME: ""
  image:
    name: "$DS_ANALYZER_IMAGE$DS_IMAGE_SUFFIX"
  # `rules` must be overridden explicitly by each child job
  # see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
  script:
    - /analyzer run

.cyclonedx-reports:
  artifacts:
    paths:
      - "**/gl-sbom-*.cdx.json"
    reports:
      cyclonedx: "**/gl-sbom-*.cdx.json"

.gemnasium-shared-rule:
  exists:
    - '**/Gemfile.lock'
    - '**/composer.lock'
    - '**/gems.locked'
    - '**/go.sum'
    - '**/npm-shrinkwrap.json'
    - '**/package-lock.json'
    - '**/yarn.lock'
    - '**/pnpm-lock.yaml'
    - '**/packages.lock.json'
    - '**/conan.lock'

gemnasium-dependency_scanning:
  extends:
    - .ds-analyzer
    - .cyclonedx-reports
  variables:
    DS_ANALYZER_NAME: "gemnasium"
    GEMNASIUM_LIBRARY_SCAN_ENABLED: "true"
  rules:
    - if: $DEPENDENCY_SCANNING_DISABLED
      when: never
    - if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium([^-]|$)/
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
          $CI_GITLAB_FIPS_MODE == "true"
      exists: !reference [.gemnasium-shared-rule, exists]
      variables:
        DS_IMAGE_SUFFIX: "-fips"
        DS_REMEDIATE: "false"
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bdependency_scanning\b/
      exists: !reference [.gemnasium-shared-rule, exists]

.gemnasium-maven-shared-rule:
  exists:
    - '**/build.gradle'
    - '**/build.gradle.kts'
    - '**/build.sbt'
    - '**/pom.xml'

gemnasium-maven-dependency_scanning:
  extends:
    - .ds-analyzer
    - .cyclonedx-reports
  variables:
    DS_ANALYZER_NAME: "gemnasium-maven"
  rules:
    - if: $DEPENDENCY_SCANNING_DISABLED
      when: never
    - if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium-maven/
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
          $CI_GITLAB_FIPS_MODE == "true"
      exists: !reference [.gemnasium-maven-shared-rule, exists]
      variables:
        DS_IMAGE_SUFFIX: "-fips"
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bdependency_scanning\b/
      exists: !reference [.gemnasium-maven-shared-rule, exists]

.gemnasium-python-shared-rule:
  exists:
    - '**/requirements.txt'
    - '**/requirements.pip'
    - '**/Pipfile'
    - '**/requires.txt'
    - '**/setup.py'
    - '**/poetry.lock'

gemnasium-python-dependency_scanning:
  extends:
    - .ds-analyzer
    - .cyclonedx-reports
  variables:
    DS_ANALYZER_NAME: "gemnasium-python"
  rules:
    - if: $DEPENDENCY_SCANNING_DISABLED
      when: never
    - if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium-python/
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
          $CI_GITLAB_FIPS_MODE == "true"
      exists: !reference [.gemnasium-python-shared-rule, exists]
      variables:
        DS_IMAGE_SUFFIX: "-fips"
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bdependency_scanning\b/
      exists: !reference [.gemnasium-python-shared-rule, exists]
    # Support passing of $PIP_REQUIREMENTS_FILE
    # See https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#configuring-specific-analyzers-used-by-dependency-scanning
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
          $PIP_REQUIREMENTS_FILE &&
          $CI_GITLAB_FIPS_MODE == "true"
      variables:
        DS_IMAGE_SUFFIX: "-fips"
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
          $PIP_REQUIREMENTS_FILE

bundler-audit-dependency_scanning:
  extends: .ds-analyzer
  variables:
    DS_ANALYZER_NAME: "bundler-audit"
    DS_MAJOR_VERSION: 2
  script:
    - echo "This job was deprecated in GitLab 14.8 and removed in GitLab 15.0"
    - echo "For more information see https://gitlab.com/gitlab-org/gitlab/-/issues/347491"
    - exit 1
  rules:
    - when: never

retire-js-dependency_scanning:
  extends: .ds-analyzer
  variables:
    DS_ANALYZER_NAME: "retire.js"
    DS_MAJOR_VERSION: 2
  script:
    - echo "This job was deprecated in GitLab 14.8 and removed in GitLab 15.0"
    - echo "For more information see https://gitlab.com/gitlab-org/gitlab/-/issues/289830"
    - exit 1
  rules:
    - when: never