Skip to content

Draft: Skip Dependency Scanning for Gradle when FIPS mode enabled

Fabien Catteau requested to merge fips-disable-ds-gradle into master

What does this MR do and why?

When FIPS mode is enabled, do not trigger gemnasium-maven-dependency_scanning jobs for Java projects that only have Gradle build files. This is because the Gradle build task is incompatible with FIPS.

https://gitlab.com/gitlab-org/gitlab/-/issues/366772

Screenshots or screen recordings

In a branch of the Gradle project used for integration tests, and with the following CI config:

stages:
  - test
  - qa

include:
  # Security Products features
  - https://gitlab.com/gitlab-org/gitlab/-/raw/fips-disable-ds-gradle/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml

  # Security Products features QA
  - https://gitlab.com/gitlab-org/security-products/ci-templates/raw/master/includes-dev/qa-dependency_scanning.yml

gemnasium-maven-dependency_scanning-fips:
  extends: gemnasium-maven-dependency_scanning
  variables:
    CI_GITLAB_FIPS_MODE: "true"

gemnasium-maven-dependency_scanning (default mode) is triggered, but gemnasium-maven-dependency_scanning-fips (FIPS mode) is not, as expected.

Screenshot_2022-07-05_at_07.14.53

Links

How to set up and validate locally

On a GitLab instance where FIPS is enabled,

  1. Create a Gradle project.
  2. Include the Dependency Scanning CI template.
  3. Trigger a pipeline.

There should be no Dependency Scanning job in the project pipeline.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Fabien Catteau

Merge request reports

Loading