Cannot Run Before Script on Dependency Scanning

Problem to solve

When the scan execution policy is activated (the "Scan Everything" policy shown under Configuration below, which includes the SAST and dependency scanning actions), two Maven dependency scanning jobs are created in the pipeline:

  1. gemnasium-maven-dependency_scanning
  2. gemnasium-maven-dependency-scanning-3

For the first job (gemnasium-maven-dependency_scanning), the job-level before_script runs as expected and creates the Maven settings file by sourcing the custom script. Both jobs are given an identical job-level before_script in .gitlab-ci.yml; note that the override keys on the exact generated job name, hyphens and numeric suffix included:

gemnasium-maven-dependency_scanning:
  before_script:
    - source <(curl -s https://some.url.com/mvn-create-settings.bash)

gemnasium-maven-dependency-scanning-3:
  before_script:
    - source <(curl -s https://some.url.com/mvn-create-settings.bash)

For the second job (gemnasium-maven-dependency-scanning-3), however, the before_script is never executed: the first command run in the step_script stage is /analyzer run, so the Maven settings file is not configured and the scan subsequently fails. The relevant part of the job log:

No URL provided, cache will not be downloaded from shared cache server. Instead a local version of cache will be extracted.
Successfully extracted cache
Executing "step_script" stage of the job script
$ /analyzer run
Using java version 'adoptopenjdk-17.0.8+101'

If the before_script is instead defined at the top level (default: before_script, or the older top-level before_script keyword), both scanner jobs execute it. That approach is undesirable, though, because the before_script then runs for every job in the pipeline, not just the two dependency scanning jobs.

The goal is to ensure that the before_script runs correctly for both Maven dependency scanners without applying it to all jobs in the pipeline.

Steps to reproduce

1. Configure the scan execution policy:
  • Activate the SAST/dependency scanning policy (see Configuration below) for the project's GitLab CI/CD pipeline.
  • The policy creates two Maven dependency scanning jobs: gemnasium-maven-dependency_scanning and gemnasium-maven-dependency-scanning-3.
2. Set up a before_script for both scanner jobs:
  • For gemnasium-maven-dependency_scanning, add a job-level before_script (a plain echo is enough to show whether it runs at all):

gemnasium-maven-dependency_scanning:
  before_script:
    - 'echo "Running job: |$CI_JOB_NAME|"'

  • For gemnasium-maven-dependency-scanning-3, add the same job-level before_script:

gemnasium-maven-dependency-scanning-3:
  before_script:
    - 'echo "Running job: |$CI_JOB_NAME|"'

3. Run the pipeline:
  • Execute the CI/CD pipeline and compare the job logs of both scanners.
  • The first job prints the echo line and runs; the second job never executes its before_script, so in the real setup the Maven settings file is missing and the scan fails.
4. Alternative approach:
  • Move the before_script to the top level of the CI configuration:

before_script:
  - 'echo "Running job: |$CI_JOB_NAME|"'

  • Run the pipeline again: now both scanner jobs execute the before_script.
  • This, however, applies the before_script to every job in the pipeline, which is not desirable.
5. Expected behavior:
  • Both Maven dependency scanning jobs should execute their job-level before_script, without the before_script having to be applied globally to all jobs.
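As an added example (not part of the issue and not GitLab's own configuration), the script below takes the only variant the steps above show to work for both jobs, a top-level before_script, and gives it the scoping the reporter wants: it is meant to be sourced from a top-level default: before_script: entry, but it only performs the Maven settings setup when $CI_JOB_NAME is one of the two dependency scanning jobs and is a no-op for every other job. It also addresses something the original before_script glosses over: source <(curl -s URL) executes whatever the server returns, inside a job that holds the project's CI tokens, so the script pins the helper's SHA-256 and refuses to source it on a mismatch. The helper URL, the variable names MVN_SETTINGS_SCRIPT_URL and MVN_SETTINGS_SCRIPT_SHA256, and the job-name pattern are assumptions to be adapted; the script does not change the underlying fact that a job-level before_script is ignored for the -3 job.

```bash
#!/usr/bin/env bash
# Added example, not from the issue: a before_script helper that is safe to run
# from a top-level `default: before_script:` because it only acts for the two
# Maven dependency scanning jobs. The job names and the curl/source pattern come
# from the issue; the URL default, the variable names and the digest are assumed.

# Decide whether a job needs the Maven settings file.
# Exit status 0 = yes, 1 = no. Matches the policy-generated name with the
# hyphenated "-<n>" suffix as well as the plain underscore name.
needs_maven_settings() {
  case "$1" in
    gemnasium-maven-dependency_scanning|gemnasium-maven-dependency-scanning-*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the hex SHA-256 of a file, falling back across the tools commonly
# present in analyzer images.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# Compare a file's digest with the pinned one. Exit status 0 on match, 1 otherwise.
verify_script() { # verify_script <file> <expected-sha256>
  [ "$(sha256_of "$1")" = "$2" ]
}

# Download the settings helper, verify it against the pinned digest, and only
# then source it, so that any variables it exports reach the job shell.
setup_maven_settings() {
  local url="${MVN_SETTINGS_SCRIPT_URL:-https://some.url.com/mvn-create-settings.bash}" # assumed variable
  local expected="${MVN_SETTINGS_SCRIPT_SHA256:-}"                                      # assumed variable, set as a CI/CD variable
  local tmp
  if [ -z "$expected" ]; then
    echo "MVN_SETTINGS_SCRIPT_SHA256 is not set; refusing to source an unverified script" >&2
    return 1
  fi
  tmp="$(mktemp)" || return 1
  if ! curl -fsSL --retry 3 -o "$tmp" "$url"; then
    echo "download of $url failed" >&2
    rm -f "$tmp"
    return 1
  fi
  if ! verify_script "$tmp" "$expected"; then
    echo "$url does not match the pinned SHA-256; refusing to source it" >&2
    rm -f "$tmp"
    return 1
  fi
  # shellcheck disable=SC1090
  . "$tmp"
  rm -f "$tmp"
}

# Entry point when sourced from before_script: no-op for unrelated jobs,
# and a hard failure (not a silent skip) when the helper cannot be verified.
if [ -n "${CI_JOB_NAME:-}" ] && needs_maven_settings "$CI_JOB_NAME"; then
  setup_maven_settings || exit 1
fi
```

Commit the file (for example as ci/maven-settings.sh, a hypothetical path) and reference it once, under default: before_script:, with "source ci/maven-settings.sh"; every job sources it, but only the two gemnasium-maven jobs do any work. Record the pinned digest as a protected CI/CD variable and update it deliberately whenever the helper changes, which turns a silent upstream change into a failed job instead of unreviewed code running with the job's credentials.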

Configuration

name: Scan Everything
description: We test to run all of the scanners by default to learn.
enabled: true
actions:
  - scan: secret_detection
  - scan: sast
  - scan: container_scanning
  - scan: container_scanning
  - scan: dependency_scanning
rules:
  - type: pipeline
    branch_type: all
  - type: schedule
    cadence: 0 0 * * 6
    branch_type: all
    timezone: Europe/Stockholm
policy_scope:
  projects:
    excluding: []


Hi,
I have the same issue as you, but with the default gemnasium-dependency_scanning.