# Shared base for the lint-stage static-analysis jobs in this file. Every
# concrete job below extends it; a few override `stage`, `needs` or
# `variables` (update-static-analysis-cache runs in `prepare`,
# static-verification-with-database flips SETUP_DB to "true").
.static-analysis-base:
  extends:
    - .default-retry
    - .default-before_script
  stage: lint
  # Empty `needs`: start as soon as a runner is free instead of waiting for
  # earlier stages to finish.
  needs: []
  variables:
    # No database by default; static-verification-with-database overrides this.
    SETUP_DB: "false"
    ENABLE_SPRING: "1"
    # Disable warnings in browserslist which can break on backports
    # https://github.com/browserslist/browserslist/blob/a287ec6/node.js#L367-L384
    BROWSERSLIST_IGNORE_OLD_DATA: "true"
    # Written by generate-apollo-graphql-schema and exported as its artifact.
    GRAPHQL_SCHEMA_APOLLO_FILE: "tmp/tests/graphql/gitlab_schema_apollo.graphql"

# Refreshes the RuboCop cache (pushed via .rubocop-job-cache-push) for the
# other jobs, so it runs ahead of `lint` in the `prepare` stage.
update-static-analysis-cache:
  extends:
    - .static-analysis-base
    - .rubocop-job-cache-push
    - .shared:rules:update-cache
  stage: prepare
  script:
    # Silence cop offenses for rules with "grace period".
    # This will notify Slack if offenses were silenced.
    # For the moment we only cache `tmp/rubocop_cache` so we don't need to run all the tasks.
    - run_timed_command "fail_on_warnings bundle exec rake rubocop:check:graceful"

# Generic static-analysis driver, split over two parallel instances
# (scripts/static-analysis presumably shards on CI_NODE_INDEX/CI_NODE_TOTAL —
# confirm in that script).
static-analysis:
  extends:
    - .static-analysis-base
    - .static-analysis-cache
    - .static-analysis:rules:static-analysis
  parallel: 2
  script:
    - yarn_install_script
    # fail_on_warnings is a shared helper (defined outside this file); it
    # presumably makes warnings fail the job rather than only errors — confirm.
    - fail_on_warnings scripts/static-analysis

# Verification rake task that needs a database: .use-pg14 brings in the
# PostgreSQL 14 service and SETUP_DB is overridden to "true" here.
static-verification-with-database:
  extends:
    - .static-analysis-base
    - .rubocop-job-cache
    - .static-analysis:rules:static-verification-with-database
    - .use-pg14
  script:
    - bundle exec rake lint:static_verification_with_database
  variables:
    SETUP_DB: "true"

# Converts the dump produced by graphql-schema-dump (defined in another CI
# file) into an Apollo-format schema; eslint consumes the artifact via `needs`.
generate-apollo-graphql-schema:
  extends:
    - .static-analysis-base
    - .frontend:rules:default-frontend-jobs
  image:
    # Build image carrying the apollo CLI; the image entrypoint is cleared so
    # `script` runs in the runner's shell.
    name: ${REGISTRY_HOST}/${REGISTRY_GROUP}/gitlab-build-images:apollo
    entrypoint: [""]
  needs: ['graphql-schema-dump']
  variables:
    # No Ruby gems needed here; the shared before_script presumably skips
    # bundle install on this flag — confirm in .default-before_script.
    USE_BUNDLE_INSTALL: "false"
  script:
    - apollo client:download-schema --config=config/apollo.config.js ${GRAPHQL_SCHEMA_APOLLO_FILE}
  artifacts:
    # Kept for 30 days so downstream jobs and manual inspection can fetch it.
    expire_in: 30 days
    name: graphql-schema-apollo
    paths:
      - "${GRAPHQL_SCHEMA_APOLLO_FILE}"

# Frontend lint. Needs the Apollo schema artifact, presumably because the
# GraphQL ESLint rules validate queries against it — confirm in the ESLint config.
eslint:
  extends:
    - .static-analysis-base
    - .yarn-cache
    - .frontend:rules:default-frontend-jobs
  needs: ['generate-apollo-graphql-schema']
  variables:
    USE_BUNDLE_INSTALL: "false"
  script:
    - yarn_install_script
    - run_timed_command "yarn run lint:eslint:all"
# HAML lint for CE views; the EE job below reuses this definition via extends.
haml-lint:
  extends:
    - .static-analysis-base
    - .ruby-cache
    - .static-analysis:rules:haml-lint
  script:
    - run_timed_command "bundle exec haml-lint --parallel app/views"
  artifacts:
    expire_in: 31d
    when: always
    paths:
      # NOTE(review): same path feature-flags-usage exports; whether haml-lint
      # itself writes under tmp/feature_flags/ is not visible here — confirm.
      - tmp/feature_flags/

# Same configuration as haml-lint, scanning the EE views instead.
haml-lint ee:
  extends:
    - "haml-lint"
    - .static-analysis:rules:haml-lint-ee
  script:
    - run_timed_command "bundle exec haml-lint --parallel ee/app/views"

# RuboCop: full run outside merge requests (or when RUN_ALL_RUBOCOP is "true"),
# otherwise only the files listed by detect-tests.
rubocop:
  extends:
    - .static-analysis-base
    - .rubocop-job-cache
    - .static-analysis:rules:rubocop
  needs:
    # detect-tests presumably produces the file behind RSPEC_CHANGED_FILES_PATH
    # used below — confirm. Optional so this job still runs in pipelines where
    # detect-tests does not exist.
    - job: detect-tests
      optional: true
  variables:
    RUBOCOP_TARGET_FILES: "tmp/rubocop_target_files.txt"
  script:
    # The `$(cat ...)` expansion in the MR branch is deliberately unquoted so
    # each listed path becomes its own argument; paths containing whitespace
    # would be split incorrectly (none are expected in this repository).
    - |
      # For non-merge request, or when RUN_ALL_RUBOCOP is 'true', run all RuboCop rules
      if [ -z "${CI_MERGE_REQUEST_IID}" ] || [ "${RUN_ALL_RUBOCOP}" == "true" ]; then
        # Silence cop offenses for rules with "grace period".
        # We won't notify Slack if offenses were silenced to avoid frequent messages.
        # Job `update-static-analysis-cache` takes care of Slack notifications every 2 hours.
        unset CI_SLACK_WEBHOOK_URL
        run_timed_command "fail_on_warnings bundle exec rake rubocop:check:graceful"
      else
        select_existing_files < "${RSPEC_CHANGED_FILES_PATH}" > "${RUBOCOP_TARGET_FILES}"
        # Skip running RuboCop if there's no target files
        if [ -s "${RUBOCOP_TARGET_FILES}" ]; then
          run_timed_command "fail_on_warnings bundle exec rubocop --parallel --force-exclusion $(cat ${RUBOCOP_TARGET_FILES})"
        else
          echoinfo "Nothing interesting changed for RuboCop. Skipping."
        fi
      fi

# Lints the QA test metadata (no tests are executed: --test-metadata-only) and
# then checks the exported metadata with the scripts/qa helpers.
qa:metadata-lint:
  extends:
    - .static-analysis-base
    - .static-analysis:rules:qa:metadata-lint
  before_script:
    # Defining before_script here replaces the inherited one, so the shared
    # steps are re-inserted explicitly before switching into qa/.
    - !reference [.default-before_script, before_script]
    - cd qa/
    - bundle_install_script
  script:
    - run_timed_command "bundle exec bin/qa Test::Instance::All http://localhost:3000 --test-metadata-only"
    # Back to the repository root: the check scripts below are addressed
    # relative to it.
    - cd ..
    - run_timed_command "./scripts/qa/testcases-check qa/tmp/test-metadata.json"
    - run_timed_command "./scripts/qa/quarantine-types-check qa/tmp/test-metadata.json"
  variables:
    USE_BUNDLE_INSTALL: "false"
    SETUP_DB: "false"
    # Presumably read by bin/qa to skip metrics export for this metadata-only run — confirm.
    QA_EXPORT_TEST_METRICS: "false"
    # Disable warnings in browserslist which can break on backports
    # https://github.com/browserslist/browserslist/blob/a287ec6/node.js#L367-L384
    BROWSERSLIST_IGNORE_OLD_DATA: "true"
  artifacts:
    expire_in: 31d
    when: always
    paths:
      - qa/tmp/

# Runs only the Gitlab/MarkUsedFeatureFlags cop and exports the files it
# creates under tmp/feature_flags/.
feature-flags-usage:
  extends:
    - .static-analysis-base
    - .rubocop-job-cache
    - .static-analysis:rules:rubocop
  script:
    # We need to disable the cache for this cop since it creates files under tmp/feature_flags/*.used,
    # the cache would prevent these files from being created.
    - run_timed_command "fail_on_warnings bundle exec rubocop --only Gitlab/MarkUsedFeatureFlags --cache false"
  artifacts:
    expire_in: 31d
    when: always
    paths:
      - tmp/feature_flags/

# AppSec custom-rule SAST scan. Findings are written to gl-sast-report.json and
# handled by ping-appsec-for-sast-findings; this job itself never fails on them.
semgrep-appsec-custom-rules:
  stage: lint
  extends:
    - .semgrep-appsec-custom-rules:rules
  # No tag, so Docker pulls the registry's default (`latest`) tag: the scanner
  # version can change between pipelines without a diff in this file. Pinning a
  # tag or digest would make runs reproducible (TODO: pick one when pinning).
  image: returntocorp/semgrep
  needs: []
  script:
    # Required to avoid a timeout https://github.com/returntocorp/semgrep/issues/5395
    - git fetch origin master
    # Rules are cloned at run time with no explicit credentials in the script;
    # a change in that repository changes what this job reports.
    - git clone $CUSTOM_RULES_REPOSITORY "${CI_BUILDS_DIR}/sast-custom-rules"
    # Include/exclude list isn't ideal https://github.com/returntocorp/semgrep/issues/5399
    # '*_test.go' is single-quoted so the shell does not glob it; semgrep
    # matches the pattern. The trailing `|| true` keeps the job green regardless
    # of scanner exit status; results surface only through the report artifact.
    - |
      semgrep ci --gitlab-sast --metrics off --config "${CI_BUILDS_DIR}/sast-custom-rules" \
        --include app --include lib --include workhorse \
        --exclude '*_test.go' --exclude spec --exclude qa --exclude tooling > gl-sast-report.json || true
  variables:
    CUSTOM_RULES_REPOSITORY: https://gitlab.com/gitlab-com/gl-security/appsec/sast-custom-rules.git
  artifacts:
    expire_in: 30 days
    paths:
      - gl-sast-report.json

# Post-processes the semgrep report (scripts/process_custom_semgrep_results.sh,
# not visible here) once the scan job has finished.
ping-appsec-for-sast-findings:
  stage: lint
  image: alpine:latest
  extends:
    - .ping-appsec-for-sast-findings:rules
  variables:
    # Project Access Token bot ID for /gitlab-com/gl-security/appsec/sast-custom-rules
    # A bare integer is fine here: GitLab exposes CI variables to the job as strings.
    BOT_USER_ID: 14406065
  needs:
    # Artifacts from `needs` jobs are downloaded by default, so
    # gl-sast-report.json is available to the script below.
    - semgrep-appsec-custom-rules
  script:
    - apk add jq curl
    - scripts/process_custom_semgrep_results.sh

# Triggers a downstream pipeline in the depsaster project, forwarding the MR
# coordinates as variables. allow_failure keeps an outage there from blocking the MR.
trigger-depsaster:
  extends: .static-analysis:rules:trigger-depsaster
  stage: lint
  variables:
    MERGE_REQUEST_PROJECT_ID: $CI_MERGE_REQUEST_PROJECT_ID
    MERGE_REQUEST_IID: $CI_MERGE_REQUEST_IID
  trigger:
    project: "gitlab-com/gl-security/appsec/tooling/depsaster"
  allow_failure: true

# Runs the dependency-review bot container against the current MR. The
# DISABLE_* flags are forwarded to the container as-is; their exact effect is
# defined by the bot, not here.
ping-appsec-for-dependency-review:
  stage: lint
  needs: []
  variables:
    # No repository checkout: the job only drives the bot container.
    GIT_CHECKOUT: "false"
    DISABLE_MENTIONS: "false"
    DISABLE_SCORING: "true"
    DISABLE_COMMENTING: "false"
    # Pulled with a floating `:latest` tag below, i.e. whatever was last pushed
    # for the bot's master branch when the job runs.
    DEPENDENCY_REVIEW_BOT_CI_REG: "${CI_REGISTRY}/gitlab-com/gl-security/appsec/tooling/depscore/master"
  extends: [".ping-appsec-for-dependency-review:rules", ".use-docker-in-docker"]
  before_script:
    - apk add jq curl
    # Resolves the bot's username from its PAT. Note that the token is placed
    # on the curl command line here and on the `docker run` line below: a masked
    # CI variable is hidden in the job log, but argv is still visible to other
    # processes on the runner. `docker login` avoids this via --password-stdin.
    - DEPENDENCY_REVIEW_BOT_UNAME=$(curl --header "PRIVATE-TOKEN:$DEPENDENCY_REVIEW_PAT" "https://gitlab.com/api/v4/user" | jq -r '.username')
    - echo "$DEPENDENCY_REVIEW_PAT" | docker login --password-stdin -u "$DEPENDENCY_REVIEW_BOT_UNAME" -- "$DEPENDENCY_REVIEW_BOT_CI_REG"
  script:
    - docker run --interactive --rm "$DEPENDENCY_REVIEW_BOT_CI_REG:latest" -t "$DEPENDENCY_REVIEW_PAT" -p "$CI_PROJECT_ID" -m "$CI_MERGE_REQUEST_IID" -s "$DISABLE_SCORING" -a "$DISABLE_MENTIONS" -c "$DISABLE_COMMENTING"
  allow_failure: true