SAST tests: Creation of tests for SAST tasks

[jperezdealgaba]

Before you complete this pull request ...

Look for any open pull requests in the repository with the title "e2e-tests update" and
see if there are recent e2e-tests updates that will be applicable to your change.

[jperezdealgaba]

@kdudka Would you mind giving a preliminary review? There are a few discussions needed here

[jperezdealgaba]

@kdudka This is the repo that was used to test the original task (https://gitlab.cee.redhat.com/chhan/unicode_control_test). I moved it to GitHub as the tests couldn't resolve to the internal GitLab.
This is in my personal organization, I really think this should be moved to a more "professional" org if not choosing a different repository.

[kdudka]

@ralphbean Could we include the test data into https://github.com/konflux-ci/testrepo or another project in the konflux-ci GitHub namespace so that the tests do not depend on 3rd party repositories?

[ralphbean]

@avi-biton @yftacherzog and @gbenhaim, can I defer to you guys on @kdudka's question?

[yftacherzog]

I think it will make better sense to create another repo under https://github.com/konflux-ci instead.

[jperezdealgaba]

Sure. Who should be responsible for creating them?

[jperezdealgaba]

Maybe creating a single repo called sast-testing-examples for examples? We can later there store all sast-examples and have a very big note in the README.md saying that the repo contains insecure code.

cc/ @kdudka

[kdudka]

Sounds good. As for the name, I would start with the test- prefix, e.g. test-data-sast. In case other test repos need to be created later on, they would be visually separated from other repos (when sorted by names).

[jperezdealgaba]

@ralphbean @gbenhaim Any update on this?

[jperezdealgaba]

@ralphbean @gbenhaim Any comment on this?
Note: also pinging on slack

[ralphbean]

Done! Created and invited to https://github.com/konflux-ci/test-data-sast/settings/access

[kdudka]

/ok-to-test

[kdudka]

Code-wise looks fine to me.

[jperezdealgaba]

Another aspect to discuss is the fact that this repo doesn't exist. So the upload is never done. I understand that the upload process is outside of the scope of the function.
Do we want to upload the results?

[kdudka]

If we have a meaningful image-url that could be used for testing, it would increase the test coverage. If not, we can modify the task to skip the upload in case an empty string is provided as image-url, which is how the sast-snyk-check task worked initially.

[jperezdealgaba]

Just had a chat with the team:
"for this we need the quay push secrets ..and it will be again dependent on the story that we created for enabling of secrets https://issues.redhat.com/browse/STONEBLD-3196"

So it seems that until the secrets are not incorporated into the tests, we can not upload the results

[kdudka]

It would be nice to have the upload step covered, too. Yesterday I was fixing a regression in the upload step of the sast-coverity-check task, which was introduced by the Renovate bot: https://gitlab.cee.redhat.com/osh/cov-sa-container/-/merge_requests/63

Of course, it does not need to be part of this pull request, which is about creating some test coverage to begin with.

[kdudka]

/ok-to-test

[jperezdealgaba]

/ok-to-test

[jperezdealgaba]

@kdudka Would you mind retriggering this? There was a timeout

[kdudka]

/ok-to-test

[sfowl]

/ok-to-test

[sfowl]

/ok-to-test

[jperezdealgaba]

Tests passed and moved this out of Draft status

[sfowl]

/ok-to-test

[sfowl]

/ok-to-test

[jperezdealgaba]

/ok-to-test