DS: Fix java reachability E2E tests
Overview
-
After migrating DS from the
latesttemplate tov2, static reachability e2e tests are failing in gson and spring-pet-clinic forks. -
It looks like both failures result from how static reachability handles test dependencies.
spring-pet-clinic
The v2 template changed DS_EXCLUDED_PATHS default from "test" to "**/test", which better excludes nested test directories like src/test.
This creates a discrepancy: lock files include test dependencies (they appear in SBOMs), but their source code is in excluded paths that semgrep never analyzes, resulting in not_found reachability status.
See related Slack thread (internal, 90 days retention).
Gson
The metrics module's SBOM shows test dependencies marked as not_found in v2, but were marked as in_use in latest.
Note: Previously, the sbom-comparison job only validated the root-level SBOM, which has 0 components. The test was ineffective. When we attempted to fix it to compare all module SBOMs (via MR), the sbom-comparison job failed with v2.
Next Steps
- Verify the failure root cause in each project
- Decide desired behavior as needed. For example: Should test deps in SBOMs be analyzed when their source is in excluded paths?
- Fix or update: Based on decision, either:
- Fix DS analyzer behavior
- Update E2E test expectations
- Document behavior