Fail X-Ray scan job if the job does not have access to the X-Ray scan feature
Background
@poffey21 reported the following issue:
There are permissions that allow an X-Ray report to be generated, which are based on the parent namespace. So Mikołaj, shouldn't your point 1 have not worked for me? I was coding in a "free" namespace with a user that has been granted Duo access in a non-free namespace?
Scenario:
- Free, Private Namespace (regrabneffop-tester-group / 82652045)
- User (regrabneffopt-tester / 5392086) that has been given an Ultimate License + Code Suggestions access within GitLab Learn Labs
- Project (needing-checked / 54986716) in that Free Namespace is using the User that has Code Suggestions access in a different namespace.
After inspecting the attached X-Ray scan CI job, it turns out the job is marked as successful despite the GitLab API returning 401 responses.
What is more, inspecting the report that was generated uncovered the following:
```ruby
#<Projects::XrayReport:0x00007fa9a3a7e960
id: 7498,
project_id: 54986716,
created_at: Thu, 15 Feb 2024 20:30:09.612014000 UTC +00:00,
updated_at: Thu, 15 Feb 2024 20:30:09.612014000 UTC +00:00,
lang: "python",
payload:
{"libs"=>[],
"checksum"=>
"57f8288a383db5f3b6d28c7fee8b3a09c9cfbe605abdbc6ee3a2e926234bc230",
"fileName"=>"requirements.txt",
"scannerVersion"=>"0.0.1"},
file_checksum:
"57f8288a383db5f3b6d28c7fee8b3a09c9cfbe605abdbc6ee3a2e926234bc230">]
```
This indicates that an empty report (`libs` is `[]`) was created and stored even though the API requests that should have populated it failed. Such behaviour is confusing and suggests that some projects have access to the X-Ray feature when in fact they do not.
Goal
Fail the X-Ray scan job when the CI job does not have access to the X-Ray feature, so that the end user receives a clear message about what has just happened instead of a green job and an empty report.
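One way the scan job could implement this goal, as an added example that is not GitLab's own code nor the X-Ray scanner's: the job checks the HTTP status of the API response before building a report, turns a 401 into a non-zero exit with a clear message, and never stores a report built from a failed request. The method names, the treatment of 403 alongside 401, the exit-code mapping and the sample responses are all assumptions made for illustration; the page only shows 401.

```ruby
require 'json'

# Added example, not GitLab's own code. It shows how an X-Ray scan job can
# turn a 401/403 from the GitLab API into a failed job with a clear message,
# instead of storing an empty report and exiting 0. The method names, the
# status-code handling and the sample responses below are assumptions
# made for illustration.
class XrayAccessError < StandardError; end

# HTTP statuses that mean the job is not allowed to use the feature
# (403 is included here as an assumption; the issue only shows 401).
XRAY_ACCESS_DENIED = [401, 403].freeze

# Validates the API response for one dependency file.
# Returns the list of libraries on success.
# Raises XrayAccessError when the job has no access or the response is not
# usable, so the caller never uploads a report built from a failed request.
def check_xray_response(status, body, project_id:, file_name:)
  if XRAY_ACCESS_DENIED.include?(status)
    raise XrayAccessError,
          "X-Ray scan failed for #{file_name}: GitLab API returned #{status} " \
          "for project #{project_id}. This job does not have access to the " \
          "X-Ray feature; check the Code Suggestions / Duo access of the " \
          "project's namespace."
  end

  unless (200..299).cover?(status)
    raise XrayAccessError,
          "X-Ray scan failed for #{file_name}: unexpected HTTP #{status} from GitLab API"
  end

  payload = JSON.parse(body)
  libs = payload['libs']
  # A successful response must carry the libs array; a missing key would
  # otherwise produce an empty report for the wrong reason.
  unless libs.is_a?(Array)
    raise XrayAccessError, "X-Ray scan failed for #{file_name}: response has no 'libs'"
  end

  libs
end

# Exit code the CI job should end with: 0 only when the report is usable.
# The error message goes to stderr so it shows up in the job log.
def xray_job_exit_code(status, body, project_id:, file_name:)
  check_xray_response(status, body, project_id: project_id, file_name: file_name)
  0
rescue XrayAccessError, JSON::ParserError => e
  warn e.message
  1
end

# Constructed sample responses (not real API output).
DENIED_RESPONSE = [401, '{"message":"401 Unauthorized"}'].freeze
OK_RESPONSE = [200, '{"libs":[{"name":"requests","description":"HTTP library"}],' \
                    '"fileName":"requirements.txt","scannerVersion":"0.0.1"}'].freeze

if __FILE__ == $PROGRAM_NAME
  [DENIED_RESPONSE, OK_RESPONSE].each do |status, body|
    code = xray_job_exit_code(status, body, project_id: 54986716, file_name: 'requirements.txt')
    puts "HTTP #{status} -> exit #{code}"
  end
end
```

The check keys on the HTTP status rather than on an empty `libs` array, because an empty list can also be a legitimate result for a dependency file with no recognised libraries; only the failed request tells the job that it lacked access.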