Report changelog version in Go-based analyzers
Problem to solve
The GitLab Container Scanning tool currently outputs the latest version in the changelog when running a container scan:
[INFO] [klar] [2020-06-30T18:20:17+10:00] ▶ GitLab klar analyzer v2.4.7
Outputting this information during a scan makes it much easier to determine the exact version of the analyzer, which is extremely useful for bug reports.
The purpose of this issue is to add the latest changelog version to the app.Version field, and output this value for all Go-based analyzers.
See this discussion for more details
Additional Details
The following provides some supporting evidence to illustrate why this change would be useful.
Example 1
While investigating the following issue, the end user provided the output log from the failing container scanning job. The log included the semantic version of the analyzer (v2.4.8) but not the SHA of the analyzer's Docker image, so additional back and forth would have been needed to request that this information be included in the output log.
Example 2
In the following tests/js-yarn job, it's not possible to know exactly which version of the underlying retire.js analyzer is used, because the image SHA of the retire.js analyzer is not output:
Unable to find image 'registry.gitlab.com/gitlab-org/security-products/dependency-scanning:2' locally
2: Pulling from gitlab-org/security-products/dependency-scanning
ce82f9486b57: Pulling fs layer
ce82f9486b57: Verifying Checksum
ce82f9486b57: Download complete
ce82f9486b57: Pull complete
Digest: sha256:29914ecaaa6a0387b7d0a679a6f5ee1cbe28211c3279cbdfaef6e1ace4b41516
Status: Downloaded newer image for registry.gitlab.com/gitlab-org/security-products/dependency-scanning:2
2020/07/02 06:27:27 Copy project directory to containers
2020/07/02 06:27:27 [tmp] No detection plugin named
2020/07/02 06:27:27 [tmp] Downloading analyzer...
..........................................................2020/07/02 06:27:37 [tmp] Starting analyzer...
...
[INFO] [retire.js] [2020-07-02T06:27:41Z] ▶ Detecting project
[INFO] [retire.js] [2020-07-02T06:27:41Z] ▶ Found project in /tmp/app
[INFO] [retire.js] [2020-07-02T06:27:41Z] ▶ Running analyzer
However, if we insert the app.Version value and output it in the retire.js analyzer, then we can see exactly which version is being used, as shown in the following tests/js-yarn log:
Unable to find image 'registry.gitlab.com/gitlab-org/security-products/dependency-scanning:2' locally
2: Pulling from gitlab-org/security-products/dependency-scanning
ce82f9486b57: Pulling fs layer
ce82f9486b57: Verifying Checksum
ce82f9486b57: Download complete
ce82f9486b57: Pull complete
Digest: sha256:29914ecaaa6a0387b7d0a679a6f5ee1cbe28211c3279cbdfaef6e1ace4b41516
Status: Downloaded newer image for registry.gitlab.com/gitlab-org/security-products/dependency-scanning:2
2020/07/02 07:04:41 Copy project directory to containers
2020/07/02 07:04:41 [tmp] No detection plugin named
2020/07/02 07:04:41 [tmp] Downloading analyzer...
............................................................
2020/07/02 07:04:52 [tmp] Starting analyzer...
[INFO] [Retire.js] [2020-07-02T07:04:55Z] ▶ GitLab Retire.js analyzer v2.6.1
[INFO] [Retire.js] [2020-07-02T07:04:55Z] ▶ Detecting project
[INFO] [Retire.js] [2020-07-02T07:04:55Z] ▶ Found project in /tmp/app
[INFO] [Retire.js] [2020-07-02T07:04:55Z] ▶ Running analyzer
As shown above, we can easily determine the exact version of the retire.js analyzer:
[INFO] [Retire.js] [2020-07-02T07:04:55Z] ▶ GitLab Retire.js analyzer v2.6.1
Intended users
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
- Rachel (Release Manager)
User experience goal
Version number will be output for all analyzers to make it more obvious which version a customer is using when submitting a bug report.
Proposal
- Update the build stage of analyzer.yml to extract the latest version from the CHANGELOG.md file and pass it as an argument to the ldflags parameter when building the analyzer binary:

    - CHANGELOG_VERSION=$(grep -m 1 '^## v.*$' "CHANGELOG.md" | sed 's/## v//')
    - PATH_TO_MODULE=`go list -m`
    - go build -ldflags="-X '$PATH_TO_MODULE/metadata.AnalyzerVersion=$CHANGELOG_VERSION'" -o ${CI_PROJECT_DIR}/analyzer

- Add the above logic to the Dockerfile for each analyzer that uses a separate binary build stage
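The following is an added, self-contained Go example (not the analyzer project's own code) showing the two halves of the proposal in one place: extracting the version from a CHANGELOG.md with the same `^## v` heading rule as the grep/sed pipeline above, and printing a startup banner from a variable that `go build -ldflags="-X ..."` can set. For a single-file demo the variable lives in package main rather than in a separate `metadata` package, and the `Banner` and `ChangelogVersion` function names, the `(unknown version)` fallback and the sample changelog text are assumptions made here.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// AnalyzerVersion is meant to be injected at build time, e.g.
//   go build -ldflags="-X 'main.AnalyzerVersion=2.6.1'"
// It stays empty when a build forgets to set it, which Banner handles explicitly.
var AnalyzerVersion string

// ChangelogVersion mirrors the proposal's pipeline
//   grep -m 1 '^## v.*$' CHANGELOG.md | sed 's/## v//'
// It returns the rest of the first line that starts with "## v". Like the sed
// expression, it strips only the prefix, so a heading such as "## v2.6.1 (2020-07-01)"
// would yield "2.6.1 (2020-07-01)"; changelog headings therefore need to be bare versions.
func ChangelogVersion(changelog string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(changelog))
	for sc.Scan() {
		line := sc.Text()
		if strings.HasPrefix(line, "## v") {
			return strings.TrimSpace(strings.TrimPrefix(line, "## v")), nil
		}
	}
	return "", errors.New("no '## v' heading found in CHANGELOG.md")
}

// Banner builds the startup line the proposal wants every Go-based analyzer to log,
// e.g. "GitLab Retire.js analyzer v2.6.1". An empty version produces an explicit
// "(unknown version)" marker instead of a misleading bare "v", so a bug report still
// shows that the build did not inject a version.
func Banner(analyzerName, version string) string {
	if version == "" {
		return fmt.Sprintf("GitLab %s analyzer (unknown version)", analyzerName)
	}
	return fmt.Sprintf("GitLab %s analyzer v%s", analyzerName, version)
}

func main() {
	// Constructed sample CHANGELOG.md content; not the real project's changelog.
	const sampleChangelog = `# Retire.js analyzer changelog

## v2.6.1
- Report analyzer version at startup

## v2.6.0
- Earlier release
`
	version, err := ChangelogVersion(sampleChangelog)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	// What the CI build stage would compute from the changelog.
	fmt.Println(Banner("Retire.js", version))
	// What a binary prints from the value injected (or not) via -ldflags.
	fmt.Println(Banner("Retire.js", AnalyzerVersion))
}
```

Run as-is, the second line shows the `(unknown version)` fallback because nothing set `AnalyzerVersion`; building with `go build -ldflags="-X 'main.AnalyzerVersion=$(grep -m 1 '^## v.*$' CHANGELOG.md | sed 's/## v//')'"` makes both lines agree, which is the check a test for this issue can assert on: the banner in the job log must equal the first `## v` heading of the CHANGELOG.md that shipped in the image.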
Availability & Testing
Test to ensure that the version number is output as expected.
What does success look like, and how can we measure that?
The version number is output when running an analyzer.
What is the type of buyer?
Is this a cross-stage feature?
Yes, this will affect the composition analysis and static analysis groups.