Introduce a new artifact file type called `security_findings`
Why are we doing this work
We will start validating the report artifacts but we don't want to break the ingestion process for the existing security-related ci jobs. Therefore, we want to introduce a new artifact type called security_findings to be validated in the future.
Relevant links
- Related issue: #34654 (closed)
Non-functional requirements
-
Documentation: -
Feature flag: -
Performance: -
Testing: -
When schema doesn't validate, do not ingest the report and fail the job (note: allow_failuredefaults to True in security scan jobs so the pipeline itself won't fail)
-
Implementation plan
-
Introduce a new artifact type called security_findingsby adding it to the list of secure related artifacts inEE::Ci::JobArtifact::SECURITY_REPORT_FILE_TYPES
Technical notes
We need to change the design of EE::Ci::Build#collect_security_reports! as it is currently relying on the file type of the artifact to determine the report type which can not be done for security_findings artifacts as they can contain any type.
The new artifact type will look something similar to the below one in gitlab-ci.yml;
my-secruity-build:
variables:
ANALYZER_NAME: spotbugs
REPORT_NAME: gl-sast-report.json
script:
- wget -O "${CI_JOB_NAME}.json" "https://gitlab.com/gitlab-org/security-products/analyzers/${ANALYZER_NAME}/-/raw/master/test/expect/${REPORT_NAME}"
artifacts:
reports:
security_findings: "${CI_JOB_NAME}.json"Important Note: This will break the usage reports as they are currently relying on the file type attribute of the JobArtifact entity but this is already communicated with @thiagocsf.