Enforce JSON schema validation for generic security report - FE
Why are we doing this work
Display error(s) to customers on the Pipeline Security Report when security report schema does not pass validation.
From @andyvolpe in this discussion:
For the MVC, add an alert outside of and above the scan details section of the security tab (/pipeline/00000000/security). Since the scan details can be expanded and collapsed, we'd risk the user missing the alert if we nested it with that information. I'll upload a quick mock into the design section of this issue.
Relevant links
Design mocks:
Non-functional requirements
- Documentation:
- Feature flag:
- Performance:
- Testing:
Implementation plan
- frontend
  - Update `ee/app/assets/javascripts/security_dashboard/graphql/queries/pipeline_security_report_summary.query.graphql` to include the `name` and `errors` fields for each scan (see example query below)
  - Add logic to `ee/app/assets/javascripts/security_dashboard/components/pipeline_security_dashboard.vue`
    - If there are any errors, then display the alert
    - For each scanner with an error, add an expandable section (using `GlAccordion` and `GlAccordionItem`)
    - Add an error count to each section header
    - Show all errors within each section
  - Add specs
Example Query

```graphql
# The operation definition is added here so the example is a complete,
# valid query; the original snippet showed only the selection set.
query pipelineSecurityReportSummary($fullPath: ID!, $iid: ID!) {
  project(fullPath: $fullPath) {
    name
    pipeline(iid: $iid) {
      securityReportSummary {
        sast {
          vulnerabilitiesCount
          scans {
            nodes {
              name
              errors
            }
          }
        }
      }
    }
  }
}
```
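The implementation plan above asks the dashboard component to show an alert when any scan carries errors, group the errors per scanner in an accordion, and put an error count in each section header. The following is an added example, not GitLab's own code, of the data transformation that logic needs: it takes a `securityReportSummary` object shaped like the example query's response (a constructed sample is embedded) and derives the scanners that have errors, their counts and the header text. In `pipeline_security_dashboard.vue` these plain functions would become computed properties; the function names and the sample error messages are hypothetical.

```javascript
// Added example (not part of the GitLab code base). Assumes the response shape
// of the example query in this issue: each report type (sast, dast, ...) holds
// scans.nodes[] where every node has a `name` and an `errors` array.

// Constructed sample payload: test-sast-1 fails schema validation, the others pass,
// and one report type is null because that scanner did not run in the pipeline.
const sampleSummary = {
  sast: {
    vulnerabilitiesCount: 0,
    scans: {
      nodes: [
        {
          name: 'test-sast-1',
          // Hypothetical validator messages, constructed for this example.
          errors: [
            "root is missing required keys: version, vulnerabilities",
            "property '/foo' is not defined in the schema",
          ],
        },
        { name: 'test-sast-2', errors: [] },
      ],
    },
  },
  dast: {
    vulnerabilitiesCount: 3,
    scans: { nodes: [{ name: 'dast', errors: [] }] },
  },
  dependencyScanning: null,
};

// Flatten every report type into the list of scans that reported at least one
// error. Null report types and malformed entries are skipped rather than thrown
// on, so a partially populated summary still renders.
function scansWithErrors(summary) {
  if (!summary) return [];
  return Object.entries(summary)
    .filter(([, report]) => report && report.scans && Array.isArray(report.scans.nodes))
    .flatMap(([reportType, report]) =>
      report.scans.nodes
        .filter((scan) => Array.isArray(scan.errors) && scan.errors.length > 0)
        .map((scan) => ({
          reportType,
          name: scan.name,
          errorCount: scan.errors.length,
          errors: [...scan.errors],
        })),
    );
}

// Drives the v-if on the alert placed above the scan details section.
function hasSchemaErrors(summary) {
  return scansWithErrors(summary).length > 0;
}

// Total shown in the alert body, summed over all failing scanners.
function totalErrorCount(summary) {
  return scansWithErrors(summary).reduce((sum, scan) => sum + scan.errorCount, 0);
}

// Header text for each GlAccordionItem: scanner name plus its error count.
function accordionHeader(scan) {
  const noun = scan.errorCount === 1 ? 'error' : 'errors';
  return `${scan.name} (${scan.errorCount} ${noun})`;
}

// Stand-alone run for the reader; the Vue component would bind these values instead.
for (const scan of scansWithErrors(sampleSummary)) {
  console.log(accordionHeader(scan));
  for (const message of scan.errors) console.log(`  - ${message}`);
}
```

Keeping the grouping in plain functions means the specs called for in the plan can assert on the derived list directly, without mounting the component.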
Note

The GraphQL query is currently behind a feature flag. To enable it, run:

```shell
echo "Feature.enable(:pipeline_security_dashboard_graphql)" | rails c
```
Verification steps
- Create a blank project on GitLab.com
- Add a `.gitlab-ci.yml` file with the following content:

```yaml
.test-sast:
  variables:
    VALIDATE_SCHEMA: "true"
  artifacts:
    reports:
      sast: "${CI_JOB_NAME}.json"
  script:
    - echo "$REPORT_CONTENT" > "${CI_JOB_NAME}.json"

test-sast-1:
  extends: .test-sast
  variables:
    REPORT_CONTENT: '{"foo": "BAR"}'

test-sast-2:
  extends: .test-sast
  variables:
    REPORT_CONTENT: '{"version": "14.0.0", "vulnerabilities": []}'

dast:
  script:
    - wget -O "${CI_JOB_NAME}.json" https://gitlab.com/gitlab-org/security-products/dast/-/raw/main/test/end-to-end/expect/test_baseline_api_scan.json
  artifacts:
    reports:
      dast: "${CI_JOB_NAME}.json"
```

- Verify that you can see the schema errors related to the `test-sast-1` build.