  • #321730
Closed
Open
Created Feb 16, 2021 by Lindsay Kerr@lkerrContributor6 of 12 tasks completed6/12 tasks

Enforce JSON schema validation for generic security report - FE

Why are we doing this work

Display error(s) to customers on the Pipeline Security Report when security report schema does not pass validation.

From @andyvolpe in this discussion:

For the MVC, add an alert outside of and above the scan details section of the security tab (/pipeline/00000000/security). Since the scan details can be expanded and collapsed, we'd risk the user missing the alert if we nested it with that information. I'll upload a quick mock into the design section of this issue.

Relevant links

Design mocks:

  • a_01-pipeline-schema-error.png (#284062)
  • a_02-pipeline-schema-error_multiple-in-one-job.png (#284062)

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Implementation plan

  • frontend
    • Update ee/app/assets/javascripts/security_dashboard/graphql/queries/pipeline_security_report_summary.query.graphql to include the name and errors fields for each scan (see the example query below)
    • Add logic to ee/app/assets/javascripts/security_dashboard/components/pipeline_security_dashboard.vue:
      • If there are any errors, display the alert
      • For each scanner with an error, add an expandable section (using GlAccordion and GlAccordionItem)
      • Add an error count to each section header
      • Show all errors within each section
    • Add specs

Example Query

{
  project(fullPath: $fullPath) {
    name
    pipeline(iid: $iid) {
      securityReportSummary {
        sast {
          vulnerabilitiesCount
          scans {
            nodes {
              name
              errors
            }
          }
        }
      }
    }
  }
}
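The following is an added example, not code from the GitLab repository, showing the data shaping the implementation plan asks of pipeline_security_dashboard.vue: take a securityReportSummary object in the shape of the example query above (scans.nodes[].{name, errors}), decide whether the alert should be shown, and produce one entry per failing scanner with the error count for the section header and the full error list for the section body. The sample payload, its error strings and the extra report types are constructed for illustration; the null report type is an assumption about what a type with no jobs may look like, so the code tolerates it.

```javascript
// Added example (not GitLab's own code). Pure functions so they can be
// used from a Vue computed property and unit-tested in specs without
// rendering GlAccordion / GlAccordionItem.

// Constructed sample response, following the example query's shape.
// The error messages are illustrative, not real validator output.
const SAMPLE_SUMMARY = {
  sast: {
    vulnerabilitiesCount: 0,
    scans: {
      nodes: [
        // Mirrors the issue's test-sast-1 job, whose report {"foo": "BAR"}
        // fails schema validation.
        {
          name: 'test-sast-1',
          errors: [
            'root is missing required keys: version, vulnerabilities', // constructed
            'property "/foo" is not defined in schema', // constructed
          ],
        },
        { name: 'test-sast-2', errors: [] },
      ],
    },
  },
  dast: {
    vulnerabilitiesCount: 3,
    scans: { nodes: [{ name: 'dast', errors: [] }] },
  },
  // Assumption: a report type with no jobs may come back as null.
  dependencyScanning: null,
};

// Flatten every report type into a list of scans whose report failed
// schema validation. Tolerates a null/undefined summary, null report
// types and missing scans/errors fields.
function scansWithErrors(summary) {
  const result = [];
  for (const [reportType, report] of Object.entries(summary ?? {})) {
    const nodes = report?.scans?.nodes ?? [];
    for (const scan of nodes) {
      const errors = Array.isArray(scan?.errors) ? scan.errors : [];
      if (errors.length > 0) {
        result.push({ reportType, name: scan.name, errors });
      }
    }
  }
  return result;
}

// The alert above the scan details is shown only when at least one scan
// reported errors.
function shouldShowAlert(summary) {
  return scansWithErrors(summary).length > 0;
}

// One entry per failing scanner: the header text (scanner name plus error
// count) and the errors listed inside the expanded accordion item.
function accordionItems(summary) {
  return scansWithErrors(summary).map(({ name, errors }) => ({
    header: `${name} (${errors.length} ${errors.length === 1 ? 'error' : 'errors'})`,
    errors,
  }));
}

// Stand-alone run: prints the accordion data for the constructed sample.
console.log(JSON.stringify(accordionItems(SAMPLE_SUMMARY), null, 2));
```

In the component, `shouldShowAlert` and `accordionItems` would be fed from the query result as computed properties; keeping them pure means the specs for "no errors", "one scanner with several errors" and "a null report type" can assert on plain arrays rather than on rendered markup.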

Note

The GraphQL query is currently behind a feature flag. To enable it, run

echo "Feature.enable(:pipeline_security_dashboard_graphql)" | rails c

Verification steps

  • Create blank project on GitLab.com

  • Add a .gitlab-ci.yml file with the following content:

    .test-sast:
      variables:
        VALIDATE_SCHEMA: "true"
      artifacts:
        reports:
          sast: "${CI_JOB_NAME}.json"
      script:
        - echo "$REPORT_CONTENT" > "${CI_JOB_NAME}.json"
    
    test-sast-1:
      extends: .test-sast
      variables:
        REPORT_CONTENT: '{"foo": "BAR"}'
    
    test-sast-2:
      extends: .test-sast
      variables:
        REPORT_CONTENT: '{"version": "14.0.0", "vulnerabilities": []}'
    
    dast:
      script:
        - wget -O "${CI_JOB_NAME}.json" https://gitlab.com/gitlab-org/security-products/dast/-/raw/main/test/end-to-end/expect/test_baseline_api_scan.json
      artifacts:
        reports:
          dast: "${CI_JOB_NAME}.json"
  • Verify that you can see the schema errors related to the test-sast-1 build.

Edited Jun 21, 2021 by Mehmet Emin INAC