Change Dependency Scanning QA to expect exit code when vulnerabilities are detected
Problem to solve
The Dependency Scanning jobs are changed so that they exit with a non-zero exit code when vulnerabilities are detected, but the integration tests that use the Secure test projects and the "QA jobs" currently don't check the exit code at all: a job that keeps exiting 0 on findings would still pass QA.
Proposal
Change the CI template used for the Dependency Scanning integration tests to capture and compare the exit code.
Here are two options:
- override the `script` of the scanning job to capture the exit code, pass it to the corresponding `qa-` job using artifacts, and compare it there to an expected value
- override the `script` of the scanning job to compare the exit code to the expected value, and fail if it doesn't match
The latter is easier to implement.
The tests should cover both the legacy behavior (exit code 0 when vulnerabilities are found) and the new one (non-zero exit code when vulnerabilities are found).
Additional tests are needed for the case where no vulnerabilities are found, to make sure that the job exits with exit code 0 in both modes; otherwise a test could not tell "non-zero because of findings" from "non-zero because the analyzer crashed".
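As an added example (not code from this issue or from GitLab's CI templates), the shape the second option could take: a POSIX shell helper that runs the analyzer command, captures its exit code without letting `set -e` abort the job first, and fails when the code does not match what the QA job expects. `run_and_check`, `fake_analyzer`, `run_scenarios` and the `DS_EXPECTED_EXIT_CODE` variable are all invented here; the fake analyzer only reproduces the exit-code behavior described above (legacy: always 0; new: non-zero on findings), and its use of `1` as the non-zero value is an assumption.

```shell
#!/bin/sh
# Added example, not code from the issue or from GitLab's CI templates.
# Assumed names: run_and_check, fake_analyzer, run_scenarios, DS_EXPECTED_EXIT_CODE.

# run_and_check EXPECTED COMMAND...
# EXPECTED is an integer (exact match) or the word "nonzero".
# Runs COMMAND, captures its exit code (the && / || pattern keeps `set -e`
# from aborting the job before the comparison), and returns 0 only on a match.
run_and_check() {
    expected="$1"
    shift
    "$@" && actual=0 || actual=$?
    if [ "$expected" = nonzero ]; then
        [ "$actual" -ne 0 ] && match=1 || match=0
    else
        [ "$actual" -eq "$expected" ] && match=1 || match=0
    fi
    if [ "$match" -eq 1 ]; then
        echo "OK: exit code $actual matches expected '$expected'"
        return 0
    fi
    echo "FAIL: exit code $actual, expected '$expected'" >&2
    return 1
}

# fake_analyzer MODE VULN_COUNT
# Constructed stand-in for the Dependency Scanning analyzer. MODE is "legacy"
# (always exit 0) or "new" (exit 1 when VULN_COUNT > 0). The exact non-zero
# value is an assumption; the issue only says "non-zero".
fake_analyzer() {
    mode="$1"
    vulns="$2"
    echo "analyzer($mode): $vulns vulnerabilities found"
    if [ "$mode" = new ] && [ "$vulns" -gt 0 ]; then
        return 1
    fi
    return 0
}

# run_scenarios: the four cases the issue asks the QA jobs to cover.
# Returns 0 when every case passes, 1 on the first mismatch.
run_scenarios() {
    run_and_check 0       fake_analyzer legacy 3 || return 1  # legacy, findings
    run_and_check 0       fake_analyzer legacy 0 || return 1  # legacy, clean
    run_and_check nonzero fake_analyzer new    3 || return 1  # new, findings
    run_and_check 0       fake_analyzer new    0 || return 1  # new, clean
    return 0
}

# In a real QA job the overridden `script` would set DS_EXPECTED_EXIT_CODE
# (assumed name) per test project and end with a call like:
#   run_and_check "${DS_EXPECTED_EXIT_CODE:-0}" <analyzer command>
```

The `nonzero` keyword exists because the issue only specifies "non-zero" for the new behavior; once the analyzers settle on a specific code, the expected value can be pinned to it so that a crash (a different non-zero code) is no longer mistaken for a findings-driven failure.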
Other links/references
Edited by Fabien Catteau