Use GraphQL API to fetch reports in job integration tests for Dependency Scanning
Summary
Change Dependency Scanning QA pipelines (job integration tests) in order to fetch security reports to be tested using GitLab GraphQL API.
Right now, the `artifacts` param of the scanning jobs is overridden when running the tests, in order to expose the reports as CI artifacts, so that they can be checked by the test jobs.
Further details
Job integration tests for Dependency Scanning (DS) are two-stage pipelines:
- The `test` stage runs the DS scanning jobs.
- The `qa` stage runs jobs that check the reports created by the scanning jobs.
Right now, scanning jobs pass their reports to the test jobs using CI artifacts. To do so, the DS QA CI template overrides the `dependency_scanning` job (base job of all DS jobs) in order to expose the security reports as CI artifacts. However, this is intrusive, and it increases the distance between the job definition being tested and the one being used in production.
It's not possible to download the security reports using the Job artifacts REST API, but it's possible using the GraphQL API and the CiJobArtifact resource. See #251015 (closed) and !48207 (merged) for initial implementation.
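As an added illustration of the approach described above (not code from the integration-test project), the following Ruby script queries the GraphQL API for the artifacts of every job in a pipeline, picks the `DEPENDENCY_SCANNING` artifact of each scanning job from the `CiJobArtifact` nodes, and downloads it by its `downloadPath`. The field names follow GitLab's GraphQL schema; the function names, the variable names in the query, the sample project path and the constructed sample response are assumptions made for the example.

```ruby
require 'json'
require 'net/http'
require 'uri'

# GraphQL query listing the artifacts of every job in one pipeline.
# Field names follow GitLab's GraphQL schema (Project.pipeline, CiJob.artifacts,
# CiJobArtifact.name / fileType / downloadPath); the variable names are ours.
ARTIFACTS_QUERY = <<~GRAPHQL
  query($projectPath: ID!, $pipelineIid: ID!) {
    project(fullPath: $projectPath) {
      pipeline(iid: $pipelineIid) {
        jobs {
          nodes {
            name
            artifacts {
              nodes { name fileType downloadPath }
            }
          }
        }
      }
    }
  }
GRAPHQL

# Build the JSON body for POST /api/graphql.
def graphql_body(project_path, pipeline_iid)
  { query: ARTIFACTS_QUERY,
    variables: { projectPath: project_path, pipelineIid: pipeline_iid.to_s } }.to_json
end

# Map each job name to the download path of its artifact of the requested
# file type. Jobs without such an artifact are skipped; a missing project or
# pipeline (null in the response) yields an empty hash instead of raising.
def report_paths(response, file_type: 'DEPENDENCY_SCANNING')
  pipeline = response.dig('data', 'project', 'pipeline')
  return {} if pipeline.nil?

  pipeline.dig('jobs', 'nodes').each_with_object({}) do |job, paths|
    artifact = job.dig('artifacts', 'nodes').find { |a| a['fileType'] == file_type }
    paths[job['name']] = artifact['downloadPath'] if artifact
  end
end

# Run the query against a GitLab instance (needs network; not exercised offline).
def fetch_artifacts(gitlab_url, token, project_path, pipeline_iid)
  uri = URI.join(gitlab_url, '/api/graphql')
  req = Net::HTTP::Post.new(uri, 'Content-Type' => 'application/json',
                                 'PRIVATE-TOKEN' => token)
  req.body = graphql_body(project_path, pipeline_iid)
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |h| h.request(req) }
  JSON.parse(res.body)
end

# Download one report; downloadPath is relative to the GitLab host.
def download_report(gitlab_url, token, download_path)
  uri = URI.join(gitlab_url, download_path)
  req = Net::HTTP::Get.new(uri, 'PRIVATE-TOKEN' => token)
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |h| h.request(req) }
  JSON.parse(res.body)
end

# Constructed sample response, shaped like the reply to ARTIFACTS_QUERY.
SAMPLE_RESPONSE = {
  'data' => { 'project' => { 'pipeline' => { 'jobs' => { 'nodes' => [
    { 'name' => 'gemnasium-dependency_scanning',
      'artifacts' => { 'nodes' => [
        { 'name' => 'gl-dependency-scanning-report.json', 'fileType' => 'DEPENDENCY_SCANNING',
          'downloadPath' => '/example/project/-/jobs/101/artifacts/download?file_type=dependency_scanning' },
        { 'name' => 'trace', 'fileType' => 'TRACE',
          'downloadPath' => '/example/project/-/jobs/101/artifacts/download?file_type=trace' }
      ] } },
    { 'name' => 'build', 'artifacts' => { 'nodes' => [] } }
  ] } } } }
}

if __FILE__ == $PROGRAM_NAME
  # Offline run on the constructed sample; a real run would call
  # fetch_artifacts(ENV['CI_SERVER_URL'], ENV['GITLAB_TOKEN'], 'example/project', 42)
  # and then download_report for each path returned by report_paths.
  puts report_paths(SAMPLE_RESPONSE)
end
```

A `qa` job would call `fetch_artifacts` with the pipeline IID of the preceding `test` stage, then `download_report` for each path returned by `report_paths`, leaving the `artifacts` param of the scanning jobs untouched.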
Improvements
- This reduces the distance between the job definition being tested and the one being used in production.
- This makes it possible to check the artifacts created by the scanning jobs. See #341215 for use case.
Risks
This increases the complexity of the `qa` jobs since they become responsible for fetching the security reports, using GitLab GraphQL API.
Involved components
The change is to be implemented in qa-dependency_scanning.yml but it might also impact:
- the CI configurations of the analyzer projects
- the integration-test project; this project contains the `scripts` executed by the `qa` jobs
Optional: Intended side effects
Optional: Missing test coverage
None