Add job integration test to ensure that CycloneDX documents are uploaded as CI artifacts
Problem to solve
Now that gemnasium outputs CycloneDX reports, we need to add a job integration test to ensure that CycloneDX documents are uploaded as CI artifacts, as implemented in the MR "Add CycloneDX reports to DS template", which uploads CycloneDX documents as CI artifacts.
See this discussion for more details, and this MR for a starting point.
Proposal
Here are a few different approaches we can use:
- Update the `script` section of the `qa-dependency_scanning` job to look for the presence of a new variable which is passed from `gemnasium`, `gemnasium-maven` and `gemnasium-python` and contains a list of expected CycloneDX artifact paths. The `qa-dependency_scanning` job will then check to make sure these artifact files exist. See this discussion for more details.
- Wait until Draft: Test Graph testing has been merged, then add a check to integration-test/scripts/dependency-scanning-qa.rb for the presence of these CycloneDX files, using a similar technique to this.
We need to decide which of the above is the best approach and then create an implementation plan.
Implementation plan
We've decided to implement option 1 from the Proposal listed above:
- Update the `script` section of the `qa-dependency_scanning` job to look for the presence of a new variable which is passed from `gemnasium`, `gemnasium-maven` and `gemnasium-python` and contains a list of expected CycloneDX artifact paths. The `qa-dependency_scanning` job will then check to make sure these artifact files exist. This new variable should be named `EXPECTED_CYCLONEDX_ARTIFACTS` and contains a comma-separated list of artifact paths to check. Add test for CycloneDX artifacts (gitlab-org/security-products/ci-templates!282 - merged)
- Add job integration tests which pass `EXPECTED_CYCLONEDX_ARTIFACTS` in the following projects:
  - gemnasium
  - gemnasium-maven
  - gemnasium-python
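As an added illustration of the check described in option 1 (example code written for this issue, not the ci-templates project's own `script` section), the following POSIX shell function splits `EXPECTED_CYCLONEDX_ARTIFACTS` on commas and fails when any listed path is missing or empty. It assumes the analyzer job exports the variable with paths relative to the job's working directory; the file names in the demo are constructed placeholders.

```shell
#!/bin/sh
# check_expected_artifacts LIST BASE_DIR
# Returns 0 when every comma-separated path in LIST exists as a non-empty
# regular file under BASE_DIR (default: current directory); otherwise prints
# each missing path and returns 1. An empty LIST is treated as a failure so
# that an analyzer job which forgot to pass the variable cannot pass silently.
check_expected_artifacts() {
  list=$1
  base=${2:-.}
  if [ -z "$list" ]; then
    echo "EXPECTED_CYCLONEDX_ARTIFACTS is empty; nothing to verify" >&2
    return 1
  fi
  missing=0
  old_ifs=$IFS
  IFS=','
  for path in $list; do
    # Tolerate whitespace around the commas and skip empty entries.
    path=$(printf '%s' "$path" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    [ -z "$path" ] && continue
    if [ -f "$base/$path" ] && [ -s "$base/$path" ]; then
      echo "found CycloneDX artifact: $path"
    else
      echo "missing or empty CycloneDX artifact: $path" >&2
      missing=$((missing + 1))
    fi
  done
  IFS=$old_ifs
  [ "$missing" -eq 0 ]
}

# Stand-alone demonstration with a constructed CycloneDX file (placeholder
# name, not a real analyzer output).
demo() {
  dir=$(mktemp -d)
  printf '{"bomFormat":"CycloneDX"}' > "$dir/example.cdx.json"
  check_expected_artifacts "example.cdx.json" "$dir" && echo "demo: ok"
  rm -rf "$dir"
}

demo
```

In the job, the call would be `check_expected_artifacts "$EXPECTED_CYCLONEDX_ARTIFACTS"`, so a missing artifact fails the `qa-dependency_scanning` job with the offending path in the log.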