Add support for Security Report Schema 15-0-0 to Gemnasium

Proposal

Update Gemnasium so that it can generate reports that validate against the Security Report Schema 15-0-0 when it's configured to do so. To maintain backward compatibility, it can still generate reports that validate against 14-0-4, and this is what it does by default.

A new CI variable is introduced to select the MODEL of the Security Report Schema, i.e. to choose between 14 and 15. The variable defaults to 14. A warning is raised when the selected version isn't supported.

TBD: Name of the new CI variable.

Further details

Gemnasium uses the report library to generate reports. Today, it generates reports in version 14-0-4. See https://gitlab.com/gitlab-org/security-products/analyzers/report/-/blob/v3.12.2/version.go#L16

#368140 (closed) updates the report library so that it can also generate reports in version 15-0-0 without losing the ability to generate reports in version 14-0-4.

To generate a report in version 15-0-0, the following struct fields should not be set:

  • Vulnerability.Scanner
  • Vulnerability.Category
  • Vulnerability.CompareKey
  • Ref.CompareKey

Also, Report.Version must be set explicitly when the analyzer generates a version of the report format that's not the default. For instance, if 14.0.4 is still the default, then Report.Version must be set by the analyzer when the requested MODEL is 15.

Availability & Testing

Add image specs to check that, when the variable that controls the MODEL is set to 15:

  • The version field of the reports is set to 15.0.0.
  • The reports validate the Security Report Schema 15-0-0.

The existing job integration tests prove that the Gemnasium analyzer uses model 14 by default.

Implementation plan

Update the gemnasium project:

  • Upgrade to the version of report that supports both models of the schema. See #368140 (closed)
    • The convert package needs to be changed because Vulnerability.Scanner becomes a pointer.
  • Add a CLI flag that controls the MODEL of the Security Report Schemas.
    • Add a Flags function to convert.
    • Add a CLI flag that controls the MODEL.
    • Call convert.Flags() when setting up the flags of the run command. This needs to be done in the main package of all three analyzers: gemnasium, gemnasium-maven, and gemnasium-python.
    • Raise a warning when the selected MODEL isn't supported.
    • Don't set the following fields of Vulnerability when the requested MODEL is 15: Confidence, Scanner, and CompareKey.
    • Set Report.Version when the requested MODEL doesn't match the default value.
  • Add image specs for when the model is 15.
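As an added illustration of the rules in "Further details" and the implementation plan above (this is example code written for this page, not the gemnasium project's or the report library's own code): a small Go program in which a `-schema-model` flag selects the model, an unsupported value falls back to 14 with a warning, the fields that schema 15 no longer carries are left unset (with `Scanner` a pointer so that `omitempty` drops it from the JSON), and `Report.Version` is set only when the requested model is not the default. The struct layout, JSON key names, flag name, and the `Flags`, `ResolveModel`, `BuildReport` and `Encode` functions are all assumptions made for the example; the real library's types differ, and its filling-in of the default version is only emulated here inside `Encode`.

```go
package main

import (
	"bytes"
	"encoding/json"
	"flag"
	"fmt"
	"os"
)

// Schema models this example knows about (assumed values for the example).
const (
	DefaultModel = 14
	ModelV15     = 15
)

// supportedModels maps a MODEL to the full schema version written into the report.
var supportedModels = map[int]string{14: "14.0.4", 15: "15.0.0"}

// Scanner is a pointer in Vulnerability so that an unset scanner is omitted
// from the JSON (the reason the convert package has to change).
type Scanner struct {
	ID   string `json:"id"`
	Name string `json:"name"`
}

// Vulnerability keeps only the fields needed to show the model-dependent ones;
// key names are assumptions for this example.
type Vulnerability struct {
	ID         string   `json:"id"`
	Name       string   `json:"name"`
	Category   string   `json:"category,omitempty"`
	Scanner    *Scanner `json:"scanner,omitempty"`
	CompareKey string   `json:"compare_key,omitempty"`
}

// Report is the top-level document; Version is left empty when the library
// is expected to fill in its default.
type Report struct {
	Version         string          `json:"version,omitempty"`
	Vulnerabilities []Vulnerability `json:"vulnerabilities"`
}

// Finding is the analyzer's internal result before conversion (constructed type).
type Finding struct{ ID, Name string }

// SampleFindings returns constructed input so the example runs offline.
func SampleFindings() []Finding {
	return []Finding{{ID: "finding-1", Name: "example vulnerable dependency (constructed)"}}
}

// Flags registers the model flag on the run command's flag set, mirroring the
// planned convert.Flags() (hypothetical signature).
func Flags(fs *flag.FlagSet) *int {
	return fs.Int("schema-model", DefaultModel, "MODEL of the Security Report Schema to generate (14 or 15)")
}

// ResolveModel validates the requested MODEL; unsupported values fall back to
// the default and produce a warning message for the caller to log.
func ResolveModel(requested int) (int, string) {
	if _, ok := supportedModels[requested]; ok {
		return requested, ""
	}
	return DefaultModel, fmt.Sprintf("schema model %d is not supported; falling back to %d", requested, DefaultModel)
}

// BuildReport converts findings for the selected MODEL: fields dropped by
// schema 15 are only populated for 14, and Version is set only when the model
// is not the default (the library supplies the default version otherwise).
func BuildReport(model int, findings []Finding) Report {
	r := Report{}
	if model != DefaultModel {
		r.Version = supportedModels[model]
	}
	for _, f := range findings {
		v := Vulnerability{ID: f.ID, Name: f.Name}
		if model < ModelV15 {
			v.Category = "dependency_scanning"
			v.Scanner = &Scanner{ID: "gemnasium", Name: "Gemnasium"}
			v.CompareKey = f.ID
		}
		r.Vulnerabilities = append(r.Vulnerabilities, v)
	}
	return r
}

// Encode emulates the library's behaviour of filling in the default version
// when the analyzer did not set one, then serialises the report.
func Encode(r Report) ([]byte, error) {
	if r.Version == "" {
		r.Version = supportedModels[DefaultModel]
	}
	return json.MarshalIndent(r, "", "  ")
}

// ContainsText reports whether the encoded document contains s (test helper).
func ContainsText(encoded []byte, s string) bool { return bytes.Contains(encoded, []byte(s)) }

func main() {
	fs := flag.NewFlagSet("run", flag.ExitOnError)
	model := Flags(fs)
	_ = fs.Parse(os.Args[1:])
	selected, warning := ResolveModel(*model)
	if warning != "" {
		fmt.Fprintln(os.Stderr, "warning:", warning)
	}
	out, err := Encode(BuildReport(selected, SampleFindings()))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(string(out))
}
```

Running it with `-schema-model 15` prints a report whose `version` is `15.0.0` and whose vulnerability has no `category`, `scanner` or `compare_key` keys; with no flag (or an unsupported value, plus a warning on stderr) the output carries `14.0.4` and all three keys. An image spec for the analyzer would make the same two checks against the real report and then validate it against the corresponding schema file.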
Edited by Fabien Catteau