Add support for Security Report Schema 15-0-0 to Gemnasium
Proposal
Update Gemnasium so that it can generate reports that validate against the Security Report Schema 15-0-0 when it's configured to do so.
To maintain backward compatibility, it can still generate reports that validate against 14-0-4, and this is what it does by default.
A new CI variable is introduced so that we can select the MODEL of the Security Report Schema: 14 or 15. The variable defaults to 14.
A warning is raised when the selected version isn't supported.
TBD: Name of the new CI variable.
Further details
Gemnasium uses the report library to generate reports. Today, it generates reports in version 14-0-4. See https://gitlab.com/gitlab-org/security-products/analyzers/report/-/blob/v3.12.2/version.go#L16
#368140 (closed) updates the report library so that it can also generate reports in version 15-0-0 without losing the ability to generate reports in version 14-0-4.
To generate a report in version 15-0-0, the following struct fields should not be set:
- Vulnerability.Scanner
- Vulnerability.Category
- Vulnerability.CompareKey
- Ref.CompareKey
Also, Report.Version must be set explicitly when the analyzer generates a version of the report format that's not the default. For instance, if 14.0.4 is still the default, then Report.Version must be set in the analyzer when the requested MODEL is 15.
Availability & Testing
Add image specs to check that when the variable that controls the MODEL is set to 15:
- The version field of the reports is set to 15.0.0.
- The reports validate against the Security Report Schema 15-0-0.
The existing job integration tests prove that the Gemnasium analyzer uses MODEL 14 by default.
Implementation plan
Update the gemnasium project:
- Upgrade to the version of report that supports both models of the schema. See #368140 (closed)
- Change the convert package because Vulnerability.Scanner becomes a pointer.
- Add a CLI flag that controls the MODEL of the Security Report Schema:
  - Add a Flags function to convert that registers the CLI flag controlling the MODEL.
  - Call convert.Flags() when setting up the flags of the run command. This needs to be done in the main package of all three analyzers: gemnasium, gemnasium-maven, and gemnasium-python.
  - Raise a warning when the selected MODEL isn't supported.
- Don't set the following fields of Vulnerability when the requested MODEL is 15: Confidence, Scanner, and CompareKey.
- Set Report.Version when the requested MODEL doesn't match the default value.
- Add image specs for when the MODEL is 15.
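As an added illustration of the rules in "Further details" and of the implementation plan above (this is example code written for this page, not code from the gemnasium project or the report library): a Go stand-in with hypothetical types that model only the fields named here (Vulnerability.Scanner as a pointer, Category, CompareKey, Ref.CompareKey, Report.Version), a Flags function built on the standard flag package (the flag name schema-model is a placeholder, since the real flag and CI variable names are TBD), a warning plus fallback when the requested MODEL isn't supported, and a Convert that leaves the removed fields unset for MODEL 15 and sets Report.Version only when the MODEL isn't the default. The Finalize method, which fills in the default version the way the library is assumed to, and the sample finding are constructed for the example.

```go
package main

import (
	"encoding/json"
	"flag"
	"fmt"
	"log"
	"os"
)

// Models of the Security Report Schema the analyzer can emit, keyed by the
// major version that the new CLI flag / CI variable selects.
const (
	DefaultModel = 14
	Version14    = "14.0.4"
	Version15    = "15.0.0"
	// ModelFlag is a hypothetical name; the issue leaves the real name TBD.
	ModelFlag = "schema-model"
)

var supportedModels = map[int]string{14: Version14, 15: Version15}

// Hypothetical stand-ins for the report library's structs; only the fields
// discussed in the issue are modelled.
type Scanner struct {
	ID   string `json:"id"`
	Name string `json:"name"`
}

type Ref struct {
	URL        string `json:"url"`
	CompareKey string `json:"compare_key,omitempty"`
}

type Vulnerability struct {
	ID         string   `json:"id"`
	Name       string   `json:"name"`
	Category   string   `json:"category,omitempty"`
	CompareKey string   `json:"compare_key,omitempty"`
	Scanner    *Scanner `json:"scanner,omitempty"` // pointer: nil means "not set"
	Links      []Ref    `json:"links,omitempty"`
}

type Report struct {
	Version         string          `json:"version"`
	Vulnerabilities []Vulnerability `json:"vulnerabilities"`
}

// Finding is a constructed stand-in for a raw scanner result before conversion.
type Finding struct {
	ID, Name, URL string
}

// Flags registers the MODEL flag on the run command's flag set, in the spirit
// of the convert.Flags() function proposed in the issue.
func Flags(fs *flag.FlagSet) *int {
	return fs.Int(ModelFlag, DefaultModel, "MODEL (major version) of the Security Report Schema to emit: 14 or 15")
}

// ResolveModel warns and falls back to the default when the requested MODEL
// isn't supported, so the analyzer never emits a report it can't validate.
func ResolveModel(requested int, warn func(string)) int {
	if _, ok := supportedModels[requested]; ok {
		return requested
	}
	warn(fmt.Sprintf("unsupported Security Report Schema MODEL %d; using %d", requested, DefaultModel))
	return DefaultModel
}

// Convert builds a report for the given MODEL. For MODEL 15 the fields removed
// from the schema (Vulnerability.Scanner, .Category, .CompareKey, Ref.CompareKey)
// stay unset, and Report.Version is set only when the MODEL isn't the default.
func Convert(findings []Finding, model int, scanner Scanner) Report {
	r := Report{}
	if model != DefaultModel {
		r.Version = supportedModels[model]
	}
	for _, f := range findings {
		v := Vulnerability{ID: f.ID, Name: f.Name, Links: []Ref{{URL: f.URL}}}
		if model < 15 {
			s := scanner // copy so each vulnerability owns its pointer target
			v.Scanner = &s
			v.Category = "dependency_scanning"
			v.CompareKey = f.ID + ":" + f.Name
			v.Links[0].CompareKey = f.URL
		}
		r.Vulnerabilities = append(r.Vulnerabilities, v)
	}
	return r
}

// Finalize mimics the library filling in the default version when the analyzer
// left Report.Version unset (assumed behaviour, constructed for this example).
func (r *Report) Finalize() {
	if r.Version == "" {
		r.Version = supportedModels[DefaultModel]
	}
}

func main() {
	fs := flag.NewFlagSet("run", flag.ExitOnError)
	model := Flags(fs)
	_ = fs.Parse(os.Args[1:])
	m := ResolveModel(*model, func(msg string) { log.Println("WARN:", msg) })
	sample := []Finding{{ID: "finding-1", Name: "example", URL: "https://example.invalid/advisory"}} // constructed input
	r := Convert(sample, m, Scanner{ID: "gemnasium", Name: "Gemnasium"})
	r.Finalize()
	out, _ := json.MarshalIndent(r, "", "  ")
	fmt.Println(string(out))
}
```

Run it as `go run . -schema-model 15` to see a report with version 15.0.0 and no scanner or compare_key keys, `-schema-model 16` to see the warning and the fallback to 14, and with no flag to see the default 14.0.4 output. Keeping the removed fields as omitempty (and Scanner as a pointer) is what lets "not set" translate into "absent from the JSON", which is what schema validation checks.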