Change Dependency Scanning to Security Report 15-0-0
Proposal
Update the Dependency Scanning CI template and set the variable introduced in #368147 (closed) so that Dependency Scanning jobs generate reports that validate against version 15-0-0 of the Security Report Schemas. See gitlab-org/security-products/analyzers/gemnasium!363.
Availability & Testing
Because the CI template changes, the job integration tests using the Secure test projects generate reports in version 15-0-0. The expected reports need to be updated. Alternatively, DS_REPORT_URL is changed in the CI config of the test projects so that they point to the reports in version 15-0-0.
Gemnasium v3 defaults to generating reports using model 14 of the schema, so previous versions of GitLab are not impacted by this change.
Implementation plan
This plan allows us to move forward and enable schema v15 by default in the CI template without having to update all expectation files, which will be done later. See #368148 (comment 1273396672)
- Update the Gemnasium project to test DS_SCHEMA_MODEL
  - Add new image specs for when DS_SCHEMA_MODEL is set to 15, and when it's set to 14.
  - Also set DS_SCHEMA_MODEL to 14 in the triggers that run job integration tests, in the CI configs.
- Add DS_SCHEMA_MODEL=14 to job integration tests triggered from the Secure Test Project Orchestrator.
- Update the Dependency Scanning CI template and set DS_SCHEMA_MODEL to 15. https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.latest.gitlab-ci.yml#L11
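The plan above relies on every spec and integration test knowing which schema model a report was produced for: 15 when DS_SCHEMA_MODEL is set to 15, 14 when it is set to 14 or left unset. The following is an added example, not code from Gemnasium or the GitLab CI templates; it is a hypothetical helper that reads the requested model from the environment and compares it with the major version in a report's top-level "version" field, which it assumes is a dotted string such as "15.0.0". The two sample reports are constructed inline.

```python
"""Check that a Dependency Scanning report was generated for the schema model
the pipeline asked for via DS_SCHEMA_MODEL, defaulting to model 14 when unset.

Hypothetical helper (not part of Gemnasium or the GitLab CI templates). It
assumes the report's top-level "version" field carries the schema version as a
dotted string such as "15.0.0".
"""
import json
import os

# Analyzers default to model 14 of the JSON schemas when DS_SCHEMA_MODEL is unset.
DEFAULT_SCHEMA_MODEL = "14"


def expected_schema_model(env=None):
    """Return the schema major version the pipeline requested (as a string)."""
    env = os.environ if env is None else env
    value = env.get("DS_SCHEMA_MODEL", "").strip()
    return value or DEFAULT_SCHEMA_MODEL


def report_schema_model(report_text):
    """Extract the major schema version from a report's 'version' field."""
    report = json.loads(report_text)
    version = report.get("version")
    if not isinstance(version, str) or not version:
        raise ValueError("report has no usable 'version' field")
    return version.split(".")[0]


def report_matches_model(report_text, env=None):
    """True when the report's schema major version equals the requested model."""
    return report_schema_model(report_text) == expected_schema_model(env)


# Constructed sample reports, trimmed to the fields this check needs.
REPORT_V15 = json.dumps({"version": "15.0.0", "vulnerabilities": [], "dependency_files": []})
REPORT_V14 = json.dumps({"version": "14.1.2", "vulnerabilities": [], "dependency_files": []})

if __name__ == "__main__":
    # Exercise the three cases the specs cover: unset, 15 and 14.
    for name, report in (("v15 report", REPORT_V15), ("v14 report", REPORT_V14)):
        for env in ({}, {"DS_SCHEMA_MODEL": "15"}, {"DS_SCHEMA_MODEL": "14"}):
            print(name, env or "(DS_SCHEMA_MODEL unset)", report_matches_model(report, env))
```

Run as a gate in the job that compares generated reports against the expected files: a mismatch here means the expectation file and the model the job was triggered with have drifted apart, which is exactly the window the note at the end of this issue warns about.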
Previous proposal
- Update the Gemnasium project to test schema version 15-0-0 by default.
  - Set DS_SCHEMA_MODEL to 15 in image specs.
  - Also set DS_SCHEMA_MODEL to 15 in the triggers that run job integration tests, in the CI configs.
  - Update the existing expected reports accordingly.
  - Add new specs for when DS_SCHEMA_MODEL is set to 14, and when it's not set. (The analyzers default to model 14 of the JSON schemas.)
- Update the Dependency Scanning CI template and set DS_SCHEMA_MODEL to 15. https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.latest.gitlab-ci.yml#L11
- Revert the changes to the CI config once the new CI template has been deployed on production; we no longer need to force DS_SCHEMA_MODEL in the downstream pipelines using test projects.
NOTE: The Secure Test Project Orchestrator might report failures from the moment the default expected exports are updated, to the moment when the new CI templates are deployed.