Fix Broken Master Branch in Gemnasium

Description

The master branch of Gemnasium is currently broken due to two main issues: the absence of curl in the FIPS image, and a 403 error causing the danger-review job to fail. A third failure, in the upsert git tag job, is tracked here as well. These issues need to be addressed to restore the master branch pipeline.

Problem

  1. The Gemnasium pipeline has been failing since the change to base the final image on UBI-Micro was merged, because the FIPS image no longer contains curl. This causes the test-custom-ca-bundle FIPS downstream test to fail.

    Error log:

    wget/curl not found, attempting to install 'wget'..
    /check-cert.sh: line 40: wget: command not found
    installation for this OS variant is not implemented. Variant info: 
    NAME="Red Hat Enterprise Linux"
  2. The danger-review job is failing with a 403 error, most likely caused by an expired token.

    Job log: https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/jobs/6848548318

  3. The upsert git tag job is failing with the following error:

    You are not allowed to create this tag as it is protected

Solution

  1. Install curl in FIPS Docker Image:

    • Modify the Dockerfile for the FIPS image to include curl.
    • Verify that the test-custom-ca-bundle FIPS downstream test passes with the updated image.
  2. Resolve danger-review 403 Error:

    • Investigate the cause of the 403 error in the danger-review job.
    • Update the token or adjust the job configuration to resolve the 403 error.

Implementation Plan

  1. Modify FIPS Docker Image:

    • Update the Dockerfile to install curl in the FIPS image.
    • Create a Merge Request with these changes.
    • Ensure the test-custom-ca-bundle FIPS downstream test passes.

    Merge request: Install curl in gemnasium-python fips image (gitlab-org/security-products/analyzers/gemnasium!740, merged), by Vasant Tokale

  2. Fix danger-review Job:

    • Investigate the 403 error in the danger-review job.
    • Update the token or adjust the job configuration as needed.
    • Verify that the danger-review job completes successfully.

    Job log: https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/jobs/6849637297

  3. Fix upsert git tag job:

    This is broken due to a permission issue, as described here.

    We now have a dedicated service account which is used for automating the release process in gemnasium and other secure analyzers, as explained here.
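    One way to carry out step 1 of the plan, as an added example and not the project's actual Dockerfile: UBI Micro ships no package manager, so curl has to be installed into a staging root in a full UBI builder stage and copied across. The image tags, the UBI release number and the /mnt/rootfs path are assumptions.

```dockerfile
# Stage 1: a full UBI image that has dnf. Install curl and its
# dependencies into a separate root so only that tree is copied on.
FROM registry.access.redhat.com/ubi9/ubi:latest AS curl-installer

RUN mkdir -p /mnt/rootfs \
 && dnf install -y \
        --installroot /mnt/rootfs \
        --releasever 9 \
        --setopt install_weak_deps=false \
        --nodocs \
        curl \
 && dnf --installroot /mnt/rootfs clean all \
 && rm -rf /mnt/rootfs/var/cache/* \
           /mnt/rootfs/var/log/dnf* \
           /mnt/rootfs/var/log/yum.*

# Stage 2: the minimal runtime image. UBI Micro has no dnf, yum or
# microdnf, so a plain "RUN dnf install curl" here would fail the same
# way the downstream test fails with "wget: command not found".
FROM registry.access.redhat.com/ubi9/ubi-micro:latest

COPY --from=curl-installer /mnt/rootfs/ /

# Fail the image build early if curl did not land in the final layer,
# instead of discovering it in the test-custom-ca-bundle downstream job.
RUN ["curl", "--version"]
```

    Taking curl from the UBI repositories rather than a static build keeps it linked against the system OpenSSL, which is the library that honours FIPS mode in the image.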

Tasks

  • Update the FIPS Dockerfile to include curl.
  • Create MR with the updated Dockerfile.
  • Ensure the test-custom-ca-bundle FIPS downstream test passes.
  • Investigate the 403 error in the danger-review job.
  • Update the token or job configuration to fix the 403 error.
  • Verify that the danger-review job completes successfully.
  • Merge changes and verify the master pipeline passes.

Workaround

  • If releasing a new version of Gemnasium, manually create a release that matches the latest version in the changelog.
    1. Go to Releases -> New Release.
    2. For the tag name, create a new tag. For example, if the latest version in the changelog is v5.1.2, use v5.1.2 as the new tag.
    3. Copy the changelog notes to the release notes, and submit by clicking on Create release.
Edited by Adam Cohen