Report version bump to 15.1.0 breaks compatibility with GitLab 16.x
Summary
Report version bump to 15.1.0 breaks compatibility with GitLab 16.x
Steps to reproduce
1. Install GitLab 16.x
2. Configure NodeJS scan
What is the current bug behavior?
Report cannot be parsed:
Error parsing security reports
The following security reports contain one or more vulnerability findings that could not be parsed and were not recorded. To investigate a report, download the artifacts in the job output. Ensure the security report conforms to the relevant JSON schema.
nodejs-scan-sast (1)
[Schema] Version 15.1.0 for report type sast is unsupported, supported versions for this report type are: 15.0.0, 15.0.1, 15.0.2, 15.0.4, 15.0.5, 15.0.6, 15.0.7. GitLab will attempt to validate this report against the earliest supported versions of this report type, to show all the errors but will not ingest the report
What is the expected correct behavior?
The report should be parsed and ingested.
Possible fixes
Workaround
Pin the scanner version to 4.1.11:

```yaml
nodejs-scan-sast:
  variables:
    SAST_ANALYZER_IMAGE_TAG: "4.1.11"
```
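A pre-check for the mismatch this issue describes, added here as an example and not part of the issue or of GitLab's analyzers: it reads a gl-sast-report.json, compares its top-level `version` with the supported list from the error message above, and fails before the pipeline uploads a report the instance will refuse. The function names and the sample report are constructed for the example.

```python
import json
import sys

# Supported sast report versions on a GitLab 16.x instance, copied from the
# schema error quoted in this issue.
SUPPORTED_SAST_VERSIONS = frozenset(
    {"15.0.0", "15.0.1", "15.0.2", "15.0.4", "15.0.5", "15.0.6", "15.0.7"}
)


def parse_version(version):
    """Turn 'major.minor.patch' into an int tuple; reject anything else."""
    parts = version.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed report version: {version!r}")
    return tuple(int(p) for p in parts)


def check_report_version(report_text, supported=SUPPORTED_SAST_VERSIONS):
    """Return (ok, message) for the raw text of a gl-sast-report.json; ok is
    True only when the top-level "version" is one the instance will ingest."""
    try:
        report = json.loads(report_text)
    except json.JSONDecodeError as exc:
        return False, f"report is not valid JSON: {exc.msg}"
    version = report.get("version") if isinstance(report, dict) else None
    if not isinstance(version, str):
        return False, 'report has no string "version" field'
    if version in supported:
        return True, f"version {version} is supported"
    try:
        found = parse_version(version)
    except ValueError as exc:
        return False, str(exc)
    newest = max(parse_version(v) for v in supported)
    if found > newest:
        hint = "schema is newer than the instance; pin SAST_ANALYZER_IMAGE_TAG"
    else:
        hint = "schema is older than anything the instance supports"
    return False, f"version {version} is unsupported ({hint})"


# Constructed sample: the minimal shape of a report an unpinned analyzer emits.
SAMPLE_REPORT = json.dumps({"version": "15.1.0", "scan": {"type": "sast"}})

if __name__ == "__main__":
    # Pass a report path to check a real file; otherwise check the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    ok, message = check_report_version(text)
    print(("OK: " if ok else "FAIL: ") + message)
    sys.exit(0 if ok else 1)
```

Run it as a script step after the analyzer job, before the report artifact is uploaded, so the mismatch surfaces as a clear job failure instead of a silently dropped report.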
Implementation Plan
- Hardcode all analyzers removed in 17.0 report version to 15.0.7
  - NodeJS Scan - Fix Remote Custom Rulesets (gitlab-org/security-products/analyzers/nodejs-scan!166 - merged) • Craig Smith • 17.2
  - Brakeman - Hardcode report version (gitlab-org/security-products/analyzers/brakeman!152 - merged) • Craig Smith • 17.2
  - flawfinder - Hardcode report version to 15.0.7 (gitlab-org/security-products/analyzers/flawfinder!129 - merged) • Craig Smith • 17.2
  - mobsf - Hardcode report version to 15.0.7 (gitlab-org/security-products/analyzers/mobsf!109 - merged) • Craig Smith
  - phpcs - Hardcode report version to 15.0.7 (gitlab-org/security-products/analyzers/phpcs-security-audit!113 - merged) • Craig Smith • 17.2
- Remove all analyzers removed in 17.0 from SASTBot upgrades - https://gitlab.com/gitlab-org/security-products/analyzers/sast-analyzer-deps-bot/-/merge_requests/22+s - Moved to Stop auto updating removed analyzers with SASTBot (#471173) • Craig Smith • 17.3
Edited by Craig Smith