Read security report schemas from RubyGem
What does this MR do and why?
Adds a dependency on the gitlab-security_report_schemas RubyGem (rubygems.org), which bundles GitLab's security report schemas, and introduces a feature flag. When the flag is enabled, security report schemas are consumed from the RubyGem instead of from the copies in the monolith's repository.
Security schemas are used as part of the Security scanner integration to ensure that reports produced by analyzers can be parsed successfully by GitLab. Each JSON report declares which version of the Secure schema it conforms to. When the report is parsed, the file is validated against the schema for that version and is rejected if validation fails.
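As an added illustration of the version-keyed validation described above (this is example code, not code from this MR, the monolith, or the gem), the following self-contained Ruby script selects a schema from a report's declared `version`, validates the document against it, and reports why a document was rejected. The schemas, the sample reports, and the `validate_report`/`validate_node` helpers are all constructed for this example; the schema subset implemented here (type, required, properties, items, enum) and the exact-match version lookup are simplifications, since the real integration validates against the full JSON Schema documents shipped with the gem.

```ruby
require 'json'

# Constructed, deliberately small stand-in for the bundled schemas:
# report type -> schema version -> schema (subset of JSON Schema only).
SCHEMAS = {
  'container_scanning' => {
    '15.0.0' => {
      'type' => 'object',
      'required' => %w[version scan vulnerabilities],
      'properties' => {
        'version' => { 'type' => 'string' },
        'scan' => { 'type' => 'object', 'required' => %w[status],
                    'properties' => { 'status' => { 'enum' => %w[success failure] } } },
        'vulnerabilities' => {
          'type' => 'array',
          'items' => { 'type' => 'object', 'required' => %w[id name severity],
                       'properties' => { 'severity' => { 'enum' => %w[Critical High Medium Low Info Unknown] } } }
        }
      }
    },
    '14.1.3' => {
      'type' => 'object',
      'required' => %w[version vulnerabilities],
      'properties' => {
        'version' => { 'type' => 'string' },
        'vulnerabilities' => { 'type' => 'array',
                               'items' => { 'type' => 'object', 'required' => %w[id name severity] } }
      }
    }
  }
}.freeze

Result = Struct.new(:valid, :errors) do
  def valid?
    valid
  end
end

def type_match?(type, value)
  case type
  when 'object'  then value.is_a?(Hash)
  when 'array'   then value.is_a?(Array)
  when 'string'  then value.is_a?(String)
  when 'integer' then value.is_a?(Integer)
  when 'number'  then value.is_a?(Numeric)
  when 'boolean' then value == true || value == false
  else false
  end
end

# Recursively checks +value+ against +schema+, appending messages with a
# JSON-pointer-style path to +errors+ so a rejected report explains itself.
def validate_node(schema, value, path, errors)
  if schema.key?('type') && !type_match?(schema['type'], value)
    errors << "#{path}: expected #{schema['type']}, got #{value.class.name.downcase}"
    return
  end
  if schema.key?('enum') && !schema['enum'].include?(value)
    errors << "#{path}: #{value.inspect} is not one of #{schema['enum'].inspect}"
  end
  if value.is_a?(Hash)
    Array(schema['required']).each do |key|
      errors << "#{path}: missing required property '#{key}'" unless value.key?(key)
    end
    (schema['properties'] || {}).each do |key, sub|
      validate_node(sub, value[key], "#{path}/#{key}", errors) if value.key?(key)
    end
  elsif value.is_a?(Array) && schema['items']
    value.each_with_index { |item, i| validate_node(schema['items'], item, "#{path}/#{i}", errors) }
  end
end

# Parses the report, picks the schema matching its declared `version`, and
# rejects it on malformed JSON, an unsupported version, or schema violations.
def validate_report(json, report_type)
  begin
    report = JSON.parse(json)
  rescue JSON::ParserError => e
    return Result.new(false, ["report is not valid JSON: #{e.message}"])
  end
  return Result.new(false, ['report is not a JSON object']) unless report.is_a?(Hash)

  version = report['version']
  schema = SCHEMAS.fetch(report_type, {})[version]
  return Result.new(false, ["unsupported #{report_type} schema version #{version.inspect}"]) unless schema

  errors = []
  validate_node(schema, report, '#', errors)
  Result.new(errors.empty?, errors)
end

# Constructed sample reports (not the snippet files used in the test plan).
VALID_15 = JSON.generate('version' => '15.0.0', 'scan' => { 'status' => 'success' },
                         'vulnerabilities' => [{ 'id' => 'finding-1', 'name' => 'Example finding', 'severity' => 'High' }])
INVALID_15 = JSON.generate('version' => '15.0.0',
                           'vulnerabilities' => [{ 'id' => 'finding-1', 'severity' => 'Bogus' }])
VALID_14 = JSON.generate('version' => '14.1.3', 'vulnerabilities' => [])
UNKNOWN_VERSION = JSON.generate('version' => '99.0.0', 'vulnerabilities' => [])

if __FILE__ == $PROGRAM_NAME
  { 'valid 15.0.0' => VALID_15, 'invalid 15.0.0' => INVALID_15,
    'valid 14.1.3' => VALID_14, 'unknown version' => UNKNOWN_VERSION }.each do |label, json|
    result = validate_report(json, 'container_scanning')
    puts "#{label}: #{result.valid? ? 'accepted' : 'rejected'} #{result.errors}"
  end
end
```

Running the script validates the four constructed reports: the two valid ones are accepted, the invalid 15.0.0 report is rejected with three errors (missing `scan`, a vulnerability missing `name`, and a `severity` outside the enum), and the report declaring an unknown version is rejected before any field is inspected, which mirrors the behaviour the description calls for: a report that does not validate against its declared schema version is not ingested.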
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- Enable the feature flag:

  ```shell
  echo "Feature.enable(:security_report_schemas_rubygem)" | rails c
  ```

- Create a new project and commit the following `.gitlab-ci.yml`:

  ```yaml
  report:
    image: alpine
    stage: test
    rules:
      - if: $REPORT_FILE
    artifacts:
      reports:
        container_scanning: gl-container-scanning-report.json
      paths: [gl-container-scanning-report.json]
    script:
      - apk update && apk add curl
      - curl -o gl-container-scanning-report.json "https://gitlab.com/-/snippets/3732098/raw/main/$REPORT_FILE"
  ```

- Navigate to Build > Pipelines and run a pipeline once for each of the following values of `REPORT_FILE`:
  - report-15.0.0-valid.json
  - report-15.0.0-invalid.json
  - report-14.1.3-valid.json

- Navigate to Secure > Vulnerability report, set the activity dropdown to All activity, and verify that both vulnerabilities were ingested.

- Repeat the above with the feature flag disabled.
Related to #383516, #383507 (closed), #479410 (closed)