
Fix MR widget loading indefinitely when there is an SBoM without Dependency Scanning attributes

What does this MR do and why?

This bug happens when there is an SBoM that does not produce dependency_scanning results, and no other dependency scanning report in the pipeline. We have a Redis optimization to reduce the number of database queries executed when polling. It blocks the database checks from executing until a Redis key is set for the report. That key is set if an SBoM produces results, but if it doesn't then the report is shown as parsing indefinitely.

Detailed explanation:

  1. The widget expects there to be dependency_scanning results if there is a cyclonedx artifact and begins polling.
  2. We have a Redis optimization implemented in !151358 (merged) to reduce the number of database queries executed when polling. It causes the report status to always return :parsing until ::Ci::CompareSecurityReportsService.set_security_report_type_to_ready is called. This is only called when executing StoreGroupedScansService.
  3. SBoM-based dependency scanning goes through this code path. StoreGroupedSbomScansService inherits from StoreGroupedScansService, so it does execute this method. However, the problem arises from the file_type, which is set here as the key artifact.security_report.type.to_s. If artifact.security_report returns nil or if artifact.security_report.type is container_scanning, then the dependency_scanning reports are never marked as ready.
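The failure mode above, modelled as an added Ruby illustration (this is not GitLab's code and not the change in this MR): an in-memory stand-in for the Redis ready key, the buggy path that derives the key from whatever report the SBoM parse produced, and an assumed corrected path that marks the report types the widget expects from the artifact. `ReadyFlags`, `Artifact`, `Report` and the helper names are hypothetical.

```ruby
# Stand-in for the Redis key gating database checks while polling:
# a report type reports :parsing until it has been marked ready.
class ReadyFlags
  def initialize
    @ready = {}
  end

  def set_ready(type)
    @ready[type.to_s] = true
  end

  def status(type)
    @ready[type.to_s] ? :ready : :parsing
  end
end

# Hypothetical artifact: an SBoM whose parse yields no security report (nil)
# or a report of another type (e.g. container_scanning).
Artifact = Struct.new(:security_report)
Report = Struct.new(:type)

# Buggy derivation: the key comes from the produced report's type, so a nil
# report or a non-dependency_scanning type never readies dependency_scanning.
# (Safe navigation is used here so the illustration does not raise on nil.)
def mark_ready_from_report(flags, artifact)
  type = artifact.security_report&.type.to_s
  flags.set_ready(type) unless type.empty?
end

# Assumed corrected behaviour: ready the report types the widget expects from
# this artifact, independent of what the parse actually produced.
def mark_ready_expected(flags, expected_types)
  expected_types.each { |t| flags.set_ready(t) }
end

def widget_status_after_buggy_path(artifact)
  flags = ReadyFlags.new
  mark_ready_from_report(flags, artifact)
  flags.status(:dependency_scanning)
end

def widget_status_after_fixed_path(artifact)
  flags = ReadyFlags.new
  mark_ready_expected(flags, [:dependency_scanning])
  flags.status(:dependency_scanning)
end
```

With the buggy path an SBoM that produced nil, or a container_scanning report, leaves dependency_scanning at :parsing forever; the widget keeps polling and never renders.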

References

Screenshots or screen recordings


How to set up and validate locally

  1. Clone this project and push it to the GDK (this will automatically create the project):

    git clone git@gitlab.com:gitlab-org/govern/threat-insights-demos/verification-projects/issue-568889.git
    cd issue-568889
    git remote add gdk ssh://git@<gdk_hostname>:2222/<user>/issue-568889.git
    git push -u gdk main
    git checkout feature
    git push -u gdk feature
  2. Run a pipeline on main

  3. Open a merge request merging feature into main

  4. The merge request widget should show results once reports are done processing. Before, it would load indefinitely.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Brian Williams
