Record JSON parser errors due to invalid reports
What does this MR do?
When a third-party integration attempts to upload an invalid or malicious license_scanning
report, we currently log the error, then throw away the original error and raise a new one that is rescued in several different places in the code base. When a JSON parser error is raised and sent to Sentry there is no action we can take, so recording it there does not help.
This MR updates the license scanning report parser to return an empty report when the raw artifact cannot be parsed as a JSON document. The current code bubbles up an exception that isn't handled meaningfully by the code that calls this parser. The effect is that an error message is displayed to the user and a 500 error is returned to the FE code. This change records the original error and attempts to include meaningful information that can be used to take action.
This error can be tracked here.
To produce this error, you need to upload an invalid gl-license-scanning-report.json.
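The following Ruby sketch is an added illustration of the behaviour described above, not the MR's own code: a parser that rescues the JSON parser error, records the original exception together with context a responder could act on (artifact id, size, a truncated preview rather than the whole untrusted blob), and returns an empty report instead of re-raising. The class names, the `dependencies` report structure, the `artifact_id` parameter and the error-tracker interface are assumptions. It also goes slightly beyond the description by handling well-formed JSON of the wrong shape the same way, since an invalid report need not be syntactically broken.

```ruby
require 'json'

# Hypothetical stand-in for a license scanning report (not GitLab's class).
class LicenseScanningReport
  attr_reader :dependencies, :error

  def initialize(dependencies: [], error: nil)
    @dependencies = dependencies
    @error = error # the original parse error, if any, kept for inspection
  end

  def empty?
    @dependencies.empty?
  end
end

# Constructed stand-in for an error tracker (Sentry-like): it just collects
# what the parser records so the behaviour can be checked offline.
class RecordingErrorTracker
  attr_reader :records

  def initialize
    @records = []
  end

  def call(error, context)
    @records << { error: error, context: context }
  end
end

# Parses a raw license_scanning artifact. Malformed or mis-shaped input never
# raises out of #parse: the original exception is recorded with context and an
# empty report is returned, so callers have one code path to handle.
class LicenseScanningReportParser
  class InvalidReportError < StandardError; end

  MAX_PREVIEW_BYTES = 64 # how much of the raw artifact to keep in the error record

  def initialize(error_tracker:)
    @error_tracker = error_tracker # any callable: call(exception, context_hash)
  end

  def parse(raw_artifact, artifact_id: nil)
    data = JSON.parse(raw_artifact)
    LicenseScanningReport.new(dependencies: extract_dependencies(data))
  rescue JSON::ParserError, TypeError, InvalidReportError => e
    record(e, raw_artifact, artifact_id)
    LicenseScanningReport.new(error: e)
  end

  private

  # Accept only the shape we expect; valid JSON with the wrong structure is
  # treated exactly like unparseable JSON.
  def extract_dependencies(data)
    raise InvalidReportError, "expected a JSON object, got #{data.class}" unless data.is_a?(Hash)

    deps = data.fetch('dependencies', [])
    raise InvalidReportError, "'dependencies' must be an array" unless deps.is_a?(Array)

    deps.map do |dep|
      raise InvalidReportError, 'dependency entry is not an object' unless dep.is_a?(Hash)

      dep.slice('name', 'version', 'licenses')
    end
  end

  # Record the original error plus context that is useful for acting on it,
  # without shipping the entire untrusted artifact to the tracker.
  def record(error, raw, artifact_id)
    raw = raw.to_s
    @error_tracker.call(error, {
      artifact_id: artifact_id,
      byte_size: raw.bytesize,
      preview: raw.byteslice(0, MAX_PREVIEW_BYTES).scrub
    })
  end
end

# Runs the parser over three constructed artifacts: a valid report, a
# truncated (unparseable) one, and well-formed JSON of the wrong shape.
def demo
  tracker = RecordingErrorTracker.new
  parser = LicenseScanningReportParser.new(error_tracker: tracker)
  valid = '{"version":"2.1","dependencies":[{"name":"rails","version":"6.0","licenses":["MIT"]}]}'
  malformed = '{"version":"2.1","dependencies":[{"name":"rails"' # constructed: cut off mid-document
  wrong_shape = '["not","an","object"]'
  reports = [valid, malformed, wrong_shape].map do |raw|
    parser.parse(raw, artifact_id: 'ARTIFACT_ID_PLACEHOLDER')
  end
  [reports, tracker]
end
```

Callers then only need to check `report.empty?` (or inspect `report.error`) rather than rescuing a parser exception at every call site, which is what lets the 500 go away while the error still reaches the tracker with actionable context.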
- https://gitlab.com/gitlab-org/gitlab/-/issues/119361
- #210364 (closed)
- #37719 (closed)
- https://gitlab.com/gitlab-org/gitlab/-/issues/211378
Screenshots
Does this MR meet the acceptance criteria?
Conformity

- Changelog entry
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content

Availability and Testing

- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
- Informed Infrastructure department of a default or new setting change, if applicable per definition of done

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team