Add version check job
What does this MR do?

This MR adds the version-check job from container scanning into the analyzer.yml template so all Go-based analyzers can benefit from the script.

The purpose of this new version-check is to ensure that the version reported by the analyzer using the `--version` flag matches the latest version in the `CHANGELOG.md` file. This is necessary now that a `scan.scanner.version` field is being added to the reports generated by our analyzers, as part of "Add scanner, report_type to SAST, CS, DS reports".
This version-check stage has the following behaviour:

- If the `app.Version` value is not configured (for example, gemnasium doesn't define this value), then version-check will output a warning and return a 0 status code. This will allow us to immediately use this version-check script in all analyzer projects without altering existing behaviour:
  - and `urfave/cli <= v1.22.2` is used:

    ```text
    [INFO] [klar] [2020-07-29T02:01:50Z] ▶ GitLab klar analyzer v0.0.0
    Warning: analyzer binary does not have a version configured. Please update the analyzer binary version to match the most recent version in CHANGELOG.md.
    Job succeeded
    ```

  - and `urfave/cli >= v1.22.3` is used:

    ```text
    [INFO] [klar] [2020-07-29T02:10:16Z] ▶ GitLab klar analyzer v
    [FATA] [klar] [2020-07-29T02:10:16Z] ▶ flag provided but not defined: -version
    Warning: analyzer binary does not have a version configured. Please update the analyzer binary version to match the most recent version in CHANGELOG.md.
    Job succeeded
    ```

  Note: the reason why we need logic to support both `urfave/cli <= v1.22.2` and `>= v1.22.3` is because of the following bugfix which changed the version behaviour.

- If the `app.Version` value is configured (for example in klar):
  - and the `app.Version` value matches the most recent version in `CHANGELOG.md`:

    ```text
    [INFO] [klar] [2020-07-29T01:57:46Z] ▶ GitLab klar analyzer v2.4.9
    Success: Analyzer binary version '2.4.9' matches CHANGELOG.md version '2.4.9
    Job succeeded
    ```

  - and the `app.Version` value does not match the most recent version in `CHANGELOG.md`:

    ```text
    [INFO] [klar] [2020-07-29T02:02:27Z] ▶ GitLab klar analyzer v2.5.0
    Error: The most recent version in CHANGELOG.md '2.4.9' does not match the analyzer binary version value '2.5.0'. Please update the analyzer binary version to match the most recent version in CHANGELOG.md.
    ERROR: Job failed: exit code 1
    ```
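As an added illustration of the four cases above (this is example code, not the MR's own job script), a POSIX shell function that compares the analyzer's `--version` output with the newest changelog entry. It assumes `CHANGELOG.md` lists releases as `## vX.Y.Z` headings, newest first, and that the analyzer prints its version as `... vX.Y.Z`, as klar does in the logs above.

```shell
#!/bin/sh
# Added example, not the MR's own job script. Assumptions: CHANGELOG.md
# lists releases as "## vX.Y.Z" headings, newest first, and the analyzer
# prints "... vX.Y.Z" for --version (as klar does in the logs above).

# Newest version in the changelog: the first "## vX.Y.Z" heading.
changelog_version() {
  sed -n 's/^## v\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Version reported by the analyzer binary. stderr is merged because
# urfave/cli >= v1.22.3 logs "flag provided but not defined: -version"
# and exits non-zero when app.Version is unset; the pipeline then yields
# an empty string instead of aborting the job.
binary_version() {
  "$1" --version 2>&1 | sed -n 's/.*v\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_check <analyzer binary> <path to CHANGELOG.md>
# Returns 0 when the version matches or is not configured (warning only),
# 1 when the configured version disagrees with the changelog.
version_check() {
  bin_ver=$(binary_version "$1")
  log_ver=$(changelog_version "$2")
  # urfave/cli <= v1.22.2 prints "v0.0.0" when app.Version is unset;
  # >= v1.22.3 prints no version at all, so bin_ver is empty.
  if [ -z "$bin_ver" ] || [ "$bin_ver" = "0.0.0" ]; then
    echo "Warning: analyzer binary does not have a version configured." \
         "Please update the analyzer binary version to match the most recent version in CHANGELOG.md."
    return 0
  fi
  if [ "$bin_ver" = "$log_ver" ]; then
    echo "Success: Analyzer binary version '$bin_ver' matches CHANGELOG.md version '$log_ver'"
    return 0
  fi
  echo "Error: The most recent version in CHANGELOG.md '$log_ver' does not match" \
       "the analyzer binary version value '$bin_ver'. Please update the analyzer" \
       "binary version to match the most recent version in CHANGELOG.md."
  return 1
}
```

Call it from the CI job as `version_check ./analyzer CHANGELOG.md`; the job fails only in the mismatch case, which is the behaviour the logs above show.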
What are the relevant issue numbers?
gitlab-org/gitlab#232757 (closed)
Testing
All four scenarios have been tested; click on the links in the "This version-check stage has the following behaviour" section above.