Add scan duration check
What does this MR do?
This MR adds a scan duration check for the scanning time of Dependency Scanning analyzers. The check happens in the qa phase of downstream projects and fails if the last scan's scanning duration in the report is greater than MAX_SCAN_DURATION_SECONDS set in the analyzer's ci config.
Here are a few job runs showing this at work on the bundler-audit analyzer:
- pass: https://gitlab.com/gitlab-org/security-products/tests/ruby-bundler/-/jobs/832760939
- fail when max exceeded: https://gitlab.com/gitlab-org/security-products/tests/ruby-bundler/-/jobs/832764338
- fail when report missing scan fields: https://gitlab.com/gitlab-org/security-products/tests/ruby-bundler/-/jobs/833292139 (code change)
- fail when report date parsing error: https://gitlab.com/gitlab-org/security-products/tests/ruby-bundler/-/jobs/833287327 (code change)
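As an added illustration of the gate described above (example code, not the MR's own implementation), a Python version that distinguishes the three failure cases shown in the job runs: maximum exceeded, missing scan fields, and date parsing error. It assumes the report's scan object carries ISO 8601 start_time and end_time strings at seconds resolution; the sample report and the gl-dependency-scanning-report.json file name are constructed for the example.

```python
"""Scan-duration gate for a Dependency Scanning report (added example, not the MR's code)."""
import json
import os
import sys
from datetime import datetime

# Assumed: the report's "scan" object carries ISO 8601 start_time/end_time
# strings at seconds resolution and without a timezone suffix.
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S"


def scan_duration_seconds(report: dict) -> float:
    """Return end_time - start_time of the report's scan; raises on missing or unparseable fields."""
    scan = report.get("scan")
    if not isinstance(scan, dict) or "start_time" not in scan or "end_time" not in scan:
        raise KeyError("report is missing scan.start_time / scan.end_time")
    start = datetime.strptime(scan["start_time"], TIME_FORMAT)  # ValueError on bad format
    end = datetime.strptime(scan["end_time"], TIME_FORMAT)
    return (end - start).total_seconds()


def check_scan_duration(report_text: str, max_seconds: int) -> tuple:
    """Evaluate the gate; returns (passed, message) so the caller can set the job's exit status."""
    try:
        report = json.loads(report_text)
        duration = scan_duration_seconds(report)
    except (json.JSONDecodeError, KeyError) as exc:  # JSONDecodeError must precede ValueError
        return False, f"report missing scan fields: {exc}"
    except (ValueError, TypeError) as exc:
        return False, f"report date parsing error: {exc}"
    if duration > max_seconds:
        return False, f"scan took {duration:.0f}s, above MAX_SCAN_DURATION_SECONDS={max_seconds}"
    return True, f"scan took {duration:.0f}s, within MAX_SCAN_DURATION_SECONDS={max_seconds}"


# Constructed sample report; in CI this would be read from the analyzer's report file.
SAMPLE_REPORT = json.dumps({
    "version": "3.0.0",
    "vulnerabilities": [],
    "scan": {"start_time": "2020-11-05T14:00:00", "end_time": "2020-11-05T14:01:30"},
})

if __name__ == "__main__":
    limit = int(os.environ.get("MAX_SCAN_DURATION_SECONDS", "120"))
    ok, message = check_scan_duration(SAMPLE_REPORT, limit)
    print(message)
    sys.exit(0 if ok else 1)
```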
The plan for this MR is as follows:
- merge this MR (so that this code is available in all DS downstream projects)
- create a branch in each analyzer (gemnasium, gemnasium-python, gemnasium-maven, bundler-audit) setting the MAX_SCAN_DURATION_SECONDS environment variable, setting up a preliminary run for each downstream project to establish a baseline MAX_SCAN_DURATION_SECONDS
- set MAX_SCAN_DURATION_SECONDS to the value that was found
- update MAX_SCAN_DURATION_SECONDS for each downstream job in the analyzer's ci config
Add variable to each analyzer:
- gemnasium-maven (gitlab-org/security-products/analyzers/gemnasium-maven!80 (merged))
- gemnasium-python (gitlab-org/security-products/analyzers/gemnasium-python!72 (merged))
- bundler-audit (gitlab-org/security-products/analyzers/bundler-audit!58 (merged))
- retire.js (gitlab-org/security-products/analyzers/retire.js!55 (merged))
- gemnasium (gitlab-org/security-products/analyzers/gemnasium!124 (merged))
What are the relevant issue numbers?
gitlab-org/gitlab#196697 (closed)
Does this MR meet the acceptance criteria?
Edited by Igor Frenkel