Add scan duration check
What does this MR do?
This MR adds a scan duration check for the scanning time of Dependency Scanning analyzers. The check happens in the qa phase of downstream projects and fails if the last scan's scanning duration in the report is greater than MAX_SCAN_DURATION_SECONDS set in the analyzer's ci config.
Here are a few job runs showing this at work on the bundler-audit analyzer:
- pass: https://gitlab.com/gitlab-org/security-products/tests/ruby-bundler/-/jobs/832760939
- fail when max exceeded: https://gitlab.com/gitlab-org/security-products/tests/ruby-bundler/-/jobs/832764338
- fail when report missing scan fields: https://gitlab.com/gitlab-org/security-products/tests/ruby-bundler/-/jobs/833292139 (code change)
- fail when report date parsing error: https://gitlab.com/gitlab-org/security-products/tests/ruby-bundler/-/jobs/833287327 (code change)
The plan for this MR is as follows:
- merge this MR (so that this code is available in all DS downstream projects)
- create a branch in each analyzer (gemnasium, gemnasium-python, gemnasium-maven, bundler-audit) setting the
MAX_SCAN_DURATION_SECONDSenvironment variable setting up a preliminary run for each downstream project to establish a baselineMAX_SCAN_DURATION_SECONDS - set
MAX_SCAN_DURATION_SECONDSthat was found - update
MAX_SCAN_DURATION_SECONDSfor each downstream job in the analyzer's ci config
Add variable to each analyzer:
-
gemnasium-maven (gitlab-org/security-products/analyzers/gemnasium-maven!80 (merged)) -
gemnasium-python (gitlab-org/security-products/analyzers/gemnasium-python!72 (merged)) -
bundler-audit (gitlab-org/security-products/analyzers/bundler-audit!58 (merged)) -
retire.js (gitlab-org/security-products/analyzers/retire.js!55 (merged)) -
gemnasium (gitlab-org/security-products/analyzers/gemnasium!124 (merged))
What are the relevant issue numbers?
gitlab-org/gitlab#196697 (closed)
Does this MR meet the acceptance criteria?
Edited by Igor Frenkel