diff options
Diffstat (limited to 'lib/gitlab/ci/parsers/security/common.rb')
-rw-r--r-- | lib/gitlab/ci/parsers/security/common.rb | 47 |
1 files changed, 29 insertions, 18 deletions
diff --git a/lib/gitlab/ci/parsers/security/common.rb b/lib/gitlab/ci/parsers/security/common.rb index 7baae2f53d7..13a159f3745 100644 --- a/lib/gitlab/ci/parsers/security/common.rb +++ b/lib/gitlab/ci/parsers/security/common.rb @@ -14,6 +14,7 @@ module Gitlab def initialize(json_data, report, vulnerability_finding_signatures_enabled = false, validate: false) @json_data = json_data @report = report + @project = report.project @validate = validate @vulnerability_finding_signatures_enabled = vulnerability_finding_signatures_enabled end @@ -43,31 +44,41 @@ module Gitlab attr_reader :json_data, :report, :validate def valid? - if Feature.enabled?(:show_report_validation_warnings, default_enabled: :yaml) - # We want validation to happen regardless of VALIDATE_SCHEMA CI variable + # We want validation to happen regardless of VALIDATE_SCHEMA + # CI variable. + # + # Previously it controlled BOTH validation and enforcement of + # schema validation result. + # + # After 15.0 we will enforce schema validation by default + # See: https://gitlab.com/groups/gitlab-org/-/epics/6968 + schema_validator.deprecation_warnings.each { |deprecation_warning| report.add_warning('Schema', deprecation_warning) } + + if validate schema_validation_passed = schema_validator.valid? - if validate - schema_validator.errors.each { |error| report.add_error('Schema', error) } unless schema_validation_passed - - schema_validation_passed - else - # We treat all schema validation errors as warnings - schema_validator.errors.each { |error| report.add_warning('Schema', error) } + # Validation warnings are errors + schema_validator.errors.each { |error| report.add_error('Schema', error) } + schema_validator.warnings.each { |warning| report.add_error('Schema', warning) } - true - end + schema_validation_passed else - return true if !validate || schema_validator.valid? + # Validation warnings are warnings + schema_validator.errors.each { |error| report.add_warning('Schema', error) } + schema_validator.warnings.each { |warning| report.add_warning('Schema', warning) } - schema_validator.errors.each { |error| report.add_error('Schema', error) } - - false + true end end def schema_validator - @schema_validator ||= ::Gitlab::Ci::Parsers::Security::Validators::SchemaValidator.new(report.type, report_data, report.version) + @schema_validator ||= ::Gitlab::Ci::Parsers::Security::Validators::SchemaValidator.new( + report.type, + report_data, + report.version, + project: @project, + scanner: top_level_scanner + ) end def report_data @@ -137,7 +148,7 @@ module Gitlab metadata_version: report_version, details: data['details'] || {}, signatures: signatures, - project_id: report.project_id, + project_id: @project.id, vulnerability_finding_signatures_enabled: @vulnerability_finding_signatures_enabled)) end @@ -280,7 +291,7 @@ module Gitlab report_type: report.type, primary_identifier_fingerprint: primary_identifier&.fingerprint, location_fingerprint: location_fingerprint, - project_id: report.project_id + project_id: @project.id } if uuid_v5_name_components.values.any?(&:nil?) |