1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
|
# frozen_string_literal: true
module Gitlab
module Ci
module Parsers
module Security
module Validators
class SchemaValidator
SUPPORTED_VERSIONS = {
cluster_image_scanning: %w[14.0.4 14.0.5 14.0.6 14.1.0 14.1.1 14.1.2 14.1.3 15.0.0 15.0.1 15.0.2 15.0.4],
container_scanning: %w[14.0.0 14.0.1 14.0.2 14.0.3 14.0.4 14.0.5 14.0.6 14.1.0 14.1.1 14.1.2 14.1.3 15.0.0 15.0.1 15.0.2 15.0.4],
coverage_fuzzing: %w[14.0.0 14.0.1 14.0.2 14.0.3 14.0.4 14.0.5 14.0.6 14.1.0 14.1.1 14.1.2 14.1.3 15.0.0 15.0.1 15.0.2 15.0.4],
dast: %w[14.0.0 14.0.1 14.0.2 14.0.3 14.0.4 14.0.5 14.0.6 14.1.0 14.1.1 14.1.2 14.1.3 15.0.0 15.0.1 15.0.2 15.0.4],
api_fuzzing: %w[14.0.0 14.0.1 14.0.2 14.0.3 14.0.4 14.0.5 14.0.6 14.1.0 14.1.1 14.1.2 14.1.3 15.0.0 15.0.1 15.0.2 15.0.4],
dependency_scanning: %w[14.0.0 14.0.1 14.0.2 14.0.3 14.0.4 14.0.5 14.0.6 14.1.0 14.1.1 14.1.2 14.1.3 15.0.0 15.0.1 15.0.2 15.0.4],
sast: %w[14.0.0 14.0.1 14.0.2 14.0.3 14.0.4 14.0.5 14.0.6 14.1.0 14.1.1 14.1.2 14.1.3 15.0.0 15.0.1 15.0.2 15.0.4],
secret_detection: %w[14.0.0 14.0.1 14.0.2 14.0.3 14.0.4 14.0.5 14.0.6 14.1.0 14.1.1 14.1.2 14.1.3 15.0.0 15.0.1 15.0.2 15.0.4]
}.freeze
VERSIONS_TO_REMOVE_IN_16_0 = %w[14.0.0 14.0.1 14.0.2 14.0.3 14.0.4 14.0.5 14.0.6 14.1.0 14.1.1 14.1.2 14.1.3].freeze
DEPRECATED_VERSIONS = {
cluster_image_scanning: VERSIONS_TO_REMOVE_IN_16_0,
container_scanning: VERSIONS_TO_REMOVE_IN_16_0,
coverage_fuzzing: VERSIONS_TO_REMOVE_IN_16_0,
dast: VERSIONS_TO_REMOVE_IN_16_0,
api_fuzzing: VERSIONS_TO_REMOVE_IN_16_0,
dependency_scanning: VERSIONS_TO_REMOVE_IN_16_0,
sast: VERSIONS_TO_REMOVE_IN_16_0,
secret_detection: VERSIONS_TO_REMOVE_IN_16_0
}.freeze
CURRENT_VERSIONS = SUPPORTED_VERSIONS.to_h { |k, v| [k, v - DEPRECATED_VERSIONS[k]] }
class Schema
def root_path
File.join(__dir__, 'schemas')
end
def initialize(report_type, report_version)
@report_type = report_type.to_sym
@report_version = report_version.to_s
@supported_versions = SUPPORTED_VERSIONS[@report_type]
end
delegate :validate, to: :schemer
private
attr_reader :report_type, :report_version, :supported_versions
def schemer
JSONSchemer.schema(pathname)
end
def pathname
Pathname.new(schema_path)
end
def schema_path
# The schema version selection logic here is described in the user documentation:
# https://docs.gitlab.com/ee/user/application_security/#security-report-validation
report_declared_version = File.join(root_path, report_version, file_name)
return report_declared_version if File.file?(report_declared_version)
if latest_vendored_patch_version
latest_vendored_patch_version_file = File.join(root_path, latest_vendored_patch_version, file_name)
return latest_vendored_patch_version_file if File.file?(latest_vendored_patch_version)
end
earliest_supported_version = SUPPORTED_VERSIONS[report_type].min
File.join(root_path, earliest_supported_version, file_name)
end
def latest_vendored_patch_version
::Security::ReportSchemaVersionMatcher.new(
report_declared_version: report_version,
supported_versions: supported_versions
).call
rescue ArgumentError
nil
end
def file_name
report_type == :api_fuzzing ? "dast-report-format.json" : "#{report_type.to_s.dasherize}-report-format.json"
end
end
def initialize(report_type, report_data, report_version = nil, project: nil, scanner: nil)
@report_type = report_type&.to_sym
@report_data = report_data
@report_version = report_version
@project = project
@scanner = scanner
@errors = []
@warnings = []
@deprecation_warnings = []
populate_schema_version_errors
populate_validation_errors
populate_deprecation_warnings
end
def populate_schema_version_errors
add_schema_version_errors if add_schema_version_error?
end
def add_schema_version_errors
if report_version.nil?
template = _("Report version not provided,"\
" %{report_type} report type supports versions: %{supported_schema_versions}."\
" GitLab will attempt to validate this report against the earliest supported versions of this report"\
" type, to show all the errors but will not ingest the report")
message = format(template, report_type: report_type, supported_schema_versions: supported_schema_versions)
else
template = _("Version %{report_version} for report type %{report_type} is unsupported, supported versions"\
" for this report type are: %{supported_schema_versions}."\
" GitLab will attempt to validate this report against the earliest supported versions of this report"\
" type, to show all the errors but will not ingest the report")
message = format(template, report_version: report_version, report_type: report_type, supported_schema_versions: supported_schema_versions)
end
log_warnings(problem_type: 'using_unsupported_schema_version')
add_message_as(level: :error, message: message)
end
def add_schema_version_error?
!report_uses_supported_schema_version? &&
!report_uses_deprecated_schema_version? &&
!report_uses_supported_major_and_minor_schema_version?
end
def report_uses_deprecated_schema_version?
# Avoid deprecation warnings for GitLab security scanners
# To be removed via https://gitlab.com/gitlab-org/gitlab/-/issues/386798
return if report_data.dig('scan', 'scanner', 'vendor', 'name')&.downcase == 'gitlab'
return if report_data.dig('scan', 'analyzer', 'vendor', 'name')&.downcase == 'gitlab'
DEPRECATED_VERSIONS[report_type].include?(report_version)
end
def report_uses_supported_schema_version?
SUPPORTED_VERSIONS[report_type].include?(report_version)
end
def report_uses_supported_major_and_minor_schema_version?
if !find_latest_patch_version.nil?
add_supported_major_minor_behavior_warning
true
else
false
end
end
def find_latest_patch_version
::Security::ReportSchemaVersionMatcher.new(
report_declared_version: report_version,
supported_versions: SUPPORTED_VERSIONS[report_type]
).call
rescue ArgumentError
nil
end
def add_supported_major_minor_behavior_warning
template = _("This report uses a supported MAJOR.MINOR schema version but the PATCH version doesn't match"\
" any vendored schema version. Validation will be attempted against version"\
" %{find_latest_patch_version}")
message = format(template, find_latest_patch_version: find_latest_patch_version)
add_message_as(
level: :warning,
message: message
)
end
def populate_validation_errors
schema_validation_errors = schema.validate(report_data).map { |error| JSONSchemer::Errors.pretty(error) }
log_warnings(problem_type: 'schema_validation_fails') unless schema_validation_errors.empty?
@errors += schema_validation_errors
end
def populate_deprecation_warnings
add_deprecated_report_version_message if report_uses_deprecated_schema_version?
end
def add_deprecated_report_version_message
log_warnings(problem_type: 'using_deprecated_schema_version')
template = _("version %{report_version} for report type %{report_type} is deprecated. "\
"However, GitLab will still attempt to parse and ingest this report. "\
"Upgrade the security report to one of the following versions: %{current_schema_versions}.")
message = format(
template,
report_version: report_version,
report_type: report_type,
current_schema_versions: current_schema_versions)
add_message_as(level: :deprecation_warning, message: message)
end
def valid?
errors.empty?
end
def log_warnings(problem_type:)
Gitlab::AppLogger.info(
message: 'security report schema validation problem',
security_report_type: report_type,
security_report_version: report_version,
project_id: @project.id,
security_report_failure: problem_type,
security_report_scanner_id: @scanner&.dig('id'),
security_report_scanner_version: @scanner&.dig('version')
)
end
def current_schema_versions
CURRENT_VERSIONS[report_type].join(", ")
end
def supported_schema_versions
SUPPORTED_VERSIONS[report_type].join(", ")
end
def add_message_as(level:, message:)
case level
when :deprecation_warning
@deprecation_warnings << message
when :error
@errors << message
when :warning
@warnings << message
end
end
attr_reader :errors, :warnings, :deprecation_warnings
private
attr_reader :report_type, :report_data, :report_version
def schema
Schema.new(report_type, report_version)
end
end
end
end
end
end
end
Gitlab::Ci::Parsers::Security::Validators::SchemaValidator::Schema.prepend_mod_with("Gitlab::Ci::Parsers::Security::Validators::SchemaValidator::Schema")
|