Version Check - Add critical_vulnerability to API
Why?
Follow up MR for: https://gitlab.com/gitlab-services/version-gitlab-com/-/merge_requests/722
Work towards https://gitlab.com/gitlab-services/version-gitlab-com/-/issues/455
API support for gitlab-org/gitlab!110934 (merged)
There is a bit of history here, I urge you to read the issue above. In GitLab we use the VersionCheck API to conditionally show elements based on how critical a release the customer is behind. However, we do not currently have a way to differentiate between a Non Critical security release and a Critical security release. This differentiation is really important to the customer for how urgently they need to be informed to upgrade.
The overall proposed solution is to provide a way in the Version App to make that differentiation between a Critical and Non Critical security release and to communicate that through the VersionCheck API.
What
This change is the Third MR working towards the Why section above.
The goal is to create these changes in the spirit of MVC and provide the smallest changes possible towards the goal. This change expands the Version Check API to add a new key, `critical_vulnerability`, that is backwards compatible with GitLab. GitLab will use this key to show UI elements: gitlab-org/gitlab!110934 (merged)
Video Demo
[Video attachment: Screen_Recording_2023-02-21_at_3.30.39_PM]
How to test
Important: To test, there is a bit of preliminary setup you will need to do. I visualize this in the video demo above.
- Have a way to send GET requests with modified headers. I used Postman w/ Postman Desktop Agent to fire `localhost` requests.
- A couple of created Version records with various vulnerability levels (None, Non Critical, Critical)
  - Follow the test instructions here for a detailed explanation on how to create them in the UI: https://gitlab.com/gitlab-services/version-gitlab-com/-/merge_requests/722#how-to-test
- A way to Base64 URL Safe Encode a JSON Object
  - I use the Rails Console (`rails c`) and then this method: `Base64.urlsafe_encode64({ version: '8.0.0' }.to_json)`
Testing
- Follow all the important setup steps above
- Get the Base64 encoded info of the version you are testing against:
  example: `Base64.urlsafe_encode64({ version: '8.0.0' }.to_json)`
- Send an HTTP GET with the following information
  - path: `localhost:3000/check.json`
  - query_param: `?gitlab_info=ENCODED_DATA`
  - headers: `REFERER: https://gitlab.com` (without this it will return a 404 by design)
- Ensure, based on the version you test against, that the following is true
  - Critical Vulnerability
    - severity: 'danger', critical_vulnerability: true
  - Non Critical Vulnerability
    - severity: 'danger', critical_vulnerability: false
  - Non Vulnerable, Not Most Recent Patch Version
    - severity: 'warning', critical_vulnerability: false
  - Non Vulnerable, Most Recent Patch Version
    - severity: 'success', critical_vulnerability: false
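The manual Postman steps above, scripted as a small Ruby client. This is an added example and not code from version-gitlab-com or the linked GitLab MRs: it assumes the Version app is running at `http://localhost:3000` as in the steps, and the function names (`encode_gitlab_info`, `build_check_request`, `mismatches`, `fetch_check`), the scenario labels and the `EXPECTED` table are this example's own, written from the expected-value list above.

```ruby
# Added example (not part of version-gitlab-com): reproduce the "How to test"
# steps for the VersionCheck API without Postman.
require 'base64'
require 'json'
require 'net/http'
require 'uri'

# Step 2: URL-safe Base64 of the JSON payload, exactly as done in `rails c`.
def encode_gitlab_info(version)
  Base64.urlsafe_encode64({ version: version }.to_json)
end

# Inverse of the above; handy to confirm what the app will decode.
def decode_gitlab_info(encoded)
  JSON.parse(Base64.urlsafe_decode64(encoded))
end

# Step 3: GET /check.json?gitlab_info=... with the Referer header the app
# requires (without it the app answers 404 by design).
# base_url and referer defaults come from the steps above.
def build_check_request(version, base_url: 'http://localhost:3000', referer: 'https://gitlab.com')
  uri = URI("#{base_url}/check.json")
  uri.query = URI.encode_www_form({ 'gitlab_info' => encode_gitlab_info(version) })
  req = Net::HTTP::Get.new(uri)
  req['Referer'] = referer
  req
end

# Step 4: expected (severity, critical_vulnerability) pairs per scenario,
# transcribed from the list above. Scenario keys are this example's own.
EXPECTED = {
  critical_vulnerability:     { 'severity' => 'danger',  'critical_vulnerability' => true },
  non_critical_vulnerability: { 'severity' => 'danger',  'critical_vulnerability' => false },
  not_latest_patch:           { 'severity' => 'warning', 'critical_vulnerability' => false },
  latest_patch:               { 'severity' => 'success', 'critical_vulnerability' => false }
}.freeze

# Compare a parsed response body with the expectation for a scenario.
# Returns the keys that differ; an empty array means the check passed.
# A missing key (pre-MR API) counts as a mismatch, since nil != false.
def mismatches(body, scenario)
  EXPECTED.fetch(scenario).reject { |key, value| body[key] == value }.keys
end

# Perform the request against a running app.
# Returns [http_status, parsed_body_or_nil].
def fetch_check(version, base_url: 'http://localhost:3000', referer: 'https://gitlab.com')
  req = build_check_request(version, base_url: base_url, referer: referer)
  uri = req.uri
  res = Net::HTTP.start(uri.host, uri.port) { |http| http.request(req) }
  body = res.code == '200' ? JSON.parse(res.body) : nil
  [res.code.to_i, body]
end

# Usage: ruby version_check_client.rb 8.0.0 critical_vulnerability
if $PROGRAM_NAME == __FILE__ && !ARGV.empty?
  version = ARGV[0]
  scenario = (ARGV[1] || 'critical_vulnerability').to_sym
  status, body = fetch_check(version)
  if status != 200
    puts "HTTP #{status} (did you send the Referer header?)"
  else
    diff = mismatches(body, scenario)
    puts diff.empty? ? "PASS #{scenario}: #{body.inspect}" : "FAIL #{scenario}: mismatched #{diff.inspect} in #{body.inspect}"
  end
end
```

Run it once per Version record you created (one call per row of the expected list), and once without the Referer header (pass `referer: nil` to `fetch_check`) to confirm the 404 path still holds.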