Add graph exports to job artifacts when Gemnasium fails
Release notes
Problem to solve
As a user of Dependency Scanning, I want the dependency graph exports created by gemnasium-maven and gemnasium-python to be uploaded as CI job artifacts when the scanning job fails, so that I can investigate and report the issue.
Also, I want these graph exports to be available when running Dependency Scanning in debug mode, so that I can investigate unexpected results in GitLab UI (Dependency List, Vulnerability Report, etc.) or in the Dependency Scanning report.
As a developer of Gemnasium, or as a support engineer at GitLab, I also want these graph exports to be easily accessible to users experiencing problems with gemnasium-maven and gemnasium-python, so that I can directly help them without asking them to tweak their CI config file and trigger a new pipeline.
Intended users
User experience goal
As a user, I notice that a Dependency Scanning job has failed in my project pipeline. I then browse the artifacts of the failing job, and download a graph export generated by gemnasium-maven or gemnasium-python. I can attach this graph export to a bug issue I create on GitLab, or to a ZenDesk ticket.
Proposal
Change the job definitions of the Gemnasium CI jobs so that the generated graph exports are uploaded when the job fails OR when SECURE_LOG_LEVEL is set to debug. For instance, change the job definition of gemnasium-maven so that it uploads the DOT exports it creates using the dependencyDot task of the sbt-dependency-graph plugin.
The change would be limited to gemnasium-maven-dependency_scanning and gemnasium-python-dependency_scanning, since these are the only Dependency Scanning jobs that generate graph exports. See https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml#L68
See https://docs.gitlab.com/ee/ci/yaml/#artifactswhen
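As an added illustration of the proposal (this is not the job definition from the Dependency Scanning template, and the export file patterns are assumptions), a job can use artifacts:when set to always so that graph exports present in the working directory are uploaded whether the job succeeds or fails, and an after_script step that removes them when the job succeeded without SECURE_LOG_LEVEL set to debug. The hidden .ds-analyzer job and the DS_ANALYZER_NAME variable are the template's existing ones; CI_JOB_STATUS is a predefined variable that is set in after_script.

```yaml
# Added example, not the GitLab template's own job definition.
# Assumed export patterns: "**/*.dot" (sbt dependencyDot output) and
# "**/dependency-graph*.json" (a placeholder name for other exports).
gemnasium-maven-dependency_scanning:
  extends: .ds-analyzer
  variables:
    DS_ANALYZER_NAME: "gemnasium-maven"
  artifacts:
    # "always" uploads the listed paths on failure as well as on success;
    # "on_failure" alone would not cover the SECURE_LOG_LEVEL=debug case.
    when: always
    paths:
      - "**/*.dot"
      - "**/dependency-graph*.json"
    reports:
      dependency_scanning: gl-dependency-scanning-report.json
  after_script:
    # Assumed clean-up rule: keep the exports only when the job failed or
    # debug logging was requested, so a normal successful run uploads nothing extra.
    - |
      if [ "$CI_JOB_STATUS" = "success" ] && [ "${SECURE_LOG_LEVEL:-info}" != "debug" ]; then
        find . -type f \( -name '*.dot' -o -name 'dependency-graph*.json' \) -delete
      fi
```

The same shape applies to gemnasium-python-dependency_scanning with its own export patterns; the artifacts:when value and the after_script condition are what implement the "fails OR debug" rule.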
Further details
Implementation plan
- Update Dependency Scanning CI template; see proposal and MR
- Change existing job integration tests to make them compatible with these changes; see Use GraphQL API to fetch reports in job integra... (#343871 - closed)
- Create dedicated job integration tests; see Availability & Testing and Testing graph exports to job artifacts when Gem... (#350896)
- Update user documentation; see documentation
Permissions and Security
No change
Documentation
To be documented in the troubleshooting section of Dependency Scanning user documentation under a new subsection titled Gemnasium Dependency Scanning job fails. Make sure you cover the following items:
- Dependency graph exports might be exposed as job artifacts to investigate the issue.
- These can be used to investigate a bug where the analyzer can't parse these graph exports.
- They might not be available, depending on the job and on the bug.
Availability & Testing
To be tested in 2-stage pipelines:
- The test stage runs the scanning job. The job script is altered to make it fail with a specific exit code, and the job is allowed to fail on that exit code, so the pipeline isn't stopped. The artifacts param of the job isn't altered.
- The qa stage runs a job that compares the CI artifacts/graph exports to what's expected. The Dependency Scanning report isn't checked.
The QA CI template can't be used for this: the artifacts param shouldn't be altered, because then we wouldn't be testing the upload of the CI artifacts, which is this feature.
Scenarios to be covered:
- Graph exports are uploaded as CI artifacts when the /analyzer command returns a non-zero exit code.
- Graph exports are uploaded as CI artifacts when the command returns a zero exit code and SECURE_LOG_LEVEL is debug.
- Graph exports are NOT uploaded when the command returns a zero exit code and SECURE_LOG_LEVEL is info (or not set).
These don't check the generated security report, so they can't be implemented using the existing Dependency Scanning QA CI template. Instead, we need a new pipeline with a CI job that checks the CI artifacts of the scanning job.
This should be tested in complex/composite test projects that generate multiple graph exports:
- https://gitlab.com/gitlab-org/security-products/tests/java-gradle-multimodules
- https://gitlab.com/gitlab-org/security-products/tests/java-maven-multimodules
- https://gitlab.com/gitlab-org/security-products/tests/scala-sbt-multiproject/
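The qa-stage check for the three scenarios above can be expressed as a small POSIX shell script. This is an added example, not GitLab's QA tooling: it assumes the test-stage job records the /analyzer exit code in a file and that graph exports are named *.dot or dependency-graph*.json; the expected behaviour (exports present only on non-zero exit or SECURE_LOG_LEVEL=debug) is taken from the scenarios.

```shell
#!/bin/sh
# Added example of a qa-stage artifact check; not GitLab's own QA script.
# Assumptions: exports match '*.dot' or 'dependency-graph*.json', and the
# test-stage job wrote the analyzer exit code to a file (see usage below).
set -u

# exports_present DIR
# Returns 0 when at least one graph export exists anywhere under DIR, else 1.
exports_present() {
  dir="$1"
  find "$dir" -type f \( -name '*.dot' -o -name 'dependency-graph*.json' \) 2>/dev/null | grep -q .
}

# should_upload EXIT_CODE LOG_LEVEL
# Encodes the expectation under test: exports are uploaded when the analyzer
# command failed (non-zero exit) or when SECURE_LOG_LEVEL is "debug".
should_upload() {
  code="$1"; level="$2"
  [ "$code" -ne 0 ] || [ "$level" = "debug" ]
}

# check_artifacts DIR EXIT_CODE LOG_LEVEL
# Returns 0 when the artifacts directory matches the expectation for the
# given scenario, 1 (with a message on stderr) when it does not.
check_artifacts() {
  dir="$1"; code="$2"; level="$3"
  if should_upload "$code" "$level"; then
    exports_present "$dir" && return 0
    echo "FAIL: expected graph exports in $dir (exit=$code, level=$level)" >&2
    return 1
  fi
  if exports_present "$dir"; then
    echo "FAIL: unexpected graph exports in $dir (exit=$code, level=$level)" >&2
    return 1
  fi
  return 0
}

# Usage in the qa job (assumed file name for the recorded exit code):
#   check_artifacts "$CI_PROJECT_DIR" "$(cat analyzer-exit-code)" "${SECURE_LOG_LEVEL:-info}"
```

Running this against the multimodule test projects above exercises the "multiple graph exports" case, since exports_present searches the whole artifact tree rather than a single fixed path.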
Available Tier
Ultimate/Gold
What does success look like, and how can we measure that?
Users can easily access the graph exports generated by gemnasium-maven and gemnasium-python scanning jobs when these jobs fail or when they want to investigate unexpected results.
What is the type of buyer?
Is this a cross-stage feature?
No