Fix gemnasium-db checkout
What does this MR do?
Fixes an issue with checking out gemnasium-db when the scan-time and build-time ref arguments match.
The new approach changes the following:
- in the case of tags and commit hashes, nothing is changed and a checkout is done as before
- in the case of branches, gemnasium checks whether the HEAD is detached, and if it's not it issues a git pull to make sure the db is up to date
There's an extra piece of code added to output a debug line during db update to show the commit id at HEAD.
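As an added illustration of the branch handling described above (example code written for this description, not the gemnasium project's own): the detached-HEAD check relies on `git symbolic-ref -q HEAD` exiting non-zero when HEAD is detached, the git runner is injectable so the decision logic can be exercised without a repository, and the `/gemnasium-db` path and `master` branch name are assumed values.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// Runner executes git with the given arguments inside the db checkout and
// returns trimmed stdout. It is injectable so the logic runs without git.
type Runner func(args ...string) (string, error)

// gitIn returns a Runner bound to a repository directory (path assumed).
func gitIn(dir string) Runner {
	return func(args ...string) (string, error) {
		cmd := exec.Command("git", args...)
		cmd.Dir = dir
		out, err := cmd.Output()
		return strings.TrimSpace(string(out)), err
	}
}

// headDetached reports whether HEAD is detached: `git symbolic-ref -q HEAD`
// prints refs/heads/<branch> on a branch and exits non-zero otherwise.
func headDetached(git Runner) bool {
	out, err := git("symbolic-ref", "-q", "HEAD")
	return err != nil || out == ""
}

// updateDB follows the approach in the MR: a tag or commit hash (isBranch
// false) is checked out as before; a branch is checked out and then pulled
// unless HEAD is detached. The commit id at HEAD is returned for the debug line.
func updateDB(git Runner, ref string, isBranch bool) (string, error) {
	if _, err := git("checkout", ref); err != nil {
		return "", fmt.Errorf("checkout %s: %w", ref, err)
	}
	if isBranch && !headDetached(git) {
		if _, err := git("pull"); err != nil {
			return "", fmt.Errorf("pull %s: %w", ref, err)
		}
	}
	return git("rev-parse", "HEAD")
}

func main() {
	head, err := updateDB(gitIn("/gemnasium-db"), "master", true) // assumed values
	fmt.Println("gemnasium-db HEAD:", head, "err:", err)
}
```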
Testing
The test branch CI config on go-modules works by updating gemnasium's docker image with a new local remote and then adding a new vulnerability in that remote (but not in the image's checked out repo (/gemnasium-db)). This simulates the issue of build time vs scan time updates.
Two reports (one against the latest tag and one against the image in this branch) are generated and compared. The one against the latest image does not get the new vuln, while the image from this branch correctly updates and generates the report.
Tests:
- Failing pipeline when comparing latest tag against itself: https://gitlab.com/gitlab-org/security-products/tests/go-modules/-/pipelines/249889381
- Passing pipeline when comparing latest tag against docker image in this branch: https://gitlab.com/gitlab-org/security-products/tests/go-modules/-/pipelines/249890130
What are the relevant issue numbers?
gitlab-org/gitlab#294296 (closed)
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer