Link to gemnasium-db project
What does this MR do?
In the generated report, change the URL of the primary identifier (specific to Gemnasium) to link to gemnasium-db. This can be overridden using `GEMNASIUM_DB_WEB_URL`. The URL points to the exact YAML file, in the exact branch used to synchronize the local git clone of gemnasium-db.
Prior to this change, the primary identifier linked to https://deps.sec.gitlab.com/, which is no longer available.
As a side effect, the options for the `Repo.Update()` method are now fields of the `Repo` struct. That's because the `Repo` now represents what we know about a repo, and it doesn't make sense to keep the update options separately.
Another side effect is that the git ref (AKA "ref name") is now required, since it's needed to calculate the URL of the advisory.
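The following Go snippet is an added illustration of the URL-building behaviour described above; it is not the project's own code, and the `Repo` shape, `NewRepo`, `AdvisoryURL` and the default web URL are assumptions made for the example. It shows the `GEMNASIUM_DB_WEB_URL` override, the requirement for a non-empty git ref, and per-segment path escaping so that a repository path such as `go/gopkg.in/yaml.v2/GMS-2019-2.yml` becomes the blob URL seen in the QA diff.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"strings"
)

// DefaultGemnasiumDBWebURL is the assumed default web location of gemnasium-db
// (example value; the real project may configure this differently).
const DefaultGemnasiumDBWebURL = "https://gitlab.com/gitlab-org/security-products/gemnasium-db"

// Repo is a hypothetical struct holding what we know about the local
// gemnasium-db clone. Formerly separate update options live here as fields.
type Repo struct {
	WebURL  string // base web URL of gemnasium-db; overridable via GEMNASIUM_DB_WEB_URL
	RefName string // git ref the local clone was synchronized to; required
}

// NewRepo builds a Repo for the given ref, applying the GEMNASIUM_DB_WEB_URL
// override when the variable is set and non-empty.
func NewRepo(refName string) (Repo, error) {
	if refName == "" {
		return Repo{}, errors.New("git ref name is required to build advisory URLs")
	}
	webURL := DefaultGemnasiumDBWebURL
	if v := os.Getenv("GEMNASIUM_DB_WEB_URL"); v != "" {
		webURL = v
	}
	return Repo{WebURL: strings.TrimRight(webURL, "/"), RefName: refName}, nil
}

// AdvisoryURL returns the web URL of the advisory YAML file at the repo's ref.
// advisoryPath is the path of the file inside gemnasium-db, e.g.
// "go/gopkg.in/yaml.v2/GMS-2019-2.yml". Each path segment is escaped
// separately so the slashes that structure the path are preserved.
func (r Repo) AdvisoryURL(advisoryPath string) (string, error) {
	if r.RefName == "" {
		return "", errors.New("repo has no ref name; cannot build advisory URL")
	}
	raw := strings.Split(strings.Trim(advisoryPath, "/"), "/")
	segs := make([]string, 0, len(raw))
	for _, s := range raw {
		if s == "" || s == "." || s == ".." {
			return "", fmt.Errorf("invalid advisory path segment %q", s)
		}
		segs = append(segs, url.PathEscape(s))
	}
	return fmt.Sprintf("%s/-/blob/%s/%s", r.WebURL, url.PathEscape(r.RefName), strings.Join(segs, "/")), nil
}

func main() {
	r, err := NewRepo("2020-01-15") // constructed ref name for the example
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	u, err := r.AdvisoryURL("go/gopkg.in/yaml.v2/GMS-2019-2.yml")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(u)
}
```

Rejecting `.` and `..` segments keeps a malformed advisory path from producing a URL that escapes the intended directory of the repository browser, which is the kind of check a reviewer would expect when a report embeds a link built from file paths.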
Diff in QA job of tests/go-modules:
--- qa/expect/gl-dependency-scanning-report-sanitized.json
+++ gl-dependency-scanning-report-sanitized.json
@@ -26,7 +26,7 @@
"type": "gemnasium",
"name": "Gemnasium-7368f513-0aa9-4e34-a08d-40ea81f48e0e",
"value": "7368f513-0aa9-4e34-a08d-40ea81f48e0e",
- "url": "https://deps.sec.gitlab.com/packages/go/gopkg.in/yaml.v2/versions/v2.2.2/advisories"
+ "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/2020-01-15/go/gopkg.in/yaml.v2/GMS-2019-2.yml"
}
],
"links": [
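Review bot: the new expected `url` hard-codes the ref segment `2020-01-15` alongside the advisory path, so this sanitized QA expectation will break whenever the branch the QA job synchronizes gemnasium-db to changes, even though the advisory itself is unchanged. Consider having the sanitization step normalize the ref segment of the URL (as it already does for other environment-dependent values), or note in the QA job documentation that this expectation must be regenerated when the sync branch moves.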
It now links to https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/2020-01-15/go/gopkg.in/yaml.v2/GMS-2019-2.yml, as expected.
What are the relevant issue numbers?
gitlab-org/gitlab#34694 (closed)
Does this MR meet the acceptance criteria?
- Changelog entry added
- [-] Documentation created/updated for GitLab EE, if necessary
- [-] Documentation created/updated for this project, if necessary
- [-] Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- [-] Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer