Enable vulnerability tracking
What does this MR do?
This MR enables AVT so Java vulnerabilities can be better tracked as they move through the code.
This MR:
- Enables the tracking calculator and runs it through the custom start.sh script provided in this project
- Adds a maven fixture that includes vulnerabilities that AVT can track (the existing fixtures did not include Java vulnerabilities)
- Adds spec that uses the maven fixture and tests AVT by setting the variable
'GITLAB_FEATURES': 'vulnerability_finding_signatures' - Updates the spec function
parse_expected_reportto enable theanalyzer-refresh-expected-jsonscript - Refreshes the expected JSON
Note: spotbugs is used to scan groovy, scala and kt files. AVT doesn't support any of those languages as of https://gitlab.com/gitlab-org/security-products/post-analyzers/tracking-calculator/-/releases/v2.4.0, but spotbugs also scans Java files which AVT does support.
Adding support for kotlin is also planned https://gitlab.com/gitlab-org/gitlab/-/issues/336640
What are the relevant issue numbers?
gitlab-org/gitlab#373921 (closed)
Does this MR meet the acceptance criteria?
-
Changelog entry added -
Documentation created/updated for GitLab EE, if necessary -
Documentation created/updated for this project, if necessary -
Documentation reviewed by technical writer or follow-up review issue created -
Tests updated/added for this feature/bug -
Job definition updated, if necessary -
Conforms to the code review guidelines -
Conforms to the Go guidelines -
Security reports checked/validated by reviewer
Edited by Craig Smith