Merge branch '335789-validate-against-vendored-schemas' into 'master'

Validate against vendored schemas See merge request gitlab-org/gitlab!83478

Merge branch '335789-validate-against-vendored-schemas' into 'master'
Validate against vendored schemas See merge request gitlab-org/gitlab!83478
fcbc452f · James Fargher · 0bd90233 · c03aa7d1 · fcbc452f · fcbc452f
Commit fcbc452f authored Mar 30, 2022 by James Fargher
4 changed files
--- a/config/feature_flags/development/enforce_security_report_validation.yml
+++ b/config/feature_flags/development/enforce_security_report_validation.yml
+---
+name: enforce_security_report_validation
+introduced_by_url:
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/351000
+milestone: '14.9'
+type: development
+group: group::threat insights
+default_enabled: false
--- a/ee/spec/lib/ee/gitlab/ci/parsers/security/validators/schema_validator_spec.rb
+++ b/ee/spec/lib/ee/gitlab/ci/parsers/security/validators/schema_validator_spec.rb
@@ -5,17 +5,17 @@ require 'spec_helper'
 RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do
  using RSpec::Parameterized::TableSyntax

-  where(:report_type, :expected_errors, :valid_data) do
-    :cluster_image_scanning     | ['root is missing required keys: vulnerabilities']                   | { 'version' => '10.0.0', 'vulnerabilities' => [] }
-    :container_scanning         | ['root is missing required keys: vulnerabilities']                   | { 'version' => '10.0.0', 'vulnerabilities' => [] }
-    :coverage_fuzzing           | ['root is missing required keys: vulnerabilities']                   | { 'version' => '10.0.0', 'vulnerabilities' => [] }
-    :dast                       | ['root is missing required keys: vulnerabilities']                   | { 'version' => '10.0.0', 'vulnerabilities' => [] }
-    :dependency_scanning        | ['root is missing required keys: dependency_files, vulnerabilities'] | { 'version' => '10.0.0', 'vulnerabilities' => [], 'dependency_files' => [] }
-    :api_fuzzing                | ['root is missing required keys: vulnerabilities']                   | { 'version' => '10.0.0', 'vulnerabilities' => [] }
+  where(:report_type, :expected_errors, :expected_warnings, :valid_data) do
+    :cluster_image_scanning     | ['root is missing required keys: vulnerabilities']                   | lazy { expected_warnings_array } | { 'version' => '10.0.0', 'vulnerabilities' => [] }
+    :container_scanning         | ['root is missing required keys: vulnerabilities']                   | lazy { expected_warnings_array } | { 'version' => '10.0.0', 'vulnerabilities' => [] }
+    :coverage_fuzzing           | ['root is missing required keys: vulnerabilities']                   | lazy { expected_warnings_array } | { 'version' => '10.0.0', 'vulnerabilities' => [] }
+    :dast                       | ['root is missing required keys: vulnerabilities']                   | lazy { expected_warnings_array } | { 'version' => '10.0.0', 'vulnerabilities' => [] }
+    :dependency_scanning        | ['root is missing required keys: dependency_files, vulnerabilities'] | lazy { expected_warnings_array } | { 'version' => '10.0.0', 'vulnerabilities' => [], 'dependency_files' => [] }
+    :api_fuzzing                | ['root is missing required keys: vulnerabilities']                   | lazy { expected_warnings_array } | { 'version' => '10.0.0', 'vulnerabilities' => [] }
  end

  with_them do
-    let(:validator) { described_class.new(report_type, report_data) }
+    let(:validator) { described_class.new(report_type, report_data, valid_data['version']) }

    describe '#valid?' do
      subject { validator.valid? }
@@ -33,6 +33,22 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do
      end
    end

+    describe '#warnings' do
+      subject { validator.warnings }
+
+      context 'when given data is valid according to the schema' do
+        let(:report_data) { valid_data }
+        let(:supported_version) { described_class::SUPPORTED_VERSIONS[report_type].join(", ") }
+        let(:expected_warnings_array) do
+          [
+            "Version 10.0.0 for report type #{report_type} has been deprecated, supported versions for this report type are: #{supported_version}"
+          ]
+        end
+
+        it { is_expected.to eq(expected_warnings) }
+      end
+    end
+
    describe '#errors' do
      let(:report_data) { { 'version' => '10.0.0' } }


--- a/lib/gitlab/ci/parsers/security/validators/schema_validator.rb
+++ b/lib/gitlab/ci/parsers/security/validators/schema_validator.rb
@@ -87,19 +87,80 @@ module Gitlab
            end

            def initialize(report_type, report_data, report_version = nil)
-              @report_type = report_type
+              @report_type = report_type&.to_sym
              @report_data = report_data
              @report_version = report_version
+              @errors = []
+              @warnings = []
+
+              populate_errors
+              populate_warnings
            end

            def valid?
              errors.empty?
            end

-            def errors
-              @errors ||= schema.validate(report_data).map { |error| JSONSchemer::Errors.pretty(error) }
+            def populate_errors
+              if Feature.enabled?(:enforce_security_report_validation)
+                @errors += schema.validate(report_data).map { |error| JSONSchemer::Errors.pretty(error) }
+              else
+                @warnings += schema.validate(report_data).map { |error| JSONSchemer::Errors.pretty(error) }
+              end
+            end
+
+            def populate_warnings
+              add_deprecated_report_version_message if report_uses_deprecated_schema_version?
+              add_unsupported_report_version_message if !report_uses_supported_schema_version? && !report_uses_deprecated_schema_version?
+            end
+
+            def add_deprecated_report_version_message
+              message = "Version #{report_version} for report type #{report_type} has been deprecated, supported versions for this report type are: #{supported_schema_versions}"
+              add_message_as(level: :warning, message: message)
            end

+            def add_unsupported_report_version_message
+              if Feature.enabled?(:enforce_security_report_validation)
+                handle_unsupported_report_version(treat_as: :error)
+              else
+                handle_unsupported_report_version(treat_as: :warning)
+              end
+            end
+
+            def report_uses_deprecated_schema_version?
+              DEPRECATED_VERSIONS[report_type].include?(report_version)
+            end
+
+            def report_uses_supported_schema_version?
+              SUPPORTED_VERSIONS[report_type].include?(report_version)
+            end
+
+            def handle_unsupported_report_version(treat_as:)
+              if report_version.nil?
+                message = "Report version not provided, #{report_type} report type supports versions: #{supported_schema_versions}"
+                add_message_as(level: treat_as, message: message)
+              else
+                message = "Version #{report_version} for report type #{report_type} is unsupported, supported versions for this report type are: #{supported_schema_versions}"
+              end
+
+              add_message_as(level: treat_as, message: message)
+            end
+
+            def supported_schema_versions
+              SUPPORTED_VERSIONS[report_type].join(", ")
+            end
+
+            def add_message_as(level:, message:)
+              case level
+              when :error
+                @errors << message
+              when :warning
+                @warnings << message
+              end
+            end
+
+            attr_reader :errors, :warnings
+
            private

            attr_reader :report_type, :report_data, :report_version

--- a/spec/lib/gitlab/ci/parsers/security/validators/schema_validator_spec.rb
+++ b/spec/lib/gitlab/ci/parsers/security/validators/schema_validator_spec.rb