Enforce schema validation for security reports

Changelog: changed EE: true

Enforce schema validation for security reports
Changelog: changed EE: true
27b25fe8 · Michał Zając · e02fa0fd · 27b25fe8 · 27b25fe8 · 27b25fe8
Commit 27b25fe8 authored Mar 22, 2022 by Michał Zając
4 changed files
--- a/config/feature_flags/development/enforce_security_report_validation.yml
+++ b/config/feature_flags/development/enforce_security_report_validation.yml
+---
+name: enforce_security_report_validation
+introduced_by_url:
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/351000
+milestone: '14.9'
+type: development
+group: group::threat insights
+default_enabled: false
--- a/ee/app/models/ee/ci/build.rb
+++ b/ee/app/models/ee/ci/build.rb
@@ -183,7 +183,11 @@ module EE
      end

      def validate_schema?
-        variables[VALIDATE_SCHEMA_VARIABLE_NAME]&.value&.casecmp?('true')
+        if ::Feature.enabled?(:enforce_security_report_validation, project)
+          true
+        else
+          variables[VALIDATE_SCHEMA_VARIABLE_NAME]&.value&.casecmp?('true')
+        end
      end

      private

--- a/ee/spec/models/ci/build_spec.rb
+++ b/ee/spec/models/ci/build_spec.rb
@@ -738,23 +738,55 @@ RSpec.describe Ci::Build, :saas do
      ci_build.yaml_variables = variables
    end

-    context 'when the yaml variables does not have the configuration' do
-      let(:variables) { [] }
+    context 'when enforce_security_report_validation is enabled' do
+      before do
+        stub_feature_flags(enforce_security_report_validation: true)
+      end

-      it { is_expected.to be_falsey }
+      context 'when the yaml variables does not have the configuration' do
+        let(:variables) { [] }
+
+        it { is_expected.to be_truthy }
+      end
+
+      context 'when the yaml variables has the configuration' do
+        context 'when the configuration is set as `false`' do
+          let(:variables) { [{ key: 'VALIDATE_SCHEMA', value: 'false' }] }
+
+          it { is_expected.to be_truthy }
+        end
+
+        context 'when the configuration is set as `true`' do
+          let(:variables) { [{ key: 'VALIDATE_SCHEMA', value: 'true' }] }
+
+          it { is_expected.to be_truthy }
+        end
+      end
    end

-    context 'when the yaml variables has the configuration' do
-      context 'when the configuration is set as `false`' do
-        let(:variables) { [{ key: 'VALIDATE_SCHEMA', value: 'false' }] }
+    context 'when enforce_security_report_validation is disabled' do
+      before do
+        stub_feature_flags(enforce_security_report_validation: false)
+      end
+
+      context 'when the yaml variables does not have the configuration' do
+        let(:variables) { [] }

        it { is_expected.to be_falsey }
      end

-      context 'when the configuration is set as `true`' do
-        let(:variables) { [{ key: 'VALIDATE_SCHEMA', value: 'true' }] }
+      context 'when the yaml variables has the configuration' do
+        context 'when the configuration is set as `false`' do
+          let(:variables) { [{ key: 'VALIDATE_SCHEMA', value: 'false' }] }

-        it { is_expected.to be_truthy }
+          it { is_expected.to be_falsey }
+        end
+
+        context 'when the configuration is set as `true`' do
+          let(:variables) { [{ key: 'VALIDATE_SCHEMA', value: 'true' }] }
+
+          it { is_expected.to be_truthy }
+        end
      end
    end
  end

--- a/ee/spec/services/security/store_grouped_scans_service_spec.rb
+++ b/ee/spec/services/security/store_grouped_scans_service_spec.rb
@@ -91,12 +91,65 @@ RSpec.describe Security::StoreGroupedScansService do
      end

      context 'when the artifacts are not dependency_scanning' do
-        it 'calls the Security::StoreScanService with ordered artifacts' do
-          store_scan_group
+        context 'when enforce_security_report_validation is enabled' do
+          before do
+            stub_feature_flags(enforce_security_report_validation: true)
+          end

-          expect(Security::StoreScanService).to have_received(:execute).with(artifact_1, empty_set, false).ordered
-          expect(Security::StoreScanService).to have_received(:execute).with(artifact_2, empty_set, true).ordered
-          expect(Security::StoreScanService).to have_received(:execute).with(artifact_3, empty_set, true).ordered
+          context "and reports doesn't pass schema validation" do
+            it 'calls the Security::StoreScanService with ordered artifacts' do
+              store_scan_group
+
+              expect(Security::StoreScanService).to have_received(:execute).with(artifact_3, empty_set, false).ordered
+              expect(Security::StoreScanService).to have_received(:execute).with(artifact_2, empty_set, true).ordered
+              expect(Security::StoreScanService).to have_received(:execute).with(artifact_1, empty_set, true).ordered
+            end
+          end
+
+          context "some of the reports don't pass schema validation" do
+            let_it_be(:valid_artifact_1) { create(:ee_ci_job_artifact, :dast_14_0_2, job: create(:ee_ci_build)) }
+            let_it_be(:valid_artifact_2) { create(:ee_ci_job_artifact, :dast_14_0_2, job: create(:ee_ci_build)) }
+
+            let(:artifacts) { [valid_artifact_1, valid_artifact_2, artifact_1] }
+
+            it 'calls the Security::StoreScanService with correctly ordered artifacts' do
+              store_scan_group
+
+              expect(Security::StoreScanService).to have_received(:execute).with(valid_artifact_1, empty_set, false).ordered
+              expect(Security::StoreScanService).to have_received(:execute).with(valid_artifact_2, empty_set, true).ordered
+              expect(Security::StoreScanService).to have_received(:execute).with(artifact_1, empty_set, true).ordered
+            end
+          end
+
+          context 'and report does pass schema validation' do
+            let_it_be(:valid_artifact_1) { create(:ee_ci_job_artifact, :dast_14_0_2, job: create(:ee_ci_build)) }
+            let_it_be(:valid_artifact_2) { create(:ee_ci_job_artifact, :dast_14_0_2, job: create(:ee_ci_build)) }
+            let_it_be(:valid_artifact_3) { create(:ee_ci_job_artifact, :dast_14_0_2, job: create(:ee_ci_build)) }
+
+            let(:artifacts) { [valid_artifact_1, valid_artifact_2, valid_artifact_3] }
+
+            it 'calls the Security::StoreScanService with ordered artifacts' do
+              store_scan_group
+
+              expect(Security::StoreScanService).to have_received(:execute).with(valid_artifact_1, empty_set, false).ordered
+              expect(Security::StoreScanService).to have_received(:execute).with(valid_artifact_2, empty_set, true).ordered
+              expect(Security::StoreScanService).to have_received(:execute).with(valid_artifact_3, empty_set, true).ordered
+            end
+          end
+        end
+
+        context 'when enforce_security_report_validation is disabled' do
+          before do
+            stub_feature_flags(enforce_security_report_validation: false)
+          end
+
+          it 'calls the Security::StoreScanService with ordered artifacts' do
+            store_scan_group
+
+            expect(Security::StoreScanService).to have_received(:execute).with(artifact_1, empty_set, false).ordered
+            expect(Security::StoreScanService).to have_received(:execute).with(artifact_2, empty_set, true).ordered
+            expect(Security::StoreScanService).to have_received(:execute).with(artifact_3, empty_set, true).ordered
+          end
        end
      end