Merge branch '350993-implement-a-security-report-schema-deprecation-mechanism' into 'master'

Add SUPPORTED_VERSIONS and DEPRECATED_VERSIONS to SchemaValidator See merge request gitlab-org/gitlab!80498

Merge branch '350993-implement-a-security-report-schema-deprecation-mechanism' into 'master'
Add SUPPORTED_VERSIONS and DEPRECATED_VERSIONS to SchemaValidator See merge request gitlab-org/gitlab!80498
b5daae7b · Sincheol (David) Kim · 4885028e · 27691c6c · b5daae7b · b5daae7b
Commit b5daae7b authored Feb 18, 2022 by Sincheol (David) Kim
2 changed files
--- a/lib/gitlab/ci/parsers/security/validators/schema_validator.rb
+++ b/lib/gitlab/ci/parsers/security/validators/schema_validator.rb
@@ -6,6 +6,41 @@ module Gitlab
      module Security
        module Validators
          class SchemaValidator
+            # https://docs.gitlab.com/ee/update/deprecations.html#147
+            SUPPORTED_VERSIONS = {
+              cluster_image_scanning: %w[14.0.4 14.0.5 14.0.6 14.1.0],
+              container_scanning: %w[14.0.0 14.0.1 14.0.2 14.0.3 14.0.4 14.0.5 14.0.6 14.1.0],
+              coverage_fuzzing: %w[14.0.0 14.0.1 14.0.2 14.0.3 14.0.4 14.0.5 14.0.6 14.1.0],
+              dast: %w[14.0.0 14.0.1 14.0.2 14.0.3 14.0.4 14.0.5 14.0.6 14.1.0],
+              api_fuzzing: %w[14.0.0 14.0.1 14.0.2 14.0.3 14.0.4 14.0.5 14.0.6 14.1.0],
+              dependency_scanning: %w[14.0.0 14.0.1 14.0.2 14.0.3 14.0.4 14.0.5 14.0.6 14.1.0],
+              sast: %w[14.0.0 14.0.1 14.0.2 14.0.3 14.0.4 14.0.5 14.0.6 14.1.0],
+              secret_detection: %w[14.0.0 14.0.1 14.0.2 14.0.3 14.0.4 14.0.5 14.0.6 14.1.0]
+            }.freeze
+
+            # https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/tags
+            PREVIOUS_RELEASES = %w[10.0.0 12.0.0 12.1.0 13.0.0
+                                   13.1.0 2.3.0-rc1 2.3.0-rc1 2.3.1-rc1 2.3.2-rc1 2.3.3-rc1
+                                   2.4.0-rc1 3.0.0 3.0.0-rc1 3.1.0-rc1 4.0.0-rc1 5.0.0-rc1
+                                   5.0.1-rc1 6.0.0-rc1 6.0.1-rc1 6.1.0-rc1 7.0.0-rc1 7.0.1-rc1
+                                   8.0.0-rc1 8.0.1-rc1 8.1.0-rc1 9.0.0-rc1].freeze
+
+            # These come from https://app.periscopedata.com/app/gitlab/895813/Secure-Scan-metrics?widget=12248944&udv=1385516
+            KNOWN_VERSIONS_TO_DEPRECATE = %w[0.1 1.0 1.0.0 1.2 1.3 10.0.0 12.1.0 13.1.0 2.0 2.1 2.1.0 2.3 2.3.0 2.4 3.0 3.0.0 3.0.6 3.13.2 V2.7.0].freeze
+
+            VERSIONS_TO_DEPRECATE_IN_15_0 = (PREVIOUS_RELEASES + KNOWN_VERSIONS_TO_DEPRECATE).freeze
+
+            DEPRECATED_VERSIONS = {
+              cluster_image_scanning: VERSIONS_TO_DEPRECATE_IN_15_0,
+              container_scanning: VERSIONS_TO_DEPRECATE_IN_15_0,
+              coverage_fuzzing: VERSIONS_TO_DEPRECATE_IN_15_0,
+              dast: VERSIONS_TO_DEPRECATE_IN_15_0,
+              api_fuzzing: VERSIONS_TO_DEPRECATE_IN_15_0,
+              dependency_scanning: VERSIONS_TO_DEPRECATE_IN_15_0,
+              sast: VERSIONS_TO_DEPRECATE_IN_15_0,
+              secret_detection: VERSIONS_TO_DEPRECATE_IN_15_0
+            }.freeze
+
            class Schema
              def root_path
                File.join(__dir__, 'schemas')

--- a/spec/lib/gitlab/ci/parsers/security/validators/schema_validator_spec.rb
+++ b/spec/lib/gitlab/ci/parsers/security/validators/schema_validator_spec.rb
@@ -3,6 +3,50 @@
 require 'spec_helper'

 RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do
+  describe 'SUPPORTED_VERSIONS' do
+    schema_path = Rails.root.join("lib", "gitlab", "ci", "parsers", "security", "validators", "schemas")
+
+    it 'matches DEPRECATED_VERSIONS keys' do
+      expect(described_class::SUPPORTED_VERSIONS.keys).to eq(described_class::DEPRECATED_VERSIONS.keys)
+    end
+
+    context 'files under schema path are explicitly listed' do
+      # We only care about the part that comes before report-format.json
+      # https://rubular.com/r/N8Juz7r8hYDYgD
+      filename_regex = /(?<report_type>[-\w]*)\-report-format.json/
+
+      versions = Dir.glob(File.join(schema_path, "*", File::SEPARATOR)).map { |path| path.split("/").last }
+
+      versions.each do |version|
+        files = Dir[schema_path.join(version, "*.json")]
+
+        files.each do |file|
+          matches = filename_regex.match(file)
+          report_type = matches[:report_type].tr("-", "_").to_sym
+
+          it "#{report_type} #{version}" do
+            expect(described_class::SUPPORTED_VERSIONS[report_type]).to include(version)
+          end
+        end
+      end
+    end
+
+    context 'every SUPPORTED_VERSION has a corresponding JSON file' do
+      described_class::SUPPORTED_VERSIONS.each_key do |report_type|
+        # api_fuzzing is covered by DAST schema
+        next if report_type == :api_fuzzing
+
+        described_class::SUPPORTED_VERSIONS[report_type].each do |version|
+          it "#{report_type} #{version} schema file is present" do
+            filename = "#{report_type.to_s.tr("_", "-")}-report-format.json"
+            full_path = schema_path.join(version, filename)
+            expect(File.file?(full_path)).to be true
+          end
+        end
+      end
+    end
+  end
+
  using RSpec::Parameterized::TableSyntax

  where(:report_type, :expected_errors, :valid_data) do