Merge branch '5778_rename_container_scanning_job_and_artifact-ee' into 'master'

Rename container scanning job and artifact

See merge request gitlab-org/gitlab-ee!5770

doc/ci/examples/container_scanning.md

@@ -34,9 +34,9 @@ container_scanning:
     - retries=0
     - echo "Waiting for clair daemon to start"
     - while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
-    - ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-sast-container-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
+    - ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
   artifacts:
-    paths: [gl-sast-container-report.json]
+    paths: [gl-container-scanning-report.json]
 ```
 
 The above example will create a `container_scanning` job in your CI/CD pipeline, pull
@@ -53,7 +53,14 @@ TIP: **Tip:**
 Starting with [GitLab Ultimate][ee] 10.4, this information will
 be automatically extracted and shown right in the merge request widget. To do
 so, the CI/CD job must be named `container_scanning` and the artifact path must be
-`gl-sast-container-report.json`.
+`gl-container-scanning-report.json`.
 [Learn more on container scanning results shown in merge requests](https://docs.gitlab.com/ee/user/project/merge_requests/container_scanning.html).
 
+CAUTION: **Caution:**
+Container Scanning was previously using `sast:container` for job name and
+`gl-sast-container-report.json` for the artifact name. While these old names
+are still maintained they have been deprecated with GitLab 11.0 and may be removed
+in next major release, GitLab 12.0. You are advised to update your current `.gitlab-ci.yml`
+configuration to reflect that change.
+
 [ee]: https://about.gitlab.com/products/

doc/user/project/merge_requests/container_scanning.md

@@ -25,20 +25,21 @@ to perform audits for your Docker-based apps.
 
 ## How it works
 
->**Note:**
-In [GitLab Ultimate][ee] 10.7, another job name has been introduced: `container_scanning`.
-This new job name will replace `sast:container` which is scheduled to be removed in
-GitLab 11.0. You are advised to update your current `.gitlab-ci.yml` configuration
-to reflect that change.
-
 In order for the report to show in the merge request, you need to specify a
 `container_scanning` job (exact name) that will analyze the code and upload the
-resulting `gl-sast-container-report.json` file as an artifact (exact filename).
+resulting `gl-container-scanning-report.json` file as an artifact (exact filename).
 GitLab will then check this file and show the information inside the merge request.
 
 For more information on how the `container_scanning` job should look like, check the
 example on [analyzing a Docker image for vulnerabilities][cc-docs].
 
+CAUTION: **Caution:**
+Container Scanning was previously using `sast:container` for job name and
+`gl-sast-container-report.json` for the artifact name. While these old names
+are still maintained they have been deprecated with GitLab 11.0 and may be removed
+in next major release, GitLab 12.0. You are advised to update your current `.gitlab-ci.yml`
+configuration to reflect that change.
+
 [ee-3672]: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/3672
 [ee]: https://about.gitlab.com/products/
 [ci]: ../../../ci/README.md

ee/app/models/ee/ci/build.rb

@@ -12,7 +12,9 @@ module EE
       LICENSE_MANAGEMENT_FILE = 'gl-license-report.json'.freeze
       SAST_FILE = 'gl-sast-report.json'.freeze
       PERFORMANCE_FILE = 'performance.json'.freeze
+      # SAST_CONTAINER_FILE is deprecated and replaced with CONTAINER_SCANNING_FILE (#5778)
       SAST_CONTAINER_FILE = 'gl-sast-container-report.json'.freeze
+      CONTAINER_SCANNING_FILE = 'gl-container-scanning-report.json'.freeze
       DAST_FILE = 'gl-dast-report.json'.freeze
 
       included do
@@ -21,7 +23,7 @@ module EE
         scope :sast, -> { where(name: 'sast') }
         scope :dependency_scanning, -> { where(name: 'dependency_scanning') }
         scope :license_management, -> { where(name: 'license_management') }
-        scope :sast_container, -> { where(name: %w[container_scanning sast:container]) }
+        scope :sast_container, -> { where(name: %w[sast:container container_scanning]) }
         scope :dast, -> { where(name: 'dast') }
 
         after_save :stick_build_if_status_changed
@@ -64,10 +66,15 @@ module EE
         has_artifact?(LICENSE_MANAGEMENT_FILE)
       end
 
+      # has_sast_container_json? is deprecated and replaced with has_container_scanning_json? (#5778)
       def has_sast_container_json?
         has_artifact?(SAST_CONTAINER_FILE)
       end
 
+      def has_container_scanning_json?
+        has_artifact?(CONTAINER_SCANNING_FILE)
+      end
+
       def has_dast_json?
         has_artifact?(DAST_FILE)
       end

ee/app/models/ee/ci/pipeline.rb

@@ -32,10 +32,15 @@ module EE
         @license_management_artifact ||= artifacts.license_management.find(&:has_license_management_json?)
       end
 
+      # sast_container_artifact is deprecated and replaced with container_scanning_artifact (#5778)
       def sast_container_artifact
         @sast_container_artifact ||= artifacts.sast_container.find(&:has_sast_container_json?)
       end
 
+      def container_scanning_artifact
+        @container_scanning_artifact ||= artifacts.sast_container.find(&:has_container_scanning_json?)
+      end
+
       def dast_artifact
         @dast_artifact ||= artifacts.dast.find(&:has_dast_json?)
       end
@@ -56,10 +61,15 @@ module EE
         license_management_artifact&.success?
       end
 
+      # has_sast_container_data? is deprecated and replaced with has_container_scanning_data? (#5778)
       def has_sast_container_data?
         sast_container_artifact&.success?
       end
 
+      def has_container_scanning_data?
+        container_scanning_artifact&.success?
+      end
+
       def has_dast_data?
         dast_artifact&.success?
       end
@@ -87,11 +97,17 @@ module EE
           has_license_management_data?
       end
 
+      # expose_sast_container_data? is deprecated and replaced with expose_container_scanning_data? (#5778)
       def expose_sast_container_data?
         project.feature_available?(:sast_container) &&
           has_sast_container_data?
       end
 
+      def expose_container_scanning_data?
+        project.feature_available?(:sast_container) &&
+          has_container_scanning_data?
+      end
+
       def expose_dast_data?
         project.feature_available?(:dast) &&
           has_dast_data?

ee/app/models/ee/merge_request.rb

@@ -20,8 +20,11 @@ module EE
       delegate :dependency_scanning_artifact, to: :base_pipeline, prefix: :base, allow_nil: true
       delegate :license_management_artifact, to: :head_pipeline, prefix: :head, allow_nil: true
       delegate :license_management_artifact, to: :base_pipeline, prefix: :base, allow_nil: true
+      # sast_container_artifact is deprecated and replaced with container_scanning_artifact (#5778)
       delegate :sast_container_artifact, to: :head_pipeline, prefix: :head, allow_nil: true
       delegate :sast_container_artifact, to: :base_pipeline, prefix: :base, allow_nil: true
+      delegate :container_scanning_artifact, to: :head_pipeline, prefix: :head, allow_nil: true
+      delegate :container_scanning_artifact, to: :base_pipeline, prefix: :base, allow_nil: true
       delegate :dast_artifact, to: :head_pipeline, prefix: :head, allow_nil: true
       delegate :dast_artifact, to: :base_pipeline, prefix: :base, allow_nil: true
       delegate :sha, to: :head_pipeline, prefix: :head_pipeline, allow_nil: true
@@ -29,12 +32,16 @@ module EE
       delegate :has_sast_data?, to: :base_pipeline, prefix: :base, allow_nil: true
       delegate :has_dependency_scanning_data?, to: :base_pipeline, prefix: :base, allow_nil: true
       delegate :has_license_management_data?, to: :base_pipeline, prefix: :base, allow_nil: true
+      # has_sast_container_data? is deprecated and replaced with has_container_scanning_data? (#5778)
       delegate :has_sast_container_data?, to: :base_pipeline, prefix: :base, allow_nil: true
+      delegate :has_container_scanning_data?, to: :base_pipeline, prefix: :base, allow_nil: true
       delegate :has_dast_data?, to: :base_pipeline, prefix: :base, allow_nil: true
       delegate :expose_sast_data?, to: :head_pipeline, allow_nil: true
       delegate :expose_dependency_scanning_data?, to: :head_pipeline, allow_nil: true
       delegate :expose_license_management_data?, to: :head_pipeline, allow_nil: true
+      # expose_sast_container_data? is deprecated and replaced with expose_container_scanning_data? (#5778)
       delegate :expose_sast_container_data?, to: :head_pipeline, allow_nil: true
+      delegate :expose_container_scanning_data?, to: :head_pipeline, allow_nil: true
       delegate :expose_dast_data?, to: :head_pipeline, allow_nil: true
     end
 

ee/app/serializers/ee/merge_request_widget_entity.rb

@@ -83,6 +83,7 @@ module EE
         end
       end
 
+      # expose_sast_container_data? is deprecated and replaced with expose_container_scanning_data? (#5778)
       expose :sast_container, if: -> (mr, _) { mr.expose_sast_container_data? } do
         expose :head_path, if: -> (mr, _) { can?(current_user, :read_build, mr.head_sast_container_artifact) } do |merge_request|
           raw_project_build_artifacts_url(merge_request.source_project,
@@ -97,6 +98,21 @@ module EE
         end
       end
 
+      # We still expose it as `sast_container` to keep compatibility with Frontend (#5778)
+      expose :sast_container, if: -> (mr, _) { mr.expose_container_scanning_data? } do
+        expose :head_path, if: -> (mr, _) { can?(current_user, :read_build, mr.head_container_scanning_artifact) } do |merge_request|
+          raw_project_build_artifacts_url(merge_request.source_project,
+                                          merge_request.head_container_scanning_artifact,
+                                          path: Ci::Build::CONTAINER_SCANNING_FILE)
+        end
+
+        expose :base_path, if: -> (mr, _) { mr.base_has_container_scanning_data? && can?(current_user, :read_build, mr.base_container_scanning_artifact) } do |merge_request|
+          raw_project_build_artifacts_url(merge_request.target_project,
+                                          merge_request.base_container_scanning_artifact,
+                                          path: Ci::Build::CONTAINER_SCANNING_FILE)
+        end
+      end
+
       expose :dast, if: -> (mr, _) { mr.expose_dast_data? } do
         expose :head_path, if: -> (mr, _) { can?(current_user, :read_build, mr.head_dast_artifact) } do |merge_request|
           raw_project_build_artifacts_url(merge_request.source_project,

ee/changelogs/unreleased/5778_rename_container_scanning_job_and_artifact-ee.yml

+---
+title: Rename Container Scanning job and artifact
+merge_request: 5770
+author:
+type: deprecated

ee/spec/models/ci/build_spec.rb

@@ -143,7 +143,9 @@ describe Ci::Build do
     has_sast_json?: Ci::Build::SAST_FILE,
     has_dependency_scanning_json?: Ci::Build::DEPENDENCY_SCANNING_FILE,
     has_license_management_json?: Ci::Build::LICENSE_MANAGEMENT_FILE,
+    # has_sast_container_json? is deprecated and replaced with has_container_scanning_json (#5778)
     has_sast_container_json?: Ci::Build::SAST_CONTAINER_FILE,
+    has_container_scanning_json?: Ci::Build::CONTAINER_SCANNING_FILE,
     has_dast_json?: Ci::Build::DAST_FILE
   }.freeze
 

ee/spec/models/ci/pipeline_spec.rb

@@ -17,17 +17,22 @@ describe Ci::Pipeline do
     end
   end
 
-  PIPELINE_ARTIFACTS_METHODS = {
-    codeclimate_artifact: [Ci::Build::CODEQUALITY_FILE, 'codequality'],
-    performance_artifact: [Ci::Build::PERFORMANCE_FILE, 'performance'],
-    sast_artifact: [Ci::Build::SAST_FILE, 'sast'],
-    dependency_scanning_artifact: [Ci::Build::DEPENDENCY_SCANNING_FILE, 'dependency_scanning'],
-    license_management_artifact: [Ci::Build::LICENSE_MANAGEMENT_FILE, 'license_management'],
-    sast_container_artifact: [Ci::Build::SAST_CONTAINER_FILE, 'container_scanning'],
-    dast_artifact: [Ci::Build::DAST_FILE, 'dast']
-  }.freeze
-
-  PIPELINE_ARTIFACTS_METHODS.each do |method, options|
+  PIPELINE_ARTIFACTS_METHODS = [
+    { method: :codeclimate_artifact, options: [Ci::Build::CODEQUALITY_FILE, 'codequality'] },
+    { method: :performance_artifact, options: [Ci::Build::PERFORMANCE_FILE, 'performance'] },
+    { method: :sast_artifact, options: [Ci::Build::SAST_FILE, 'sast'] },
+    { method: :dependency_scanning_artifact, options: [Ci::Build::DEPENDENCY_SCANNING_FILE, 'dependency_scanning'] },
+    { method: :license_management_artifact, options: [Ci::Build::LICENSE_MANAGEMENT_FILE, 'license_management'] },
+    # sast_container_artifact is deprecated and replaced with container_scanning_artifact (#5778)
+    { method: :sast_container_artifact, options: [Ci::Build::SAST_CONTAINER_FILE, 'sast:container'] },
+    { method: :sast_container_artifact, options: [Ci::Build::SAST_CONTAINER_FILE, 'container_scanning'] },
+    { method: :container_scanning_artifact, options: [Ci::Build::CONTAINER_SCANNING_FILE, 'sast:container'] },
+    { method: :container_scanning_artifact, options: [Ci::Build::CONTAINER_SCANNING_FILE, 'container_scanning'] },
+    { method: :dast_artifact, options: [Ci::Build::DAST_FILE, 'dast'] }
+  ].freeze
+
+  PIPELINE_ARTIFACTS_METHODS.each do |method_test|
+    method, options = method_test.values_at(:method, :options)
     describe method.to_s do
       context 'has corresponding job' do
         let!(:build) do
@@ -59,7 +64,7 @@ describe Ci::Pipeline do
     end
   end
 
-  %w(sast dast performance sast_container).each do |type|
+  %w(sast dast performance sast_container container_scanning).each do |type|
     method = "has_#{type}_data?"
 
     describe "##{method}" do
@@ -73,7 +78,7 @@ describe Ci::Pipeline do
     end
   end
 
-  %w(sast dast performance sast_container).each do |type|
+  %w(sast dast performance sast_container container_scanning).each do |type|
     method = "expose_#{type}_data?"
 
     describe "##{method}" do

ee/spec/models/merge_request_spec.rb

@@ -164,7 +164,7 @@ describe MergeRequest do
     end
   end
 
-  %w(sast dast sast_container).each do |type|
+  %w(sast dast sast_container container_scanning).each do |type|
     it { is_expected.to delegate_method(:"expose_#{type}_data?").to(:head_pipeline) }
     it { is_expected.to delegate_method(:"has_#{type}_data?").to(:base_pipeline).with_prefix(:base) }
     it { is_expected.to delegate_method(:"#{type}_artifact").to(:head_pipeline).with_prefix(:head) }

ee/spec/serializers/merge_request_widget_entity_spec.rb

@@ -83,8 +83,9 @@ describe MergeRequestWidgetEntity do
     expect(subject.as_json[:license_management]).to include(:base_path)
   end
 
-  it 'has sast_container data' do
-    build = create(:ci_build, name: 'sast:image', pipeline: pipeline)
+  # methods for old artifact are deprecated and replaced with ones for the new name (#5779)
+  it 'has sast_container data (with old artifact name gl-sast-container-report.json)' do
+    build = create(:ci_build, name: 'container_scanning', pipeline: pipeline)
 
     allow(merge_request).to receive_messages(
       expose_sast_container_data?: true,
@@ -98,6 +99,21 @@ describe MergeRequestWidgetEntity do
     expect(subject.as_json[:sast_container]).to include(:base_path)
   end
 
+  it 'has sast_container data (with new artifact name gl-container-scanning-report.json)' do
+    build = create(:ci_build, name: 'container_scanning', pipeline: pipeline)
+
+    allow(merge_request).to receive_messages(
+      expose_container_scanning_data?: true,
+      base_has_container_scanning_data?: true,
+      base_container_scanning_artifact: build,
+      head_container_scanning_artifact: build
+    )
+
+    expect(subject.as_json).to include(:sast_container)
+    expect(subject.as_json[:sast_container]).to include(:head_path)
+    expect(subject.as_json[:sast_container]).to include(:base_path)
+  end
+
   it 'has dast data' do
     build = create(:ci_build, name: 'dast', pipeline: pipeline)
 

vendor/gitlab-ci-yml/Auto-DevOps.gitlab-ci.yml

@@ -136,7 +136,7 @@ dependency_scanning:
   artifacts:
     paths: [gl-dependency-scanning-report.json]
 
-sast:container:
+container_scanning:
   image: docker:stable
   variables:
     DOCKER_DRIVER: overlay2
@@ -145,9 +145,9 @@ sast:container:
     - docker:stable-dind
   script:
     - setup_docker
-    - sast_container
+    - container_scanning
   artifacts:
-    paths: [gl-sast-container-report.json]
+    paths: [gl-container-scanning-report.json]
 
 dast:
   stage: dast
@@ -388,7 +388,7 @@ rollout 100%:
   # Extract "MAJOR.MINOR" from CI_SERVER_VERSION and generate "MAJOR-MINOR-stable" for Security Products
   export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
 
-  function sast_container() {
+  function container_scanning() {
     if [[ -n "$CI_REGISTRY_USER" ]]; then
       echo "Logging to GitLab Container Registry with CI credentials..."
       docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
@@ -406,7 +406,7 @@ rollout 100%:
     retries=0
     echo "Waiting for clair daemon to start"
     while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
-    ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-sast-container-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
+    ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
   }
 
   function codeclimate() {