Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
f408212c
Commit
f408212c
authored
Dec 20, 2021
by
Thiago Figueiró
Committed by
Mayra Cabrera
Dec 20, 2021
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Remove improved_container_scan_matching feature flag
parent
8ce5dfe2
Changes
5
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
64 additions
and
164 deletions
+64
-164
config/feature_flags/development/improved_container_scan_matching.yml
...re_flags/development/improved_container_scan_matching.yml
+0
-8
ee/lib/gitlab/ci/parsers/security/container_scanning.rb
ee/lib/gitlab/ci/parsers/security/container_scanning.rb
+1
-8
ee/lib/gitlab/ci/reports/security/locations/container_scanning.rb
...itlab/ci/reports/security/locations/container_scanning.rb
+4
-16
ee/spec/lib/gitlab/ci/parsers/security/container_scanning_spec.rb
...lib/gitlab/ci/parsers/security/container_scanning_spec.rb
+20
-48
ee/spec/lib/gitlab/ci/reports/security/locations/container_scanning_spec.rb
.../ci/reports/security/locations/container_scanning_spec.rb
+39
-84
No files found.
config/feature_flags/development/improved_container_scan_matching.yml
deleted
100644 → 0
View file @
8ce5dfe2
---
name
:
improved_container_scan_matching
introduced_by_url
:
https://gitlab.com/gitlab-org/gitlab/-/merge_requests/73486
rollout_issue_url
:
https://gitlab.com/gitlab-org/gitlab/-/issues/344534
milestone
:
'
14.6'
type
:
development
group
:
group::container security
default_enabled
:
true
ee/lib/gitlab/ci/parsers/security/container_scanning.rb
View file @
f408212c
...
...
@@ -13,22 +13,15 @@ module Gitlab
operating_system:
location_data
[
'operating_system'
],
package_name:
location_data
.
dig
(
'dependency'
,
'package'
,
'name'
),
package_version:
location_data
.
dig
(
'dependency'
,
'version'
),
default_branch_image:
default_branch_image
(
location_data
),
improved_container_scan_matching_enabled:
improved_container_scan_matching_enabled?
default_branch_image:
default_branch_image
(
location_data
)
)
end
def
default_branch_image
(
location_data
)
return
unless
improved_container_scan_matching_enabled?
return
if
@report
.
pipeline
.
default_branch?
location_data
[
'default_branch_image'
]
end
def
improved_container_scan_matching_enabled?
Feature
.
enabled?
(
:improved_container_scan_matching
,
@report
.
pipeline
.
project
,
default_enabled: :yaml
)
end
end
end
end
...
...
ee/lib/gitlab/ci/reports/security/locations/container_scanning.rb
View file @
f408212c
...
...
@@ -17,38 +17,26 @@ module Gitlab
operating_system
:,
package_name:
nil
,
package_version:
nil
,
default_branch_image:
nil
,
improved_container_scan_matching_enabled:
false
default_branch_image:
nil
)
@image
=
image
@operating_system
=
operating_system
@package_name
=
package_name
@package_version
=
package_version
@default_branch_image
=
default_branch_image
@improved_container_scan_matching_enabled
=
improved_container_scan_matching_enabled
end
def
fingerprint_data
"
#{
docker_image_name_without_tag
}
:
#{
package_name
}
"
end
def
improved_container_scan_matching_enabled?
@improved_container_scan_matching_enabled
end
private
def
docker_image_name_without_tag
if
improved_container_scan_matching_enabled?
image_name
=
default_branch_image
.
presence
||
image
base_name
,
_
,
version
=
image_name
.
rpartition
(
':'
)
image_name
=
default_branch_image
.
presence
||
image
base_name
,
_
,
version
=
image_name
.
rpartition
(
':'
)
return
image_name
if
version_semver_like?
(
version
)
else
base_name
,
version
=
image
.
split
(
':'
)
return
image
if
version_semver_like?
(
version
)
end
return
image_name
if
version_semver_like?
(
version
)
base_name
end
...
...
ee/spec/lib/gitlab/ci/parsers/security/container_scanning_spec.rb
View file @
f408212c
...
...
@@ -42,63 +42,35 @@ RSpec.describe Gitlab::Ci::Parsers::Security::ContainerScanning do
end
describe
'#parse!'
do
context
'when improved_container_scan_matching is disabled'
do
before
do
stub_feature_flags
(
improved_container_scan_matching:
false
)
artifact
.
each_blob
{
|
blob
|
described_class
.
parse!
(
blob
,
report
)
}
end
it_behaves_like
'report'
context
'when not on default branch'
do
let
(
:current_branch
)
{
'not-default'
}
it
'does not include default_branch_image'
do
location
=
report
.
findings
.
first
.
location
expect
(
location
).
to
be_a
(
::
Gitlab
::
Ci
::
Reports
::
Security
::
Locations
::
ContainerScanning
)
expect
(
location
).
to
have_attributes
(
default_branch_image:
nil
,
improved_container_scan_matching_enabled?:
false
)
end
end
before
do
artifact
.
each_blob
{
|
blob
|
described_class
.
parse!
(
blob
,
report
)
}
end
context
'when improved_container_scan_matching is enabled'
do
before
do
stub_feature_flags
(
improved_container_scan_matching:
true
)
artifact
.
each_blob
{
|
blob
|
described_class
.
parse!
(
blob
,
report
)
}
end
it_behaves_like
'report'
it_behaves_like
'report'
context
'when on default branch'
do
let
(
:current_branch
)
{
project
.
default_branch
}
context
'when on default branch'
do
let
(
:current_branch
)
{
project
.
default_branch
}
it
'does not include default_branch_image in location'
do
location
=
report
.
findings
.
first
.
location
it
'does not include default_branch_image in location'
do
location
=
report
.
findings
.
first
.
location
expect
(
location
).
to
be_a
(
::
Gitlab
::
Ci
::
Reports
::
Security
::
Locations
::
ContainerScanning
)
expect
(
location
).
to
have_attributes
(
default_branch_image:
nil
,
improved_container_scan_matching_enabled?:
true
)
end
expect
(
location
).
to
be_a
(
::
Gitlab
::
Ci
::
Reports
::
Security
::
Locations
::
ContainerScanning
)
expect
(
location
).
to
have_attributes
(
default_branch_image:
nil
)
end
end
context
'when not on default branch'
do
let
(
:current_branch
)
{
'not-default'
}
context
'when not on default branch'
do
let
(
:current_branch
)
{
'not-default'
}
it
'includes default_branch_image in location'
do
location
=
report
.
findings
.
first
.
location
it
'includes default_branch_image in location'
do
location
=
report
.
findings
.
first
.
location
expect
(
location
).
to
be_a
(
::
Gitlab
::
Ci
::
Reports
::
Security
::
Locations
::
ContainerScanning
)
expect
(
location
).
to
have_attributes
(
default_branch_image:
default_branch_image
,
improved_container_scan_matching_enabled?:
true
)
end
expect
(
location
).
to
be_a
(
::
Gitlab
::
Ci
::
Reports
::
Security
::
Locations
::
ContainerScanning
)
expect
(
location
).
to
have_attributes
(
default_branch_image:
default_branch_image
)
end
end
end
...
...
ee/spec/lib/gitlab/ci/reports/security/locations/container_scanning_spec.rb
View file @
f408212c
...
...
@@ -23,102 +23,57 @@ RSpec.describe Gitlab::Ci::Reports::Security::Locations::ContainerScanning do
describe
'fingerprint'
do
sha1_of
=
->
(
input
)
{
Digest
::
SHA1
.
hexdigest
(
input
)
}
context
'with feature enabled'
do
where
(
:image
,
:default_branch_image
,
:expected_fingerprint_input
)
do
where
(
:image
,
:default_branch_image
,
:expected_fingerprint_input
)
do
[
[
'alpine:3.7.3'
,
nil
,
'alpine:3.7.3:glibc'
],
[
'alpine:3.7'
,
nil
,
'alpine:3.7:glibc'
],
[
'alpine:8101518288111119448185914762536722131810'
,
nil
,
'alpine:glibc'
],
[
'alpine:1.0.0-beta'
,
nil
,
'alpine:1.0.0-beta:glibc'
],
[
[
'alpine:3.7.3'
,
nil
,
'alpine:3.7.3:glibc'
],
[
'alpine:3.7'
,
nil
,
'alpine:3.7:glibc'
],
[
'alpine:8101518288111119448185914762536722131810'
,
nil
,
'alpine:glibc'
],
[
'alpine:1.0.0-beta'
,
nil
,
'alpine:1.0.0-beta:glibc'
],
[
'gdk.local:5000/group/project/branch:307e0a35643f63652a713d0820db7c388012f724'
,
nil
,
'gdk.local:5000/group/project/branch:glibc'
],
[
'registry.gitlab.com/group/project/tmp:af864bd61230d3d694eb01d6205b268b4ad63ac0'
,
nil
,
'registry.gitlab.com/group/project/tmp:glibc'
],
[
'registry.gitlab.com/group/project/feature:5b1a4a921d7a50c3757aae3f7df2221878775af4'
,
'registry.gitlab.com/group/project/master:ec301f43f14a2b477806875e49cfc4d3fa0d22c3'
,
'registry.gitlab.com/group/project/master:glibc'
],
[
'registry.gitlab.com/group/project/feature:d6704dc0b8e33fb550a86f7847d6a3036d4f8bd5'
,
'registry.gitlab.com/group/project:latest'
,
'registry.gitlab.com/group/project:glibc'
],
[
'registry.gitlab.com/group/project@sha256:a418bbb80b9411f9a08025baa4681e192aaafd16505039bdcb113ccdb90a88fd'
,
'registry.gitlab.com/group/project:latest'
,
'registry.gitlab.com/group/project:glibc'
],
[
'registry.gitlab.com/group/project/feature:latest'
,
'registry.gitlab.com/group/project:1.0.0'
,
'registry.gitlab.com/group/project:1.0.0:glibc'
]
'gdk.local:5000/group/project/branch:307e0a35643f63652a713d0820db7c388012f724'
,
nil
,
'gdk.local:5000/group/project/branch:glibc'
],
[
'registry.gitlab.com/group/project/tmp:af864bd61230d3d694eb01d6205b268b4ad63ac0'
,
nil
,
'registry.gitlab.com/group/project/tmp:glibc'
],
[
'registry.gitlab.com/group/project/feature:5b1a4a921d7a50c3757aae3f7df2221878775af4'
,
'registry.gitlab.com/group/project/master:ec301f43f14a2b477806875e49cfc4d3fa0d22c3'
,
'registry.gitlab.com/group/project/master:glibc'
],
[
'registry.gitlab.com/group/project/feature:d6704dc0b8e33fb550a86f7847d6a3036d4f8bd5'
,
'registry.gitlab.com/group/project:latest'
,
'registry.gitlab.com/group/project:glibc'
],
[
'registry.gitlab.com/group/project@sha256:a418bbb80b9411f9a08025baa4681e192aaafd16505039bdcb113ccdb90a88fd'
,
'registry.gitlab.com/group/project:latest'
,
'registry.gitlab.com/group/project:glibc'
],
[
'registry.gitlab.com/group/project/feature:latest'
,
'registry.gitlab.com/group/project:1.0.0'
,
'registry.gitlab.com/group/project:1.0.0:glibc'
]
end
with_them
do
let
(
:params
)
do
{
image:
image
,
default_branch_image:
default_branch_image
,
operating_system:
'debian:9'
,
package_name:
'glibc'
,
package_version:
'1.2.3'
,
improved_container_scan_matching_enabled:
true
}
end
specify
{
expect
(
subject
.
fingerprint
).
to
eq
(
sha1_of
.
call
(
expected_fingerprint_input
))
}
end
]
end
context
'with feature disabled'
do
with_them
do
let
(
:params
)
do
{
image:
'registry.gitlab.com/group/project/feature:ec301f43f14a2b477806875e49cfc4d3fa0d22c3'
,
default_branch_image:
'registry.gitlab.com/group/project/master:ec301f43f14a2b477806875e49cfc4d3fa0d22c3'
,
image:
image
,
default_branch_image:
default_branch_image
,
operating_system:
'debian:9'
,
package_name:
'glibc'
,
package_version:
'1.2.3'
}
end
it
'ignores default_branch_image'
do
expect
(
subject
.
fingerprint
).
to
eq
(
sha1_of
.
call
(
'registry.gitlab.com/group/project/feature:glibc'
))
end
where
(
:image
,
:expected_fingerprint_input
)
do
[
[
'alpine:3.7.3'
,
'alpine:3.7.3:glibc'
],
[
'alpine:3.7'
,
'alpine:3.7:glibc'
],
[
'alpine:8101518288111119448185914762536722131810'
,
'alpine:glibc'
],
[
'alpine:1.0.0-beta'
,
'alpine:1.0.0-beta:glibc'
],
[
'registry.gitlab.com/group/project/tmp:af864bd61230d3d694eb01d6205b268b4ad63ac0'
,
'registry.gitlab.com/group/project/tmp:glibc'
]
]
end
with_them
do
let
(
:params
)
do
{
image:
image
,
operating_system:
'debian:9'
,
package_name:
'glibc'
,
package_version:
'1.2.3'
}
end
specify
{
expect
(
subject
.
fingerprint
).
to
eq
(
sha1_of
.
call
(
expected_fingerprint_input
))
}
end
specify
{
expect
(
subject
.
fingerprint
).
to
eq
(
sha1_of
.
call
(
expected_fingerprint_input
))
}
end
end
end
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment