Add job integration test to ensure that CycloneDX documents are uploaded as CI artifacts
Problem to solve
Now that gemnasium outputs CycloneDX reports, we need to add a job integration test to ensure that CycloneDX documents are uploaded as CI artifacts, as implemented in "Add CycloneDX reports to DS template", which uploads CycloneDX documents as CI artifacts.
See this discussion for more details, and this MR for a starting point.
Proposal
Here are a few different approaches we can use:
- Update the `script` section of the `qa-dependency_scanning` job to look for the presence of a new variable which is passed from `gemnasium`, `gemnasium-maven` and `gemnasium-python` and contains a list of expected CycloneDX artifact paths. The `qa-dependency_scanning` job will then check to make sure these artifact files exist. See this discussion for more details.
- Wait until "Draft: Test Graph testing" has been merged, then add a check to `integration-test/scripts/dependency-scanning-qa.rb` to check for the presence of these CycloneDX files, using a similar technique to this.
We need to decide which of the above is the best approach and then create an implementation plan.
Implementation plan
We've decided to implement option 1 from the Proposal listed above:
- Update the `script` section of the `qa-dependency_scanning` job to look for the presence of a new variable which is passed from `gemnasium`, `gemnasium-maven` and `gemnasium-python` and contains a list of expected CycloneDX artifact paths. The `qa-dependency_scanning` job will then check to make sure these artifact files exist. This new variable should be named `EXPECTED_CYCLONEDX_ARTIFACTS` and contain a comma-separated list of artifact paths to check. Add test for CycloneDX artifacts (gitlab-org/security-products/ci-templates!282 - merged)
- Add job integration tests which pass `EXPECTED_CYCLONEDX_ARTIFACTS` in the following projects:
  - gemnasium
  - gemnasium-maven
  - gemnasium-python