gitlab-qa 14.14.0 → 14.16.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Gemfile.lock +1 -1
- data/docs/what_tests_can_be_run.md +24 -0
- data/fixtures/cvs/vulnerabilities_template.erb +2 -0
- data/lib/gitlab/qa/component/gitlab.rb +2 -1
- data/lib/gitlab/qa/runtime/env.rb +5 -0
- data/lib/gitlab/qa/scenario/test/integration/continuous_vulnerability_scanning.rb +86 -0
- data/lib/gitlab/qa/version.rb +1 -1
- data/rubocop/cop/gitlab/dangerous_interpolation.rb +1 -0
- data/support/data/admin_access_token_seed.rb +1 -1
- metadata +4 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b98b613be98b09d382003ce5a1bd4562bddf7a7e0216de30a76c0c264c51a973
|
|
4
|
+
data.tar.gz: 808ee2237ccbcabe62430f504b99a1c39930e90ccaff107d7316ce8a7ee71f52
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: edff13e29e9dc6cdda84b1cf8103676e5b74703a45fd6a7a77d34cc5b7f5b1fa836957e130806c263864c2ee659bb7f7cd9c9620e0f97c8c5cce0b756b7b2c60
|
|
7
|
+
data.tar.gz: 45ef2a7609d5e2345a4ca25067cb722098fe0ec734b9ab18ebf5513bf1af45d87f0a755f91ae0c4b2e10329a809e72c25f81df2c293aaadcc5dc89c763c07f6d
|
data/Gemfile.lock
CHANGED
|
@@ -375,6 +375,30 @@ $ export EE_LICENSE=$(cat /path/to/Geo.gitlab_license)
|
|
|
375
375
|
$ gitlab-qa Test::Integration::Geo EE
|
|
376
376
|
```
|
|
377
377
|
|
|
378
|
+
[test-cvs]: ...
|
|
379
|
+
|
|
380
|
+
### `Test::Integration::ContinuousVulnerabilityScanning EE|<full image address>`
|
|
381
|
+
|
|
382
|
+
This tests [Continuous Vulnerability Scanning](https://docs.gitlab.com/ee/user/application_security/continuous_vulnerability_scanning/)
|
|
383
|
+
which is functionality to allow updated vulnerabilities to be downloaded and shown for
|
|
384
|
+
relevant software dependencies.
|
|
385
|
+
|
|
386
|
+
It is designed to run against a particular end to end spec as per the example.
|
|
387
|
+
|
|
388
|
+
It is EE functionality and requires a license to be set.
|
|
389
|
+
|
|
390
|
+
**Required environment variables:**
|
|
391
|
+
|
|
392
|
+
- `EE_LICENSE`: A valid EE license.
|
|
393
|
+
|
|
394
|
+
Example:
|
|
395
|
+
|
|
396
|
+
```shell
|
|
397
|
+
$ export EE_LICENSE=$(cat /path/to/gitlab_license)
|
|
398
|
+
$ export GITLAB_LICENSE_MODE=test
|
|
399
|
+
$ gitlab-qa Test::Integration::ContinuousVulnerabilityScanning EE
|
|
400
|
+
````
|
|
401
|
+
|
|
378
402
|
[test-geo]: https://gitlab.com/gitlab-org/gitlab-ee/blob/master/qa/qa/ee/scenario/test/geo.rb
|
|
379
403
|
|
|
380
404
|
### `Test::Integration::GitalyCluster CE|EE|<full image address>`
|
|
@@ -0,0 +1,2 @@
|
|
|
1
|
+
{"advisory":{"id":"<%= SecureRandom.uuid %>","source":"glad","title":"Arbitrary test vulnerability","description":"An arbitrary vulnerability exists for testing. This vulnerability should be picked up by Continuous Vulnerability Scanning.","cvss_v3":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","published_date":"<%= Date.today.prev_day.iso8601 %>","urls":["https://gitlab.com/willmeek"],"identifiers":[{"type":"cve","name":"CVE-2124-12345","value":"CVE-2124-12345","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2124-12345"},{"type":"ghsa","name":"GHSA-abcd-123e-fg4h","value":"GHSA-abcd-123e-fg4h","url":"https://gitlab.com/willmeek"},{"type":"cwe","name":"CWE-42","value":"42","url":"https://gitlab.com/willmeek"}]},"packages":[{"name":"RedCloth","purl_type":"gem","affected_range":"<=3.39.0","solution":"Upgrade to version 3.39.0 or above.","fixed_versions":["3.39.0"]}]}
|
|
2
|
+
{"advisory":{"id":"<%= SecureRandom.uuid %>","source":"glad","title":"Outdated test vulnerability","description":"An Outdated vulnerability exists for testing. This vulnerability should NOT be picked up by Continuous Vulnerability Scanning.","cvss_v3":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","published_date":"<%= (Date.today - 15).iso8601 %>","urls":["https://gitlab.com/willmeek"],"identifiers":[{"type":"cve","name":"CVE-2124-54321","value":"CVE-2124-54321","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2124-54321"},{"type":"ghsa","name":"GHSA-abcd-321e-fg4h","value":"GHSA-abcd-321e-fg4h","url":"https://gitlab.com/willmeek"},{"type":"cwe","name":"CWE-43","value":"43","url":"https://gitlab.com/willmeek"}]},"packages":[{"name":"RedCloth","purl_type":"gem","affected_range":"<=3.39.0","solution":"Upgrade to version 3.39.0 or above.","fixed_versions":["3.39.0"]}]}
|
|
@@ -140,7 +140,8 @@ module Gitlab
|
|
|
140
140
|
set_qa_user_agent
|
|
141
141
|
env = @omnibus_gitlab_rails_env.merge(
|
|
142
142
|
{
|
|
143
|
-
'GITLAB_ALLOW_SEPARATE_CI_DATABASE' => Runtime::Env.allow_separate_ci_database.to_s
|
|
143
|
+
'GITLAB_ALLOW_SEPARATE_CI_DATABASE' => Runtime::Env.allow_separate_ci_database.to_s,
|
|
144
|
+
'COVERBAND_ENABLED' => Runtime::Env.coverband_enabled?.to_s
|
|
144
145
|
}
|
|
145
146
|
)
|
|
146
147
|
|
|
@@ -24,6 +24,7 @@ module Gitlab
|
|
|
24
24
|
'AWS_S3_REGION' => :aws_s3_region,
|
|
25
25
|
'CACHE_NAMESPACE_NAME' => :cache_namespace_name,
|
|
26
26
|
'CHROME_DISABLE_DEV_SHM' => :chrome_disable_dev_shm,
|
|
27
|
+
'COVERBAND_ENABLED' => :coverband_enabled,
|
|
27
28
|
'CI' => :ci,
|
|
28
29
|
'CI_JOB_ID' => :ci_job_id,
|
|
29
30
|
'CI_JOB_NAME' => :ci_job_name,
|
|
@@ -468,6 +469,10 @@ module Gitlab
|
|
|
468
469
|
enabled?(env_var_value_if_defined('GITLAB_ALLOW_SEPARATE_CI_DATABASE'), default: false)
|
|
469
470
|
end
|
|
470
471
|
|
|
472
|
+
def coverband_enabled?
|
|
473
|
+
enabled?(env_var_value_if_defined('COVERBAND_ENABLED'), default: false)
|
|
474
|
+
end
|
|
475
|
+
|
|
471
476
|
def mock_github_enabled?
|
|
472
477
|
enabled?(env_var_value_if_defined('QA_MOCK_GITHUB'), default: true)
|
|
473
478
|
end
|
|
@@ -0,0 +1,86 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require 'date'
|
|
4
|
+
require 'erb'
|
|
5
|
+
require 'pathname'
|
|
6
|
+
|
|
7
|
+
module Gitlab
|
|
8
|
+
module QA
|
|
9
|
+
module Scenario
|
|
10
|
+
module Test
|
|
11
|
+
module Integration
|
|
12
|
+
class ContinuousVulnerabilityScanning < Scenario::Template
|
|
13
|
+
def initialize
|
|
14
|
+
@network = Runtime::Env.docker_network
|
|
15
|
+
@tag = 'secure_cvs'
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
def perform(release, *rspec_args)
|
|
19
|
+
Component::Gitlab.perform do |gitlab|
|
|
20
|
+
setup_and_run_tests(gitlab, release, *rspec_args)
|
|
21
|
+
end
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
private
|
|
25
|
+
|
|
26
|
+
def setup_and_run_tests(gitlab, release, *rspec_args)
|
|
27
|
+
set_up_gitlab(gitlab, release)
|
|
28
|
+
gitlab.instance do
|
|
29
|
+
place_new_vulnerabilities(gitlab)
|
|
30
|
+
run_specs(gitlab, *rspec_args)
|
|
31
|
+
end
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
def set_up_gitlab(gitlab, release)
|
|
35
|
+
gitlab.release = QA::Release.new(release)
|
|
36
|
+
gitlab.name = 'gitlab'
|
|
37
|
+
gitlab.network = @network
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
def place_new_vulnerabilities(gitlab)
|
|
41
|
+
write_vulnerabilities(gitlab, generate_filepath, generate_vulnerabilities)
|
|
42
|
+
start_advisory_sync_worker(gitlab)
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
def generate_vulnerabilities
|
|
46
|
+
template = File.read(File.expand_path('../../../../../../fixtures/cvs/vulnerabilities_template.erb', __dir__))
|
|
47
|
+
ERB.new(template).result(binding)
|
|
48
|
+
end
|
|
49
|
+
|
|
50
|
+
def generate_filepath
|
|
51
|
+
File.join(
|
|
52
|
+
"/opt/gitlab/embedded/service/gitlab-rails/vendor/package_metadata/advisories/v2/rubygem/#{Time.now.to_i}",
|
|
53
|
+
'000000000.ndjson'
|
|
54
|
+
)
|
|
55
|
+
end
|
|
56
|
+
|
|
57
|
+
def write_vulnerabilities(gitlab, filepath, content)
|
|
58
|
+
gitlab.docker.exec(gitlab.name, "mkdir -p #{File.dirname(filepath)}")
|
|
59
|
+
gitlab.docker.write_files(gitlab.name) { |f| f.write(filepath, content, false) }
|
|
60
|
+
end
|
|
61
|
+
|
|
62
|
+
def start_advisory_sync_worker(gitlab)
|
|
63
|
+
gitlab.docker.exec(gitlab.name, "PM_SYNC_IN_DEV=true gitlab-rails runner 'loop do PackageMetadata::AdvisoriesSyncWorker.new.perform; sleep 30; end' &")
|
|
64
|
+
end
|
|
65
|
+
|
|
66
|
+
def run_specs(gitlab, *rspec_args)
|
|
67
|
+
Runtime::Logger.info('Running Continuous Vulnerability Scanning spec...')
|
|
68
|
+
rspec_args << "--" unless rspec_args.include?('--')
|
|
69
|
+
rspec_args << "--tag" << @tag
|
|
70
|
+
run_spec_component(gitlab, rspec_args)
|
|
71
|
+
end
|
|
72
|
+
|
|
73
|
+
def run_spec_component(gitlab, rspec_args)
|
|
74
|
+
Component::Specs.perform do |specs|
|
|
75
|
+
specs.suite = 'Test::Instance::All'
|
|
76
|
+
specs.release = gitlab.release
|
|
77
|
+
specs.network = gitlab.network
|
|
78
|
+
specs.args = [gitlab.address, *rspec_args]
|
|
79
|
+
end
|
|
80
|
+
end
|
|
81
|
+
end
|
|
82
|
+
end
|
|
83
|
+
end
|
|
84
|
+
end
|
|
85
|
+
end
|
|
86
|
+
end
|
data/lib/gitlab/qa/version.rb
CHANGED
|
@@ -95,6 +95,7 @@ module RuboCop
|
|
|
95
95
|
'CI_PIPELINE_URL' => :ci_pipeline_url,
|
|
96
96
|
'CI_PIPELINE_CREATED_AT' => :ci_pipeline_created_at,
|
|
97
97
|
'CI_MERGE_REQUEST_IID' => :ci_merge_request_iid,
|
|
98
|
+
'COVERBAND_ENABLED' => :coverband_enabled,
|
|
98
99
|
'GITLAB_CI' => :gitlab_ci,
|
|
99
100
|
'ELASTIC_URL' => :elastic_url,
|
|
100
101
|
'GITLAB_QA_LOOP_RUNNER_MINUTES' => :gitlab_qa_loop_runner_minutes,
|
|
@@ -18,7 +18,7 @@ class AdminAccessTokenSeed
|
|
|
18
18
|
|
|
19
19
|
admin_user.personal_access_tokens.build(token_params).tap do |pat|
|
|
20
20
|
pat.set_token(TOKEN_VALUE)
|
|
21
|
-
pat.organization = Organizations::Organization.default_organization
|
|
21
|
+
pat.organization = Organizations::Organization.default_organization if Gitlab.version_info >= Gitlab::VersionInfo.new(17, 4)
|
|
22
22
|
pat.save!
|
|
23
23
|
end
|
|
24
24
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: gitlab-qa
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 14.
|
|
4
|
+
version: 14.16.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- GitLab Quality
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-09-
|
|
11
|
+
date: 2024-09-26 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: climate_control
|
|
@@ -376,6 +376,7 @@ files:
|
|
|
376
376
|
- docs/waits.md
|
|
377
377
|
- docs/what_tests_can_be_run.md
|
|
378
378
|
- exe/gitlab-qa
|
|
379
|
+
- fixtures/cvs/vulnerabilities_template.erb
|
|
379
380
|
- fixtures/ldap/1_add_nodes.ldif
|
|
380
381
|
- fixtures/ldap/2_add_users.ldif
|
|
381
382
|
- fixtures/ldap/3_add_groups.ldif
|
|
@@ -450,6 +451,7 @@ files:
|
|
|
450
451
|
- lib/gitlab/qa/scenario/test/integration/ai_gateway_no_seat_assigned.rb
|
|
451
452
|
- lib/gitlab/qa/scenario/test/integration/chaos.rb
|
|
452
453
|
- lib/gitlab/qa/scenario/test/integration/client_ssl.rb
|
|
454
|
+
- lib/gitlab/qa/scenario/test/integration/continuous_vulnerability_scanning.rb
|
|
453
455
|
- lib/gitlab/qa/scenario/test/integration/elasticsearch.rb
|
|
454
456
|
- lib/gitlab/qa/scenario/test/integration/geo.rb
|
|
455
457
|
- lib/gitlab/qa/scenario/test/integration/gitaly_cluster.rb
|