gitlab-secret_detection 0.19.1 → 0.20.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 92079cc4159944de4812acba9f6c0f7ec7f36a0a1c4f0770849fc2e35740d7da
-  data.tar.gz: 5cda8188ccc3d46d47b074a3126543db9215fd5d99def8082bae2f8f720d5454
+  metadata.gz: 8cd95dc817999bb641642ef12f37c72cdf877e417caf728752e5d61cbae1bcd2
+  data.tar.gz: 42d9ce659069690870f07310bc35d8e41aab5accc23f2d8a5eac094bac9e6bbe
 SHA512:
-  metadata.gz: d0a74f47adcfbf6e8ec0ab72366d5151b2860788e4adba51944e7ddc03b73eef119b9b8f10890454273845ca2c94c8d74be8a5519adc6ff97a3ca485e47464b7
-  data.tar.gz: 399a729fa667c6174e185c10eef898e51f6f1827c0584242560033d0233dc19ce307d9a75c97eb18acf18e19f647d20d31efe1e11fb984ace4640d6dd7ddd85b
+  metadata.gz: ed2fc3c749afe3be21fe16d1f05fd1d16511dd20a7bd77594b707bd99248ee96ed3c2fafc2e0ade16cbad99f7265ea0b8941d3021547b4c4d9f4363bfad31965
+  data.tar.gz: f2a8d9e25d2ccf3a1f35afa23dffd01a21871d895f9bd0f7a4daffd430391067eabe305db230a575cdda41975eb926fa8c50a84914ab3d26b33d2703e58f597a

data/lib/gitlab/secret_detection/core/ruleset.rb

@@ -7,6 +7,14 @@ module Gitlab
   module SecretDetection
     module Core
       class Ruleset
+        # RulesetParseError is thrown when the code fails to parse the
+        # ruleset file from the given path
+        RulesetParseError = Class.new(StandardError)
+
+        # RulesetCompilationError is thrown when the code fails to compile
+        # the predefined rulesets
+        RulesetCompilationError = Class.new(StandardError)
+
         # file path where the secrets ruleset file is located
         RULESET_FILE_PATH = File.expand_path('secret_push_protection_rules.toml', __dir__)
 
@@ -21,6 +29,15 @@ module Gitlab
           @rule_data = parse_ruleset
         end
 
+        def extract_ruleset_version
+          @ruleset_version ||= if File.readable?(RULESET_FILE_PATH)
+                                 first_line = File.open(RULESET_FILE_PATH, &:gets)
+                                 first_line&.split(":")&.[](1)&.strip
+                               end
+        rescue StandardError => e
+          logger.error(message: "Failed to extract Secret Detection Ruleset version from ruleset file: #{e.message}")
+        end
+
         private
 
         attr_reader :path, :logger
@@ -44,15 +61,6 @@ module Gitlab
           logger.error(message: "Failed to parse local secret detection ruleset: #{e.message}")
           raise Core::Scanner::RulesetParseError, e
         end
-
-        def extract_ruleset_version
-          @ruleset_version ||= if File.readable?(RULESET_FILE_PATH)
-                                 first_line = File.open(RULESET_FILE_PATH, &:gets)
-                                 first_line&.split(":")&.[](1)&.strip
-                               end
-        rescue StandardError => e
-          logger.error(message: "Failed to extract Secret Detection Ruleset version from ruleset file: #{e.message}")
-        end
       end
     end
   end

data/lib/gitlab/secret_detection/core/scanner.rb

@@ -11,14 +11,6 @@ module Gitlab
     module Core
       # Scan is responsible for running Secret Detection scan operation
       class Scanner
-        # RulesetParseError is thrown when the code fails to parse the
-        # ruleset file from the given path
-        RulesetParseError = Class.new(StandardError)
-
-        # RulesetCompilationError is thrown when the code fails to compile
-        # the predefined rulesets
-        RulesetCompilationError = Class.new(StandardError)
-
         # default time limit(in seconds) for running the scan operation per invocation
         DEFAULT_SCAN_TIMEOUT_SECS = 180 # 3 minutes
         # default time limit(in seconds) for running the scan operation on a single payload
@@ -91,7 +83,6 @@ module Gitlab
           tags: DEFAULT_PATTERN_MATCHER_TAGS,
           subprocess: RUN_IN_SUBPROCESS
         )
-
           return Core::Response.new(status: Core::Status::INPUT_ERROR) unless validate_scan_input(payloads)
 
           # assign defaults since grpc passing zero timeout value to `Timeout.timeout(..)` makes it effectively useless.
@@ -184,7 +175,7 @@ module Gitlab
           unless matcher.compile
             logger.error "Failed to compile secret detection ruleset in RE::Set"
 
-            raise RulesetCompilationError
+            raise Core::Ruleset::RulesetCompilationError
           end
 
           matcher
@@ -300,7 +291,7 @@ module Gitlab
               findings
             end
           rescue Timeout::Error => e
-            logger.error "Secret Detection scan timed out on the payload(id:#{payload.id}): #{e}"
+            logger.warn "Secret Detection scan timed out on the payload(id:#{payload.id}): #{e}"
 
             Core::Finding.new(payload.id,
               Core::Status::PAYLOAD_TIMEOUT)
@@ -342,7 +333,7 @@ module Gitlab
                 findings
               end
             rescue Timeout::Error => e
-              logger.error "Secret Detection scan timed out on the payload(id:#{payload.id}): #{e}"
+              logger.warn "Secret Detection scan timed out on the payload(id:#{payload.id}): #{e}"
 
               Core::Finding.new(payload.id, Core::Status::PAYLOAD_TIMEOUT)
             end

data/lib/gitlab/secret_detection/grpc/integrated_error_tracking.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require 'sentry-ruby'
+
+require_relative '../../../../lib/gitlab/secret_detection/core/ruleset'
+
+module Gitlab
+  module SecretDetection
+    module GRPC
+      module IntegratedErrorTracking
+        extend self
+
+        def track_exception(exception, args = {})
+          unless Sentry.initialized?
+            logger.warn(message: "Cannot track exception in Error Tracking as Sentry is not initialized")
+            return
+          end
+
+          args[:ruleset_version] = ruleset_version
+
+          Sentry.capture_exception(exception, **args)
+        end
+
+        def setup(logger: Logger.new($stdout))
+          if Sentry.initialized?
+            logger.warn(message: "Sentry is already initialized, skipping re-setup")
+            return
+          end
+
+          logger.info(message: "Initializing Sentry SDK for Integrated Error Tracking..")
+
+          unless can_setup_sentry?
+            logger.warn(message: "Integrated Error Tracking not available, skipping Sentry SDK initialization")
+            return false
+          end
+
+          Sentry.init do |config|
+            config.dsn = ENV.fetch('SD_TRACKING_DSN')
+            config.environment = ENV.fetch('SD_ENV')
+            config.release = Gitlab::SecretDetection::Gem::VERSION
+            config.send_default_pii = true
+            config.send_modules = false
+            config.traces_sample_rate = 0.2 if ENV.fetch('ENABLE_SENTRY_PERFORMANCE_MONITORING', 'false') == 'true'
+          end
+
+          Sentry.set_context('ruleset', { version: ruleset_version })
+
+          true
+        rescue StandardError => e
+          logger.error(message: "Failed to initialize Sentry SDK for Integrated Error Tracking: #{e}")
+          raise e
+        end
+
+        def ruleset_version
+          @ruleset_version ||= Gitlab::SecretDetection::Core::Ruleset.new.extract_ruleset_version || 'unknown'
+        end
+
+        def can_setup_sentry?
+          ENV.fetch('SD_ENV', '') == 'production' && ENV.fetch('SD_TRACKING_DSN', '') != ''
+        end
+      end
+    end
+  end
+end

data/lib/gitlab/secret_detection/grpc/scanner_service.rb

@@ -32,6 +32,7 @@ module Gitlab
     module GRPC
       class ScannerService < Scanner::Service
         include SDLogger
+        include IntegratedErrorTracking
 
         # Maximum timeout value that can be given as the input. This guards
         # against the misuse of timeouts.
@@ -100,8 +101,8 @@ module Gitlab
               payload_timeout: request.payload_timeout_secs
             )
           rescue StandardError => e
-            logger.error(message: "Failed to run the secret detection scan", exception: e)
-            logger.error(e.backtrace&.join("\n"))
+            logger.error(message: "Failed to run the secret detection scan", exception: e.message)
+            track_exception(e)
             raise ::GRPC::Unknown, e.message
           end
 

data/lib/gitlab/secret_detection/grpc.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require_relative 'grpc/integrated_error_tracking'
 require_relative 'grpc/scanner_service'
 require_relative 'grpc/client/stream_request_enumerator'
 require_relative 'grpc/client/grpc_client'

data/lib/gitlab/secret_detection/version.rb

@@ -8,7 +8,7 @@ module Gitlab
       #  https://gitlab.com/gitlab-org/gitlab/-/issues/514015
       #
       # Ensure to maintain the same version in CHANGELOG file.
-      VERSION = "0.19.1"
+      VERSION = "0.20.0"
 
       # SD_ENV env var is used to determine which environment the
       # server is running. This var is defined in `.runway/env-<env>.yml` files.

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: gitlab-secret_detection
 version: !ruby/object:Gem::Version
-  version: 0.19.1
+  version: 0.20.0
 platform: ruby
 authors:
 - group::secret detection
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-02-19 00:00:00.000000000 Z
+date: 2025-02-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: grpc
@@ -82,6 +82,34 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.7'
+- !ruby/object:Gem::Dependency
+  name: sentry-ruby
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.22'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.22'
+- !ruby/object:Gem::Dependency
+  name: stackprof
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.27
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.27
 - !ruby/object:Gem::Dependency
   name: toml-rb
   requirement: !ruby/object:Gem::Requirement
@@ -124,6 +152,7 @@ files:
 - lib/gitlab/secret_detection/grpc/generated/.gitkeep
 - lib/gitlab/secret_detection/grpc/generated/secret_detection_pb.rb
 - lib/gitlab/secret_detection/grpc/generated/secret_detection_services_pb.rb
+- lib/gitlab/secret_detection/grpc/integrated_error_tracking.rb
 - lib/gitlab/secret_detection/grpc/scanner_service.rb
 - lib/gitlab/secret_detection/utils.rb
 - lib/gitlab/secret_detection/utils/certificate.rb