gitlab-security_report_schemas 0.1.0.min0.0.0.max0.0.0 → 0.1.0.min15.0.0.max15.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 48bb6ab237a896e1a713f7384008e510307fc383135450eca126ce5c912250bd
-  data.tar.gz: b1b4f46ea3c0e83ee3967a418b71a93039ab4227b0f6beae3487b8ed568a4116
+  metadata.gz: eb0ee095cc1634e7242faa1990caf178447e8774e0c1027665388b24494c7b9c
+  data.tar.gz: eb1cd4245ced146a0d1f01769f1d60117e4b8cf36e51106abe6c7632096c0a40
 SHA512:
-  metadata.gz: d92c6d99fa5605d114247a642e386a0876de1396a080868b55ce05951e51b30eb7768fc0c3846b311360a8f6c44f930224a9f7ef2c2f96af1881eed14e2b82f1
-  data.tar.gz: 3e21bfff0c8c1a3dfae2831b92546a513a89b85475f20d5c68303711580881a174e2160f91e23f4457a689063e6dc16ea28e5050201f6a4fbeb7d6af7d483377
+  metadata.gz: 0d8aaaff8004ceb08b6cd1e1bfbde2b330ac45b66c3dc9c9d132b08d13dd2ea4137766ff4b87ce9789577f51df0ba3095e1a0f893341d9364cd88f19f160118b
+  data.tar.gz: a2c6dd7ff0729f43591b798e17adaf0830ece329356e200cd08c1cec772b47234b437705049b6dedce7ab587a0f41ef729c3048a5e5da5a0a883b28c26f8cbd1

data/Gemfile.lock

@@ -1,8 +1,8 @@
 PATH
   remote: .
   specs:
-    gitlab-security_report_schemas (0.1.0.min0.0.0.max0.0.0)
-      activesupport (>= 5)
+    gitlab-security_report_schemas (0.1.0.min15.0.0.max15.1.4)
+      activesupport (>= 6, < 8)
       json_schemer (~> 0.2.18)
 
 GEM
@@ -91,4 +91,4 @@ DEPENDENCIES
   shoulda-matchers (~> 5.0)
 
 BUNDLED WITH
-   2.3.15
+   2.5.14

data/README.md

@@ -1,10 +1,10 @@
- [![pipeline status](https://gitlab.com/gitlab-org/security-products/security-report-schemas-ruby/badges/main/pipeline.svg)](https://gitlab.com/gitlab-org/security-products/security-report-schemas-ruby/-/commits/main)
- [![coverage report](https://gitlab.com/gitlab-org/security-products/security-report-schemas-ruby/badges/main/coverage.svg)](https://gitlab.com/gitlab-org/security-products/security-report-schemas-ruby/-/commits/main) 
- [![Latest Release](https://gitlab.com/gitlab-org/security-products/security-report-schemas-ruby/-/badges/release.svg)](https://gitlab.com/gitlab-org/security-products/security-report-schemas-ruby/-/releases)
+ [![pipeline status](https://gitlab.com/gitlab-org/ruby/gems/gitlab-security_report_schemas/badges/main/pipeline.svg)](https://gitlab.com/gitlab-org/ruby/gems/gitlab-security_report_schemas/-/commits/main)
+ [![coverage report](https://gitlab.com/gitlab-org/ruby/gems/gitlab-security_report_schemas/badges/main/coverage.svg)](https://gitlab.com/gitlab-org/ruby/gems/gitlab-security_report_schemas/-/commits/main) 
+ [![Latest Release](https://gitlab.com/gitlab-org/ruby/gems/gitlab-security_report_schemas/-/badges/release.svg)](https://gitlab.com/gitlab-org/ruby/gems/gitlab-security_report_schemas/-/releases)
 
 # Gitlab::SecurityReportSchemas
 
-Rubygem for https://gitlab.com/gitlab-org/security-products/security-reports-schema
+Rubygem for https://gitlab.com/gitlab-org/security-products/security-report-schemas/
 
 This gem provides a Ruby and command line interface to validate the report artifact generated by the security analyzers.
 
@@ -43,6 +43,29 @@ You can use the executable to check validity of your report artifact, like so;
 bundle exec security-reports-schemas $FILE_PATH
 ```
 
+### Environment variables
+
+#### Credentials
+
+| Key                         | Description                                                                                   |
+|-----------------------------|-----------------------------------------------------------------------------------------------|
+| `GITLAB_PUSH_ACCESS_TOKEN`  | Own project access token used to push new schema versions. Requires `write_repository` scope. |
+| `GITLAB_ISSUE_ACCESS_TOKEN` | Project access token used to create an issue on `gitlab-org/gitlab`. Requires `api` scopes.   |
+| `GEM_HOST_API_KEY`          | rubygems.org API key                                                                          |
+
+#### Configuration
+
+| Key                       | Default                                                | Description                            |
+|---------------------------|--------------------------------------------------------|----------------------------------------|
+| `SCHEMAS_PATH`            | `./schemas`                                            | Schema storage location                |
+| `SCHEMA_PROJECT`          | `gitlab-org/security-products/security-report-schemas` | Where to source schemas                |
+| `GITLAB_PROJECT`          | `gitlab-org/gitlab`                                    | Project to open MRs for                |
+| `ISSUE_TARGET_PROJECT_ID` | `278964` (`gitlab-org/gitlab`)                         | Project ID for which to open an issue. |
+
+## Maintenance
+
+See [`RUNBOOK.md`](./RUNBOOK.md) for solutions to common maintenance tasks.
+
 ## Development
 
 ### Updating the schemas

data/RUNBOOK.md

@@ -0,0 +1,28 @@
+# Common maintenance tasks
+
+### Problem
+
+* an upstream [security-report-schemas](https://gitlab.com/gitlab-org/security-products/security-report-schemas) pipeline failed to trigger the release pipeline
+* you want to add, remove or deprecate support for report schema versions
+* you need to release a new version of the gem without altering version ranges,
+  because for example:
+  * an existing gem release has a bug, and the bugfix release needs to cover the
+  same version range.
+  * there were breaking changes to the gem's public API that must be released
+  for the currently supported version range.
+
+### Solution
+
+1. Open and merge an MR targeting the default branch which may:
+    * change the [`supported_versions`](../supported_versions) file to set the
+      report schema version range that the release should include.
+    * change the `Gitlab::SecurityReportSchemas::Version::GEM_VERSION` constant
+      to set the MAJOR.MINOR.PATCH version components of the resulting release.
+2. Run a new pipeline for the default branch and set the `MANUAL_RELEASE` CI
+   variable.
+3. Trigger the manual `manual-release` job in the resulting pipeline.
+
+## Find the commit SHA for a RubyGem version
+
+Before a rubygems.org release is created, a git tag referencing the full
+v-prefixed release version is pushed, for example `v0.1.0.min15.0.0.max15.0.1`.

data/Rakefile

@@ -17,7 +17,9 @@ task :prepare_schemas, [:versions] do |_, args|
   require "gitlab/security_report_schemas"
   require "gitlab/security_report_schemas/cli/schema_downloader"
 
-  requested_versions = args[:versions]&.split.to_a
+  requested_versions = args.fetch(:versions, "").split.map do |ver|
+    Gitlab::SecurityReportSchemas::SchemaVer.new!(ver, fallback: false)
+  end
 
   cleanup_schema_dir.then { schemas_to_prepare(requested_versions) }
                     .then { copy_new_schemas(_1) }
@@ -28,7 +30,7 @@ desc "Bundles the Security Report Schemas into the project and builds the gem"
 task :prepare, %i[versions] => %i[prepare_schemas build]
 
 desc "Checks the integrity of the schema files with upstream"
-task :integrity_check do
+task integrity_check: :prepare_schemas do
   require "gitlab/security_report_schemas"
   require "gitlab/security_report_schemas/cli/integrity_checker"
 
@@ -39,6 +41,15 @@ task :integrity_check do
   end
 end
 
+namespace :release do
+  desc "Open patch Issue on gitlab-org/gitlab to update its Gemfile to use the current gem version"
+  task :issue do
+    require "gitlab/security_report_schemas"
+
+    Gitlab::SecurityReportSchemas::Release::Workflow.execute
+  end
+end
+
 def cleanup_schema_dir
   puts "Cleaning the schemas directory..."
 
@@ -57,7 +68,7 @@ def schemas_to_prepare(requested_versions)
   if requested_versions.empty?
     puts "Preparing schemas from `supported_versions' file..."
   else
-    puts "Preparing new schemas #{requested_versions}"
+    puts %(Preparing new schemas #{requested_versions.map(&:version).join(",")})
   end
 
   supported_versions + requested_versions

data/gem_version

@@ -1 +1 @@
-0.1.0.min0.0.0.max0.0.0
+0.1.0.min15.0.0.max15.1.4

data/gitlab-security_report_schemas.gemspec

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+Gem::Specification.new do |spec|
+  spec.name = "gitlab-security_report_schemas"
+  spec.version = `cat gem_version`
+  spec.authors = ["GitLab"]
+  spec.email = ["gitlab_rubygems@gitlab.com"]
+  spec.license = "Nonstandard"
+
+  spec.summary = "Ruby gem for GitLab security report JSON schemas"
+  spec.homepage = "https://gitlab.com/gitlab-org/ruby/gems/gitlab-security_report_schemas"
+  spec.required_ruby_version = ">= 2.7.0"
+
+  spec.metadata["homepage_uri"] = spec.homepage
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(__dir__) do
+    `git ls-files -z`.split("\x0").reject do |f|
+      (f == __FILE__) || f.match(%r{\A(?:(?:bin|test|spec|features)/|\.(?:git|travis|circleci)|appveyor)})
+    end
+  end
+
+  # Bundle the schemas into the gem
+  spec.files += `find schemas -type f`.split("\n")
+
+  spec.bindir = "exe"
+  spec.executables = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "activesupport", ">= 6", "< 8"
+  spec.add_dependency "json_schemer", "~> 0.2.18"
+end

data/lib/gitlab/security_report_schemas/cli/schema_checker/remote_file.rb

@@ -8,7 +8,6 @@ module Gitlab
       class IntegrityChecker
         # Represents the schema file located on GitLab.com
         class RemoteFile < AbstractFile
-          SCHEMA_PROJECT_RAW_URL = "https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v%<version>s/dist/%<schema_file_name>s"
           SCHEMA_FILE_NAME_REGEX = %r{./+(?<version>\d+\.\d+\.\d+)/(?<file_name>.+-report-format\.json)$}.freeze
 
           private
@@ -22,7 +21,7 @@ module Gitlab
           end
 
           def schema_url
-            format(SCHEMA_PROJECT_RAW_URL, version: version, schema_file_name: schema_file_name)
+            format(schema_project_raw_url, version: version, schema_file_name: schema_file_name)
           end
 
           def version
@@ -36,6 +35,14 @@ module Gitlab
           def schema_file_components
             @schema_file_components ||= schema_file.to_s.match(SCHEMA_FILE_NAME_REGEX).named_captures
           end
+
+          def schema_project_raw_url
+            "#{schema_project_url}/-/raw/v%<version>s/dist/%<schema_file_name>s"
+          end
+
+          def schema_project_url
+            Gitlab::SecurityReportSchemas.configuration.schema_project_url
+          end
         end
       end
     end

data/lib/gitlab/security_report_schemas/cli/schema_downloader.rb

@@ -8,8 +8,6 @@ module Gitlab
     module CLI
       # Copies the schema for the given version to the project
       class SchemaDownloader
-        SCHEMA_PROJECT_REPO = "git@gitlab.com:gitlab-org/security-products/security-report-schemas.git"
-
         def self.download(version)
           new(version).download
         end
@@ -59,7 +57,7 @@ module Gitlab
         end
 
         def clone_repository
-          Git.clone(SCHEMA_PROJECT_REPO, git_project_path)
+          Git.clone(Gitlab::SecurityReportSchemas.configuration.schema_repository, git_project_path)
         end
 
         def git_project_path

data/lib/gitlab/security_report_schemas/configuration.rb

@@ -6,16 +6,41 @@ module Gitlab
     class Configuration
       OPTIONS = {
         schemas_path: -> { SecurityReportSchemas.root_path.join("schemas") },
-        deprecated_versions: -> { [] }
+        deprecated_versions: -> { [] },
+        schema_project: -> { "gitlab-org/security-products/security-report-schemas" },
+        gitlab_project: -> { "gitlab-org/gitlab" },
+        issue_target_project_id: -> { "278964" }, # gitlab-org/gitlab
+        gitlab_issue_access_token: nil,
+        ci_server_host: nil
       }.freeze
 
       OPTIONS.each do |option, default_value|
         define_method(option) do
-          instance_variable_get("@#{option}") || default_value.call
+          instance_variable_get("@#{option}") || ENV[option.upcase.to_s] || default_value&.call
         end
 
         attr_writer option
       end
+
+      def initialize
+        yield self if block_given?
+      end
+
+      def schema_project_url
+        "https://gitlab.com/#{schema_project}"
+      end
+
+      def schema_repository
+        "#{schema_project_url}.git"
+      end
+
+      def gitlab_project_url
+        "https://gitlab.com/#{gitlab_project}"
+      end
+
+      def gitlab_repository
+        "#{gitlab_project_url}.git"
+      end
     end
   end
 end

data/lib/gitlab/security_report_schemas/release/bundler.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module SecurityReportSchemas
+    module Release
+      # Wrapper around bundle(1).
+      module Bundler
+        extend self
+
+        def install!
+          run("bundle install")
+        end
+
+        def checksum!
+          run("bundle exec bundler-checksum init")
+        end
+
+        def verify_checksum!
+          run("bundle exec bundler-checksum verify")
+        end
+
+        private
+
+        def run(command)
+          # Bundler modifies RUBYOPT and RUBYLIB which makes bundle(1) attempt
+          # to load from our gem environment instead of from the GitLab environment.
+          ::Bundler.with_unbundled_env do
+            system(command) || raise("non-zero exit code: `#{command}`")
+          end
+        end
+      end
+    end
+  end
+end

data/lib/gitlab/security_report_schemas/release/gemfile.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require "tempfile"
+
+module Gitlab
+  module SecurityReportSchemas
+    module Release
+      # Changes or adds a dependency version to a Gemfile.
+      class Gemfile
+        SUBSTITUTION_REGEX_TEMPLATE = %{gem ['"]%s['"], ['"](.*)['"]}
+        FEATURE_CATEGORY = :vulnerability_management
+
+        def self.update!(workflow)
+          File.open(workflow.gemfile_path, "r+").tap do |file|
+            new(file).rewrite!(workflow.class::DEPENDENCY, workflow.gem_version)
+          end
+        end
+
+        attr_reader :file
+
+        def initialize(file)
+          @file = file
+        end
+
+        private_class_method :new
+
+        def rewrite!(dependency, version)
+          contents = file.read
+
+          file.seek(0)
+          file.truncate(0)
+          file.puts(substituted_content(contents, dependency, version))
+        end
+
+        private
+
+        def substituted_content(contents, dependency, version)
+          regex = Regexp.new(SUBSTITUTION_REGEX_TEMPLATE % dependency)
+          dep = "gem '#{dependency}', '#{version}'"
+
+          return contents.gsub!(regex, dep) if contents.match(regex)
+
+          contents.concat("#{dep}, feature_category: #{FEATURE_CATEGORY.inspect}")
+          contents.concat("\n") unless contents.end_with?("\n")
+        end
+      end
+    end
+  end
+end

data/lib/gitlab/security_report_schemas/release/issue.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module SecurityReportSchemas
+    module Release
+      # GitLab Issue creation.
+      class Issue
+        API_ROOT = "https://gitlab.com/api/v4"
+        DESCRIPTION_TEMPLATE = "issue_description.erb"
+
+        def self.create!(workflow)
+          new(workflow).execute!
+        end
+
+        attr_reader :workflow
+
+        def initialize(workflow)
+          @workflow = workflow
+        end
+
+        def execute!
+          http = Net::HTTP.new(uri.host, uri.port)
+          http.use_ssl = true
+
+          case response = http.request(request)
+          when Net::HTTPSuccess then extract_url(JSON.parse(response.body))
+          else raise "Failed to create issue: #{response.code} -- #{response.message}"
+          end
+        end
+
+        def uri
+          URI(File.join(API_ROOT, "projects", workflow.target_project_id.to_s, "issues"))
+        end
+
+        def body
+          {
+            title: workflow.commit_message,
+            description: description
+          }
+        end
+
+        def headers
+          {
+            "Content-Type" => "application/json",
+            "Authorization" => "Bearer #{workflow.access_token}"
+          }
+        end
+
+        def description
+          description_template.result_with_hash(gem_version: workflow.gem_version, patch: workflow.patch)
+        end
+
+        private
+
+        def request
+          Net::HTTP::Post.new(uri, headers).tap do |req|
+            req.body = body.to_json
+          end
+        end
+
+        def extract_url(body)
+          body["web_url"]
+        end
+
+        def description_template
+          ERB.new(File.read(description_template_path))
+        end
+
+        def description_template_path
+          Gitlab::SecurityReportSchemas.root_path.join(
+            "lib", "gitlab", "security_report_schemas", "release", "templates", DESCRIPTION_TEMPLATE
+          )
+        end
+      end
+    end
+  end
+end

data/lib/gitlab/security_report_schemas/release/merge_request.rb

@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+
+require "net/http"
+require "uri"
+require "erb"
+require "json"
+
+module Gitlab
+  module SecurityReportSchemas
+    module Release
+      # GitLab merge request creation.
+      class MergeRequest
+        API_ROOT = "https://gitlab.com/api/v4"
+        DESCRIPTION_TEMPLATE = "mr_description.erb"
+
+        def self.create!(workflow)
+          new(workflow).execute!
+        end
+
+        attr_reader :workflow
+
+        def initialize(workflow)
+          @workflow = workflow
+        end
+
+        def execute!
+          http = Net::HTTP.new(uri.host, uri.port)
+          http.use_ssl = true
+
+          case response = http.request(request)
+          when Net::HTTPSuccess then extract_url(JSON.parse(response.body))
+          else raise "Failed to create merge request: #{response.code} -- #{response.message}"
+          end
+        end
+
+        def uri
+          URI(File.join(API_ROOT, "projects", workflow.target_project_id.to_s, "merge_requests"))
+        end
+
+        def body
+          {
+            source_branch: workflow.branch_name,
+            target_branch: workflow.class::TARGET_BRANCH,
+            title: workflow.commit_message,
+            description: description
+          }
+        end
+
+        def headers
+          {
+            "Content-Type" => "application/json",
+            "Authorization" => "Bearer #{workflow.access_token}"
+          }
+        end
+
+        def description
+          description_template.result_with_hash(gem_version: workflow.gem_version)
+        end
+
+        private
+
+        def request
+          Net::HTTP::Post.new(uri, headers).tap do |req|
+            req.body = body.to_json
+          end
+        end
+
+        def extract_url(body)
+          body["web_url"]
+        end
+
+        def description_template
+          ERB.new(File.read(description_template_path))
+        end
+
+        def description_template_path
+          Gitlab::SecurityReportSchemas.root_path.join(
+            "lib", "gitlab", "security_report_schemas", "release", "templates", DESCRIPTION_TEMPLATE
+          )
+        end
+      end
+    end
+  end
+end

data/lib/gitlab/security_report_schemas/release/templates/issue_description.erb

@@ -0,0 +1,13 @@
+This is an automatically generated Issue to update the version of [`gitlab-security_report_schemas`](https://gitlab.com/gitlab-org/ruby/gems/gitlab-security_report_schemas/) to <%= gem_version %>.
+
+### Patch
+
+```diff
+<%= patch %>
+```
+
+### Background
+
+GitLab Secure schemas are used as part of [Security scanner integration](https://docs.gitlab.com/ee/development/integrations/secure.html) to ensure that reports produced by analyzers are able to be parsed successfully by GitLab. Each JSON report indicates which version of the Secure schema it conforms to. When the report is parsed, the file is validated using the appropriate schema and will be rejected if it does not succeed.
+
+/label ~section::sec

data/lib/gitlab/security_report_schemas/release/workflow.rb

@@ -0,0 +1,108 @@
+# frozen_string_literal: true
+
+require "git"
+
+module Gitlab
+  module SecurityReportSchemas
+    module Release
+      # The release workflow that updates a GitLab repository's Gemfile
+      # dependency on this gem to an existing version published on rubygems.org
+      # and creates a merge request for the change.
+      class Workflow
+        DEPENDENCY = "gitlab-security_report_schemas"
+        COMMIT_MESSAGE = "Bump `#{DEPENDENCY}' to v%s"
+        BRANCH_NAME = "#{DEPENDENCY}-v%s"
+        TARGET_BRANCH = "master"
+
+        def self.execute(configuration = Gitlab::SecurityReportSchemas.configuration)
+          new(configuration).execute
+        end
+
+        attr_reader :configuration
+
+        def initialize(configuration)
+          @configuration = configuration
+        end
+
+        def execute
+          gitlab_repository # ensure repository is cloned
+
+          update_gemfile!
+          install_dependencies!
+
+          issue_url = create_issue!
+
+          puts "Successfully created Issue: #{issue_url}"
+        end
+
+        def patch
+          gitlab_repository.diff.patch
+        end
+
+        def gemfile_path
+          gitlab_repository_path.join("Gemfile")
+        end
+
+        def gem_version
+          File.read(gem_version_file).strip
+        end
+
+        def branch_name
+          BRANCH_NAME % gem_version
+        end
+
+        def commit_message
+          COMMIT_MESSAGE % gem_version
+        end
+
+        def target_project_id
+          configuration.issue_target_project_id
+        end
+
+        def access_token
+          configuration.gitlab_issue_access_token
+        end
+
+        private
+
+        def gitlab_repository
+          @gitlab_repository ||= if File.exist?(gitlab_repository_path)
+                                   Git.open(gitlab_repository_path)
+                                 else
+                                   Git.clone(configuration.gitlab_repository, gitlab_repository_path, depth: 1)
+                                 end
+        end
+
+        def update_gemfile!
+          Gitlab::SecurityReportSchemas::Release::Gemfile.update!(self)
+        end
+
+        def install_dependencies!
+          bundle do
+            install!
+            checksum!
+            verify_checksum!
+          end
+        end
+
+        def bundle(&block)
+          Dir.chdir(gitlab_repository_path) do
+            Gitlab::SecurityReportSchemas::Release::Bundler.module_eval(&block)
+          end
+        end
+
+        def create_issue!
+          Gitlab::SecurityReportSchemas::Release::Issue.create!(self)
+        end
+
+        def gitlab_repository_path
+          Gitlab::SecurityReportSchemas.root_path.join("tmp", "gitlab")
+        end
+
+        def gem_version_file
+          Gitlab::SecurityReportSchemas.root_path.join("gem_version")
+        end
+      end
+    end
+  end
+end

data/lib/gitlab/security_report_schemas/schema_ver.rb

@@ -10,17 +10,20 @@ module Gitlab
 
       include Comparable
 
-      def self.new!(version)
+      def self.new!(version, fallback: true)
         return SecurityReportSchemas.supported_versions.last if version.blank?
-        raise InvalidSchemaVersion, version unless version.match(VALID_SCHEMA_FORMAT)
 
-        new(version).itself_or_fallback
+        raise InvalidSchemaVersion, version unless version.match?(VALID_SCHEMA_FORMAT)
+
+        instance = new(version)
+
+        fallback ? instance.itself_or_fallback : instance
       end
 
       attr_reader :version
 
       def initialize(version)
-        @version = version
+        @version = version[VALID_SCHEMA_FORMAT]
       end
 
       def itself_or_fallback