RubyGems - gitlab-security_report_schemas - Versions diffs - 0.1.3.min15.0.0.max15.2.1 → 0.1.3.min15.0.0.max15.2.2 - Mend

gitlab-security_report_schemas 0.1.3.min15.0.0.max15.2.1 → 0.1.3.min15.0.0.max15.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

checksums.yaml +4 -4
data/Gemfile.lock +1 -1
data/README.md +12 -12
data/RUNBOOK.md +35 -1
data/gem_version +1 -1
data/schemas/15.2.2/cluster-image-scanning-report-format.json +1259 -0
data/schemas/15.2.2/container-scanning-report-format.json +1192 -0
data/schemas/15.2.2/coverage-fuzzing-report-format.json +1169 -0
data/schemas/15.2.2/dast-report-format.json +1574 -0
data/schemas/15.2.2/dependency-scanning-report-format.json +1180 -0
data/schemas/15.2.2/sast-report-format.json +1164 -0
data/schemas/15.2.2/secret-detection-report-format.json +1188 -0
data/supported_versions +1 -0
metadata +9 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7ba052a7936e82d5a5888c8adfd340bac1929ea5bb51215cdad3c78b108984c4
-  data.tar.gz: 53e80aab76684b7a4fe2e6ae7e6cb2e567b814e27e7cc237c6f604e27c90a964
+  metadata.gz: d69ed2a06ec3ed14840cb492a0fb999a6ea1ce02ae7359cac919d9e03fe86155
+  data.tar.gz: 482cad69c32ce1d46229b133eb9c536126572616eec770413ec1f7a1c22b2fa9
 SHA512:
-  metadata.gz: bebe86108042279de541e80deaefd90561840502d9db291940728e5d988d71b057f775abdc807f698fcf98d710d8b2f7dde3d41ce747f2de004bc903bbbeeb75
-  data.tar.gz: 29aa663c77051ab73feecbeea252f87c957ef51508069e03c81376720959c4cd138b7a0ef769136d32c795c2bb5725885aad8700a05ee56252dcc5f58485c608
+  metadata.gz: 35a601473896abf26a5206ed96906c7b9516ed5dfa2086418eedcbc7b8c801e36d45e5d186ec6df86629db886e56543898a6dc2e0b7eed2b96a0ec42595c67d1
+  data.tar.gz: 55daaeaad381551d36108a09db9385bcbedaf9f3e2e497241a7d1dd3a7efca1d7972149c116c9fd9b3e66a8227e1316014f82e4760a2533a5ce4c551e71931c2

data/Gemfile.lock CHANGED Viewed

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    gitlab-security_report_schemas (0.1.3.min15.0.0.max15.2.1)
+    gitlab-security_report_schemas (0.1.3.min15.0.0.max15.2.2)
       activesupport (>= 6, < 8)
       json_schemer (~> 2.3.0)
       mutex_m (~> 0.3.0)

data/README.md CHANGED Viewed

@@ -8,6 +8,10 @@ Rubygem for https://gitlab.com/gitlab-org/security-products/security-report-sche
 This gem provides a Ruby and command line interface to validate the report artifact generated by the security analyzers.
+## Maintenance
+See [`RUNBOOK.md`](./RUNBOOK.md) for common release and maintenance tasks.
 ## Installation
 Install the gem and add to the application's Gemfile by executing:
@@ -47,21 +51,17 @@ bundle exec security-reports-schemas $FILE_PATH
 #### Credentials
-| Key                         | Description                                                                                   |
-|-----------------------------|-----------------------------------------------------------------------------------------------|
-| `GITLAB_PUSH_ACCESS_TOKEN`  | Own project access token used to push new schema versions. Requires `write_repository` scope. |
-| `GEM_HOST_API_KEY`          | rubygems.org API key                                                                          |
+| Key                         | Description                                                                                                         |
+|-----------------------------|---------------------------------------------------------------------------------------------------------------------|
+| `GITLAB_PUSH_ACCESS_TOKEN`  | Access token for the `gl-service-dev-govern-sec-report-schemas` service account of the top-level `gitlab-org` group |
+| `GEM_HOST_API_KEY`          | rubygems.org API key (inherited from parent group)                                                                  |
 #### Configuration
-| Key                       | Default                                                | Description                            |
-|---------------------------|--------------------------------------------------------|----------------------------------------|
-| `SCHEMAS_PATH`            | `./schemas`                                            | Schema storage location                |
-| `SCHEMA_PROJECT`          | `gitlab-org/security-products/security-report-schemas` | Where to source schemas                |
-## Maintenance
-See [`RUNBOOK.md`](./RUNBOOK.md) for solutions to common maintenance tasks.
+| Key                       | Default                                                | Description             |
+|---------------------------|--------------------------------------------------------|-------------------------|
+| `SCHEMAS_PATH`            | `./schemas`                                            | Schema storage location |
+| `SCHEMA_PROJECT`          | `gitlab-org/security-products/security-report-schemas` | Where to source schemas |
 ## Development

data/RUNBOOK.md CHANGED Viewed

@@ -1,6 +1,6 @@
 # Common maintenance tasks
-### Problem
+## Manually release a new RubyGem version
 * an upstream [security-report-schemas](https://gitlab.com/gitlab-org/security-products/security-report-schemas) pipeline failed to trigger the release pipeline
 * you want to add, remove or deprecate support for report schema versions
@@ -22,6 +22,40 @@
    variable.
 3. Trigger the manual `manual-release` job in the resulting pipeline.
+## Jobs fail to self-push due to an expired service account access token
+To self-push commits, we use an access token of a service account which
+belongs to the top-level `gitlab-org` group. This token is kept in this project's
+`GITLAB_PUSH_ACCESS_TOKEN` CI variable and the token expires yearly.
+The service account access token [should get automatically rotated](https://gitlab.com/gitlab-com/team-member-epics/access-requests/-/issues/29595#note_2433504597)
+and the CI variable should get updated with the updated token.
+Should auto-rotation fail or the access token become invalid for another
+reason, the `add-schema-version` and `manual-release` jobs fail:
+```
+$ git push origin $CI_COMMIT_REF_NAME
+remote: HTTP Basic: Access denied. If a password was provided for Git authentication, the password was incorrect or you're required to use a token instead of a password. If a token was provided, it was either incorrect, expired, or improperly scoped.
+```
+### Solution: Manually rotate the service account access token
+Owners of the top-level `gitlab-org` group can manually
+[rotate the service account access token](https://docs.gitlab.com/user/profile/service_accounts/#rotate-the-personal-access-token)
+and update this project's `GITLAB_PUSH_ACCESS_TOKEN` CI variable with the
+renewed token.
+### Workaround: Use a temporary personal access token
+To release urgently without Owner access to `gitlab-org`:
+1. update the default branch protection so that you can push
+2. create a short-lived personal access token and rerun the failed `manual-release`
+   job, setting the CI variable `GITLAB_PUSH_ACCESS_TOKEN` to your short-lived token
+3. after the job succeeded, revoke your short-lived token and restore the default
+   branch protection so that you can no longer push
 ## Find the commit SHA for a RubyGem version
 Before a rubygems.org release is created, a git tag referencing the full

data/gem_version CHANGED Viewed

	@@ -1 +1 @@
1	- 0.1.3.min15.0.0.max15.2.1
1	+ 0.1.3.min15.0.0.max15.2.2