From 658789f080d3073c6e68e63ed72661c11bac6191 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone <exarkun@twistedmatrix.com>
Date: Mon, 22 Mar 2021 14:36:20 -0400
Subject: [PATCH] Hack our logic into the script instead

---
 .gitlab-ci.yml              |  5 -----
 ci-tools/vulnerability-scan | 14 ++++++++++++++
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index d92b5037..1e3186bf 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -10,11 +10,6 @@ unit-tests:
 
 vulnerability-scan:
   stage: "test"
-  # It would be nice to target this a bit more specifically.  If we upgrade to
-  # a newer GitLab (13.11?) then we can select exit codes that are allowed.
-  # For now we're stuck with true/false though.
-  # https://whetstone.privatestorage.io/help/ci/yaml/README.md#allow_failure
-  allow_failure: true
   script:
     - "ci-tools/vulnerability-scan security-report.txt"
   artifacts:
diff --git a/ci-tools/vulnerability-scan b/ci-tools/vulnerability-scan
index 94cfd3f8..0a3a7762 100755
--- a/ci-tools/vulnerability-scan
+++ b/ci-tools/vulnerability-scan
@@ -37,4 +37,18 @@ fi
 # config.  vulnix exit status indicates what vulnix thinks happened.  If we
 # upgrade to a newer GitLab then we can make GitLab pipeline behavior vary
 # based on this.
+#
+# For now, allow 0 (no errors), 1 (only whitelisted errors), and 2
+# (non-whitelisted errors).  3 indicates unexpected error so we let that
+# propagate.
+set +e
 nix-shell -p vulnix --run 'vulnix ./scan-target/' | tee "$OUTPUT"
+vulnix_status=$?
+set -e
+
+echo "vulnix status: $vulnix_status"
+if [ $vulnix_status -eq 3 ]; then
+    exit $vulnix_status
+else
+    exit 0
+fi
-- 
GitLab