Hack our logic into the script instead

658789f0 · Jean-Paul Calderone · b9bbd7c3 · 658789f0 · 658789f0
Commit 658789f0 authored 4 years ago by Jean-Paul Calderone
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -10,11 +10,6 @@ unit-tests:

 vulnerability-scan:
  stage: "test"
-  # It would be nice to target this a bit more specifically.  If we upgrade to
-  # a newer GitLab (13.11?) then we can select exit codes that are allowed.
-  # For now we're stuck with true/false though.
-  # https://whetstone.privatestorage.io/help/ci/yaml/README.md#allow_failure
-  allow_failure: true
  script:
    - "ci-tools/vulnerability-scan security-report.txt"
  artifacts:

--- a/ci-tools/vulnerability-scan
+++ b/ci-tools/vulnerability-scan
@@ -37,4 +37,18 @@ fi
 # config.  vulnix exit status indicates what vulnix thinks happened.  If we
 # upgrade to a newer GitLab then we can make GitLab pipeline behavior vary
 # based on this.
+#
+# For now, allow 0 (no errors), 1 (only whitelisted errors), and 2
+# (non-whitelisted errors).  3 indicates unexpected error so we let that
+# propagate.
+set +e
 nix-shell -p vulnix --run 'vulnix ./scan-target/' | tee "$OUTPUT"
+vulnix_status=$?
+set -e
+
+echo "vulnix status: $vulnix_status"
+if [ $vulnix_status -eq 3 ]; then
+    exit $vulnix_status
+else
+    exit 0
+fi