legitify doesn't support nested GitLab projects completely #250

Closed
mawl opened this issue Sep 8, 2023 · 8 comments
Labels
bug Something isn't working

Comments


mawl commented Sep 8, 2023

TL;DR

With v1.0.2, nested GitLab projects should be supported, but after updating legitify, it has issues with groups and is now missing policies.

Expected behavior

All policies are shown and group gets analyzed, too.

Observed behavior

From the logs:
2023/09/08 09:10:49 2023/09/08 09:10:49 couldn't find group group/subgroup

And some policies weren't shown:

Before (v1.0.1: analyzed project was under group/project):

Legitify Findings Summary:
+---+------------+--------------------------------+----------+--------+--------+---------+
| # | Namespace  |             Policy             | Severity | Passed | Failed | Skipped |
+---+------------+--------------------------------+----------+--------+--------+---------+
| 1 | repository | Default Branch Should Be       | MEDIUM   | 0      | 1      | 0       |
|    |            | Protected                      |          |        |        |         |
+---+------------+--------------------------------+----------+--------+--------+---------+
| 2 | repository | Default Branch Should Not      | MEDIUM   | 0      | 1      | 0       |
|    |            | Allow Force Pushes             |          |        |        |         |
+---+------------+--------------------------------+----------+--------+--------+---------+
| 3 | repository | Project Should Require All     | MEDIUM   | 0      | 1      | 0       |
|    |            | Pipelines to Succeed           |          |        |        |         |
+---+------------+--------------------------------+----------+--------+--------+---------+

After (v1.0.2: analyzed project was under group/subgroup/project):

Legitify Findings Summary:
+---+------------+--------------------------------+----------+--------+--------+---------+
| # | Namespace  |             Policy             | Severity | Passed | Failed | Skipped |
+---+------------+--------------------------------+----------+--------+--------+---------+
| 1 | repository | Project Should Require All     | MEDIUM   | 0      | 1      | 0       |
|    |            | Pipelines to Succeed           |          |        |        |         |
+---+------------+--------------------------------+----------+--------+--------+---------+

Version

1.0.2

On which operating system are you using legitify?

Linux

Relevant log output

No response

Additional information

No response
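
An added example, not part of the original issue or of legitify itself: a CI-side check that diffs two "Legitify Findings Summary" tables and lists policies that silently dropped out of the report, using the two tables from the report above as sample input. It assumes the human-readable table layout shown in this issue; `parse_summary` and `dropped_policies` are hypothetical helper names.

```python
"""Added example: diff two "Legitify Findings Summary" tables to spot dropped policies."""

SEP = "+---+------------+--------------------------------+----------+--------+--------+---------+"
HEAD = "| # | Namespace  |             Policy             | Severity | Passed | Failed | Skipped |"
# Sample input: rows copied from the v1.0.1 and v1.0.2 summaries in the issue.
BEFORE = "\n".join([SEP, HEAD, SEP,
    "| 1 | repository | Default Branch Should Be       | MEDIUM   | 0      | 1      | 0       |",
    "|    |            | Protected                      |          |        |        |         |", SEP,
    "| 2 | repository | Default Branch Should Not      | MEDIUM   | 0      | 1      | 0       |",
    "|    |            | Allow Force Pushes             |          |        |        |         |", SEP,
    "| 3 | repository | Project Should Require All     | MEDIUM   | 0      | 1      | 0       |",
    "|    |            | Pipelines to Succeed           |          |        |        |         |", SEP])
AFTER = "\n".join([SEP, HEAD, SEP,
    "| 1 | repository | Project Should Require All     | MEDIUM   | 0      | 1      | 0       |",
    "|    |            | Pipelines to Succeed           |          |        |        |         |", SEP])


def parse_summary(text):
    """Return {policy title: {"severity", "passed", "failed", "skipped"}}."""
    policies, row = {}, None

    def flush():
        # Keep only data rows; the header row has "#" in the first cell.
        if row and row[0].isdigit():
            counts = [int(c) for c in row[4:7]]
            policies[row[2]] = dict(zip(("passed", "failed", "skipped"), counts), severity=row[3])

    for line in text.splitlines():
        line = line.strip()
        if line.startswith("+"):        # a border line ends the current row
            flush()
            row = None
        elif line.startswith("|"):
            cells = [c.strip() for c in line.strip("|").split("|")]
            # Wrapped cells continue on the next line; join them with a space.
            row = cells if row is None else [f"{a} {b}".strip() for a, b in zip(row, cells)]
    flush()                             # table without a closing border
    return policies


def dropped_policies(baseline, current):
    """Policies reported in the baseline run but absent from the current one."""
    return sorted(set(parse_summary(baseline)) - set(parse_summary(current)))


if __name__ == "__main__":
    for title in dropped_policies(BEFORE, AFTER):
        print("no longer evaluated:", title)
```

With `--failed-only`, a policy also leaves the table when it starts passing, so a hit here is a prompt to check the error file for lines such as "couldn't find group" before trusting the shorter report.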

@mawl mawl added the bug Something isn't working label Sep 8, 2023

mawl commented Sep 8, 2023

Should have been fixed with #243


mawl commented Sep 8, 2023

P.S. permissions_log.json is empty.


mawl commented Sep 8, 2023

After moving the project back to group/project, all policies have been found, so it is nothing to do with different permissions.

Legitify Findings Summary:
+---+------------+--------------------------------+----------+--------+--------+---------+
| # | Namespace  |             Policy             | Severity | Passed | Failed | Skipped |
+---+------------+--------------------------------+----------+--------+--------+---------+
| 1 | repository | Default Branch Should Be       | MEDIUM   | 0      | 1      | 0       |
|    |            | Protected                      |          |        |        |         |
+---+------------+--------------------------------+----------+--------+--------+---------+
| 2 | repository | Default Branch Should Not      | MEDIUM   | 0      | 1      | 0       |
|    |            | Allow Force Pushes             |          |        |        |         |
+---+------------+--------------------------------+----------+--------+--------+---------+
| 3 | repository | Project Should Require All     | MEDIUM   | 0      | 1      | 0       |
|    |            | Pipelines to Succeed           |          |        |        |         |
+---+------------+--------------------------------+----------+--------+--------+---------+

@noamd-legit
Contributor

> All policies are shown and group gets analyzed, too.

I'm not sure I understand this: when using the --repo flag, it analyzes only the specific repository and only repository-related policies (namespace).

Could you attach the CLI command you're using? I can't replicate this behavior locally (you can send privately if you prefer).


mawl commented Sep 11, 2023

@noamd-legit:

The command I use is:

    legitify analyze \
    --scm gitlab \
    --failed-only \
    --ignore-policies-file "${LEGITIFY_IGNORE_POLICIES_FILE}" \
    --output-format json \
    --error-file analyze.error.log \
    --output-file "${LEGITIFY_JSON_OUTPUT}" \
    --repo "${CI_PROJECT_PATH}"

The project settings for both analyses are the same. I moved the project into a subgroup to test the new feature, and I wonder why policies are missing and the error "couldn't find group group/subgroup" appears in the log.

I use a policiesignore file to activate only some policies which are:

    # missing_default_branch_protection
    # missing_default_branch_protection_force_push
    # project_not_maintained
    # requires_status_checks

If you need more input please let me know.

@mawl mawl changed the title legitify doesn't supported nested groups legitify doesn't support nested projects follow completely Sep 19, 2023
@mawl mawl changed the title legitify doesn't support nested projects follow completely legitify doesn't support nested GitLab projects completely Sep 19, 2023

mawl commented Sep 25, 2023

@noamd-legit: looking forward to your answer :)


noamd-legit commented Sep 26, 2023

Sorry, holidays season :) I will publish a fix today


mawl commented Sep 28, 2023

Thanks for the fix. It works :)

@mawl mawl closed this as completed Sep 28, 2023