Fix gitlab security report schema validation errors

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

Author: lelia

socketsecurity/core/messages.py

@@ -3,7 +3,7 @@
 import os
 import re
 import uuid
-from datetime import datetime
+from datetime import datetime, timezone
 from pathlib import Path
 from mdutils import MdUtils
 from prettytable import PrettyTable
@@ -593,6 +593,20 @@ def create_security_comment_json(diff: Diff) -> dict:
             output["new_alerts"].append(json.loads(str(alert)))
         return output
 
+    @staticmethod
+    def _pkg_type_to_package_manager(pkg_type: str) -> str:
+        """Map Socket pkg_type to GitLab package_manager name for dependency_files."""
+        mapping = {
+            "npm": "npm",
+            "pypi": "pip",
+            "go": "go",
+            "maven": "maven",
+            "gem": "bundler",
+            "nuget": "nuget",
+            "cargo": "cargo",
+        }
+        return mapping.get(pkg_type, pkg_type or "unknown")
+
     @staticmethod
     def map_socket_severity_to_gitlab(severity: str) -> str:
         """
@@ -743,14 +757,16 @@ def create_security_comment_gitlab(diff: Diff) -> dict:
                     }
                 },
                 "type": "dependency_scanning",
-                "start_time": datetime.utcnow().isoformat() + "Z",
-                "end_time": datetime.utcnow().isoformat() + "Z",
+                "start_time": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S"),
+                "end_time": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S"),
                 "status": "success"
             },
-            "vulnerabilities": []
+            "vulnerabilities": [],
+            "dependency_files": []
         }
 
-        # Process each alert
+        dep_files_map: dict = {}
+
         for alert in diff.new_alerts:
             vulnerability = {
                 "id": Messages.generate_uuid_from_alert_gitlab(alert),
@@ -764,12 +780,29 @@ def create_security_comment_gitlab(diff: Diff) -> dict:
                 "location": Messages.extract_location_gitlab(alert)
             }
 
-            # Add solution if available
             if hasattr(alert, 'suggestion') and alert.suggestion:
                 vulnerability["solution"] = alert.suggestion
 
             gitlab_report["vulnerabilities"].append(vulnerability)
 
+            file_path = vulnerability["location"]["file"]
+            if file_path != "unknown":
+                pkg_manager = Messages._pkg_type_to_package_manager(
+                    alert.pkg_type if hasattr(alert, 'pkg_type') else ""
+                )
+                if file_path not in dep_files_map:
+                    dep_files_map[file_path] = {
+                        "path": file_path,
+                        "package_manager": pkg_manager,
+                        "dependencies": []
+                    }
+                dep_files_map[file_path]["dependencies"].append({
+                    "package": {"name": alert.pkg_name},
+                    "version": alert.pkg_version
+                })
+
+        gitlab_report["dependency_files"] = list(dep_files_map.values())
+
         return gitlab_report
 
     @staticmethod

tests/unit/test_gitlab_format.py

@@ -1,3 +1,5 @@
+import re
+
 import pytest
 from socketsecurity.core.messages import Messages
 from socketsecurity.core.classes import Diff, Issue
@@ -6,19 +8,23 @@
 class TestGitLabFormat:
     """Test suite for GitLab Security Dashboard format generation"""
 
+    # GitLab v15.0.0 schema: ^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}$
+    GITLAB_TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}$")
+
     def test_gitlab_report_structure(self):
-        """Test basic GitLab report structure is valid"""
+        """Test basic GitLab report structure matches v15.0.0 schema requirements"""
         diff = Diff()
         diff.new_alerts = []
         diff.id = "test-scan-id"
         diff.diff_url = "https://socket.dev/test"
 
         report = Messages.create_security_comment_gitlab(diff)
 
-        # Verify required top-level fields
+        # All four root-level keys required by v15.0.0 schema
         assert "version" in report
         assert "scan" in report
         assert "vulnerabilities" in report
+        assert "dependency_files" in report
 
         # Verify scan structure
         assert report["scan"]["type"] == "dependency_scanning"
@@ -28,6 +34,12 @@ def test_gitlab_report_structure(self):
         assert report["scan"]["scanner"]["id"] == "socket-cli"
         assert report["scan"]["status"] == "success"
 
+        # Timestamps must match GitLab pattern (no microseconds, no trailing Z)
+        assert self.GITLAB_TIMESTAMP_RE.match(report["scan"]["start_time"]), \
+            f"start_time '{report['scan']['start_time']}' doesn't match GitLab pattern"
+        assert self.GITLAB_TIMESTAMP_RE.match(report["scan"]["end_time"]), \
+            f"end_time '{report['scan']['end_time']}' doesn't match GitLab pattern"
+
     def test_vulnerability_mapping(self):
         """Test Socket Issue maps correctly to GitLab vulnerability"""
         diff = Diff()
@@ -391,3 +403,118 @@ def test_manifests_attribute_fallback(self):
         vuln = report["vulnerabilities"][0]
 
         assert vuln["location"]["file"] == "requirements.txt"
+
+    def test_dependency_files_populated_from_alerts(self):
+        """Test dependency_files is built from alert locations per v15.0.0 schema"""
+        diff = Diff()
+        diff.id = "test-scan-id"
+        diff.diff_url = "https://socket.dev/test"
+
+        diff.new_alerts = [
+            Issue(
+                pkg_name="pkg-a",
+                pkg_version="1.0.0",
+                type="malware",
+                severity="high",
+                title="Alert A",
+                manifests="package.json",
+                pkg_type="npm",
+                key="key-a",
+                purl="pkg:npm/pkg-a@1.0.0"
+            ),
+            Issue(
+                pkg_name="pkg-b",
+                pkg_version="2.0.0",
+                type="vulnerability",
+                severity="medium",
+                title="Alert B",
+                manifests="requirements.txt",
+                pkg_type="pypi",
+                key="key-b",
+                purl="pkg:pypi/pkg-b@2.0.0"
+            ),
+        ]
+
+        report = Messages.create_security_comment_gitlab(diff)
+
+        assert "dependency_files" in report
+        dep_files = report["dependency_files"]
+        assert len(dep_files) == 2
+
+        paths = {df["path"] for df in dep_files}
+        assert "package.json" in paths
+        assert "requirements.txt" in paths
+
+        for df in dep_files:
+            assert "path" in df
+            assert "package_manager" in df
+            assert "dependencies" in df
+            assert isinstance(df["dependencies"], list)
+            assert len(df["dependencies"]) >= 1
+            for dep in df["dependencies"]:
+                assert "package" in dep
+                assert "name" in dep["package"]
+                assert "version" in dep
+
+    def test_dependency_files_groups_by_manifest(self):
+        """Test multiple alerts from the same manifest are grouped into one dependency_file"""
+        diff = Diff()
+        diff.id = "test-scan-id"
+        diff.diff_url = "https://socket.dev/test"
+
+        diff.new_alerts = [
+            Issue(
+                pkg_name="pkg-a", pkg_version="1.0.0", type="malware", severity="high",
+                title="A", manifests="package.json", pkg_type="npm", key="k1", purl="pkg:npm/pkg-a@1.0.0"
+            ),
+            Issue(
+                pkg_name="pkg-b", pkg_version="2.0.0", type="vulnerability", severity="low",
+                title="B", manifests="package.json", pkg_type="npm", key="k2", purl="pkg:npm/pkg-b@2.0.0"
+            ),
+        ]
+
+        report = Messages.create_security_comment_gitlab(diff)
+        dep_files = report["dependency_files"]
+
+        assert len(dep_files) == 1
+        assert dep_files[0]["path"] == "package.json"
+        assert dep_files[0]["package_manager"] == "npm"
+        assert len(dep_files[0]["dependencies"]) == 2
+
+    def test_dependency_files_empty_when_no_alerts(self):
+        """Test dependency_files is an empty array when there are no alerts"""
+        diff = Diff()
+        diff.id = "test-scan-id"
+        diff.diff_url = "https://socket.dev/test"
+        diff.new_alerts = []
+
+        report = Messages.create_security_comment_gitlab(diff)
+        assert report["dependency_files"] == []
+
+    def test_dependency_files_skips_unknown_manifest(self):
+        """Test alerts with unknown manifest don't produce dependency_file entries"""
+        diff = Diff()
+        diff.id = "test-scan-id"
+        diff.diff_url = "https://socket.dev/test"
+
+        diff.new_alerts = [
+            Issue(
+                pkg_name="pkg-a", pkg_version="1.0.0", type="malware", severity="high",
+                title="A", pkg_type="npm", key="k1", purl="pkg:npm/pkg-a@1.0.0"
+            ),
+        ]
+
+        report = Messages.create_security_comment_gitlab(diff)
+        assert report["dependency_files"] == []
+
+    def test_pkg_type_to_package_manager_mapping(self):
+        """Test package manager mapping covers common ecosystems"""
+        assert Messages._pkg_type_to_package_manager("npm") == "npm"
+        assert Messages._pkg_type_to_package_manager("pypi") == "pip"
+        assert Messages._pkg_type_to_package_manager("go") == "go"
+        assert Messages._pkg_type_to_package_manager("maven") == "maven"
+        assert Messages._pkg_type_to_package_manager("gem") == "bundler"
+        assert Messages._pkg_type_to_package_manager("nuget") == "nuget"
+        assert Messages._pkg_type_to_package_manager("cargo") == "cargo"
+        assert Messages._pkg_type_to_package_manager("") == "unknown"
+        assert Messages._pkg_type_to_package_manager("swift") == "swift"