Standalone vulnerabilities on Dependency List page - extract data from database

related to #214095 (closed)

Summary

Right now on Dependency List page, we have information about vulnerabilities, but it's not actionable. We need to provide a link to the standalone vulnerability page so users can interact with vulnerabilities.

Further details

We currently parse the information for the Dependency List page on the fly. That means the vulnerabilities come not from the database but from the report itself. To link the Dependency List with standalone vulnerabilities, we first need to change the way we select the vulnerabilities that go into the Dependency List payload.

We can use the vulnerability findings stored in the DB even though they're only available for the default branch, because the Dependency List is also limited to the default branch.

For now, the relationship between an Occurrence and a standalone Vulnerability is 1:1, and this is not going to change in the near future.

Implementation plan

  • Merge the vulnerabilities stored in the database into the dependency payload. (Right now, the data about vulnerabilities is taken from the parsed report.) The vulnerabilities added to the dependencies payload should be standalone vulnerabilities.

changes to ee/app/models/ee/ci/build.rb (pseudocode):

  def collect_dependency_list_reports!(dependency_list_report)
    if project.feature_available?(:dependency_scanning)
      # ADDED: pass pipeline to DependencyList.new
      dependency_list = ::Gitlab::Ci::Parsers::Security::DependencyList.new(project, sha, pipeline)

      each_report(::Ci::JobArtifact::DEPENDENCY_LIST_REPORT_FILE_TYPES) do |_, blob|
        dependency_list.parse!(blob, dependency_list_report)
      end
    end

    dependency_list_report
  end

changes to ee/lib/gitlab/ci/parsers/security/dependency_list.rb (pseudocode):

  def parse!(json_data, report)
    report_data = Gitlab::Json.parse(json_data)
    parse_dependency_names(report_data, report)

    # CHANGED: leverage vulnerability findings stored in the database
    # (`pipeline` is the one passed to DependencyList.new in build.rb above)
    vuln_occurrences = pipeline.vulnerability_findings.dependency_scanning

    vuln_occurrences.each do |occurrence|
      dependency = occurrence.dig("location", "dependency")
      package_manager = "" # package manager will be extracted from the dependency_files
      file = occurrence.file
      vulnerability = occurrence.metadata
      report.add_dependency(formatter.format(dependency, package_manager, file, vulnerability))
    end
  end
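The merge step described in the plan above, as an added stand-alone illustration that is not code from this issue or from GitLab itself: the dependencies still come from the parsed report, while the vulnerabilities attached to each of them come from persisted findings that already carry a standalone vulnerability id. The `Finding` struct, the sample report, the `(file, name, version)` join key and the `/-/security/vulnerabilities/:id` link format are assumptions made for this example. It also shows the edge case a practitioner wants handled: a stored finding whose dependency is no longer in the report must not produce a phantom dependency in the payload.

```ruby
require 'json'

# Constructed sample: a minimal dependency scanning report with only the
# fields this example needs (not a real analyzer output).
SAMPLE_REPORT_JSON = <<~JSON
{
  "dependency_files": [
    {
      "path": "Gemfile.lock",
      "package_manager": "bundler",
      "dependencies": [
        { "package": { "name": "rails" }, "version": "6.0.0" },
        { "package": { "name": "nokogiri" }, "version": "1.10.0" }
      ]
    },
    {
      "path": "package-lock.json",
      "package_manager": "npm",
      "dependencies": [
        { "package": { "name": "lodash" }, "version": "4.17.15" }
      ]
    }
  ]
}
JSON

# Assumed stand-in for a persisted finding record: it carries the standalone
# vulnerability id plus the location that was parsed out of the report.
Finding = Struct.new(:vulnerability_id, :severity, :name, :file, :location, keyword_init: true)

# Constructed findings; ids, names and severities are made up.
SAMPLE_FINDINGS = [
  Finding.new(vulnerability_id: 101, severity: 'high', name: 'Constructed finding A',
              file: 'Gemfile.lock',
              location: { 'dependency' => { 'package' => { 'name' => 'nokogiri' }, 'version' => '1.10.0' } }),
  Finding.new(vulnerability_id: 102, severity: 'medium', name: 'Constructed finding B',
              file: 'package-lock.json',
              location: { 'dependency' => { 'package' => { 'name' => 'lodash' }, 'version' => '4.17.15' } }),
  # Stale finding: its dependency is not in the current report, so it must be
  # ignored rather than create a dependency that does not exist.
  Finding.new(vulnerability_id: 103, severity: 'low', name: 'Constructed stale finding',
              file: 'Gemfile.lock',
              location: { 'dependency' => { 'package' => { 'name' => 'gone' }, 'version' => '0.1.0' } })
]

# Join key: the same package/version can appear in several lock files, so the
# file path is part of the key.
def dependency_key(file, name, version)
  [file, name, version]
end

# Build the dependency-list payload. Dependencies come from the parsed report;
# vulnerabilities come from the findings, joined on (file, name, version).
# project_path is only used to build the link to the standalone vulnerability
# page (assumed URL layout).
def build_dependency_list(report_json, findings, project_path)
  report = JSON.parse(report_json)

  findings_by_key = Hash.new { |h, k| h[k] = [] }
  findings.each do |f|
    dep = f.location.fetch('dependency')
    findings_by_key[dependency_key(f.file, dep.dig('package', 'name'), dep['version'])] << f
  end

  report.fetch('dependency_files').flat_map do |df|
    df.fetch('dependencies').map do |dep|
      name = dep.dig('package', 'name')
      version = dep['version']
      {
        name: name,
        version: version,
        package_manager: df['package_manager'],
        location: { path: df['path'] },
        vulnerabilities: findings_by_key[dependency_key(df['path'], name, version)].map do |f|
          {
            id: f.vulnerability_id,
            name: f.name,
            severity: f.severity,
            url: "/#{project_path}/-/security/vulnerabilities/#{f.vulnerability_id}"
          }
        end
      }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(build_dependency_list(SAMPLE_REPORT_JSON, SAMPLE_FINDINGS, 'group/app'))
end
```

Running the file prints three dependencies; only `nokogiri` and `lodash` carry a vulnerability entry, each with the id needed to link to the standalone page, and finding 103 is dropped because nothing in the report matches it.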