
"Vulnerability" Slack notifications are not sent

  • GitLab Ultimate 14.5.0-ee.

  • "Slack notifications" integration set up for all branches.

  • Slack Webhook is working for other operations, notifications are sent to the Slack channel for:

    • Pipeline status changes (failed, fixed).
    • Push to a branch.
    • Open / Approve / close a MR.
  • Python code is analyzed, from the requirements.txt.

  • GitLab SAST and "dependency scanning" notifications are turned on in .gitlab-ci.yml.

image: docker:stable

.default:
  tags:
    - dind

include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/SAST.gitlab-ci.yml

# ...

# GitLab SAST scanning
sast:
  extends: ".default"
  stage: test
#  when: always

# GitLab dependency scanning for Python
gemnasium-python-dependency_scanning:
#  extends: ".default"
  tags:
    - dind
  • No other special changes for the notifications included in the .gitlab-ci.yml, only checkboxes in the "Slack notification" integration settings.
  • In the Merge Requests, vulnerabilities are displayed in the report, i.e. both SAST and "Dependency scanning" checks are working.
  • No notification is sent to Slack about the Vulnerabilities 🤦
    • I especially tried to introduce a new unique dependency (a new library that was not previously used in the project). No notification as well.
    • Tried with both CRITICAL, MEDIUM and INFO CVEs.
  • Example Python libraries that display CVEs:
cryptography==2.3
lxml==4.0.0

Please fix the notifications: whenever Vulnerabilities are added/changed in any branch (if notifications are set for "send from any branch") and GitLab scanners detect this change, a "Vulnerability" notification should be sent to Slack.

Proposal

The call to run hooks for new vulnerabilities was accidentally removed as part of a refactoring in !81021 (merged) (search for execute_hooks). This also means it affects all chat integrations, and maybe Jira too (which AFAIK can create Jira issues from GitLab vulnerabilities).

To fix this we can add a new "task" in https://gitlab.com/gitlab-org/gitlab/blob/b69ae9f87e6d659dc9395debf9222ef569ae49c0/ee/app/services/security/ingestion/ingest_report_slice_service.rb#L10-24, which loops through all created vulnerabilities and calls #execute_hooks on them. See implementation notes in #348467 (comment 971110335)

The actual work will be done in another Sidekiq worker, but we have to check that building the payload with ee/lib/gitlab/data_builder/vulnerability.rb is performant enough (otherwise we might want to do this asynchronously too).

Edited by Markus Koller
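As an added illustration of the proposed fix (example code, not GitLab's own; `IngestReportSliceService`, `HookRecorder`, the task classes and the CVE identifiers are stand-ins constructed for this sketch), a minimal task-based slice ingestion in which a final task calls `#execute_hooks` for every vulnerability created in that slice, and only for those:

```ruby
# Added illustration, not GitLab's code: a report-slice ingestion service
# built from ordered tasks, plus a final task that runs the vulnerability
# hooks the refactoring described above dropped.
Vulnerability = Struct.new(:id, :identifier, :severity)

# Stand-in for the integration hook dispatcher (hypothetical name).
class HookRecorder
  attr_reader :payloads
  def initialize; @payloads = []; end

  # Records the payload a chat integration would receive for one vulnerability.
  def execute_hooks(vuln)
    @payloads << { object_kind: "vulnerability", id: vuln.id, severity: vuln.severity }
  end
end

# Each task receives the shared ingestion context and mutates it.
module Tasks
  # Creates Vulnerability records for findings not already known to the project.
  class IngestVulnerabilities
    def self.execute(ctx)
      ctx[:findings].each do |f|
        next if ctx[:existing].key?(f[:identifier]) # already ingested earlier
        ctx[:next_id] += 1
        v = Vulnerability.new(ctx[:next_id], f[:identifier], f[:severity])
        ctx[:existing][f[:identifier]] = v
        ctx[:created] << v
      end
    end
  end

  # The missing step: notify integrations for each newly created vulnerability.
  class ExecuteHooks
    def self.execute(ctx)
      ctx[:created].each { |v| ctx[:hooks].execute_hooks(v) }
    end
  end
end

class IngestReportSliceService
  TASKS = [Tasks::IngestVulnerabilities, Tasks::ExecuteHooks].freeze

  # existing: identifier => Vulnerability already present in the project.
  # Returns the vulnerabilities created by this slice.
  def self.execute(findings, existing, hooks)
    ctx = { findings: findings, existing: existing, hooks: hooks,
            created: [], next_id: existing.size }
    TASKS.each { |t| t.execute(ctx) }
    ctx[:created]
  end
end
```

Re-running the same report produces no new records, so no duplicate notifications are sent; only findings absent from `existing` reach the hook task.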