Secret detection vulnerabilities not filtering due to incorrect report type
Summary
When filtering by Tool, Secret Detection, the results are empty even though the unfiltered results contain secret detection entries.
Steps to reproduce
- Open https://gitlab.com/gitlab-org/gitlab/-/security/vulnerability_report/
- There are lots of Secret Detection entries
- Filter Tool by Secret Detection
- No entries
Example Project
https://gitlab.com/gitlab-org/gitlab/-/security/vulnerability_report/
What is the current bug behavior?
The filtered list is empty.
What is the expected correct behavior?
Entries that show Tool as "secret detection" appear in the results when I apply the corresponding filter.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com.
Analysis (internal link; expires 2022-05) from @dftian:
Despite the vulnerability list showing secret detection results, the vulnerability scanners don't have an entry for secret detection.
For the vulnerabilities showing up as SECRET_DETECTION, they have reportType SECRET_DETECTION, but looking at the actual scanner type, it's Gitleaks, which is a SAST scanner.
In short, it looks like the problem is that the reportType of the vulnerability doesn't match its scanner reportType. This looks like a data consistency issue.
And from @twoodham:
How is Gitleaks identified to be a SAST scanner?
Analysis from @mallocke:
- The vuln report does not load the list of scanner ids via GraphQL; they are populated on data attributes when the page is loaded, calling `ProjectsHelper#project_security_dashboard_config` and `VulnerabilityScanners::ListService`.
- The `report_type` is populated on each scanner by selecting the first vulnerability attributed to the scanner on the project. This is the heart of the problem we are seeing on gitlab-org/gitlab. The first vulnerability we have stored for the `gitleaks` scanner (`scanner_id: 703`) is type `SAST` rather than `Secret Detection`.
- When filtering by `Tool -> SAST`, the frontend does not filter all vulnerabilities with `report_type = SAST`. Instead, it filters vulnerabilities by `scanner_id`, using all the scanners with `report_type: 'SAST'`. This explains why we see `Secret Detection` when filtering for `SAST`, because our `Secret Detection` scanner is misidentified as `SAST`.
- When filtering by `Tool -> Secret Detection`, because the initial list of scanners on page load has none with `report_type: 'Secret Detection'`, the frontend sends `scanner_id: null` in the GraphQL query for vulnerabilities. This is why the `Secret Detection` filter returns no results.
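The derivation chain described above, modelled as an added Ruby example (this is illustrative code, not GitLab's own `ListService` or frontend code): scanner `report_type` taken from the first stored vulnerability, the filter resolved through scanner ids, and a consistency check that surfaces the mismatched rows. The vulnerability rows and the `filter_by_report_type` alternative are constructed assumptions.

```ruby
# Constructed sample data modelling the state in the issue: the scanner with
# id 703 (gitleaks) has an older SAST finding stored before its
# secret-detection findings; scanner 12 is a plain SAST scanner.
VULNERABILITIES = [
  { id: 1, scanner_id: 703, report_type: 'SAST' },
  { id: 2, scanner_id: 703, report_type: 'SECRET_DETECTION' },
  { id: 3, scanner_id: 703, report_type: 'SECRET_DETECTION' },
  { id: 4, scanner_id: 12,  report_type: 'SAST' }
].freeze

# Models the behaviour described for the scanner list: each scanner's
# report_type is copied from the first vulnerability attributed to it.
def scanners_from_first_vuln(vulns)
  vulns.group_by { |v| v[:scanner_id] }.map do |scanner_id, group|
    { id: scanner_id, report_type: group.first[:report_type] }
  end
end

# Models the frontend filter: map Tool -> matching scanner ids, then filter
# vulnerabilities by those ids. With no matching scanner the query carries
# scanner_id: nil and nothing is returned, which is the empty-list symptom.
def filter_by_tool_via_scanner_ids(vulns, scanners, tool)
  ids = scanners.select { |s| s[:report_type] == tool }.map { |s| s[:id] }
  scanner_ids = ids.empty? ? nil : ids
  return [] if scanner_ids.nil?

  vulns.select { |v| scanner_ids.include?(v[:scanner_id]) }
end

# Alternative (assumption, not the project's fix): filter on each
# vulnerability's own report_type instead of the scanner's derived one.
def filter_by_report_type(vulns, tool)
  vulns.select { |v| v[:report_type] == tool }
end

# Consistency check: vulnerabilities whose report_type disagrees with the
# report_type derived for their scanner. These are the rows that will be
# mis-filtered; a non-empty result flags the data inconsistency.
def inconsistent_vulnerabilities(vulns, scanners)
  derived = scanners.to_h { |s| [s[:id], s[:report_type]] }
  vulns.reject { |v| derived[v[:scanner_id]] == v[:report_type] }
end
```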