
Remove security report ingestion of cve fields

Why are we doing this work

Security report schemas version 15.0.0 removed the following properties:

  • `vulnerabilities[].cve`
  • `remediations[].fixes[].cve`

We want to remove support for these properties in GitLab Rails. Once GitLab %16.0 is released, we will no longer accept any security report schemas that still include the removed properties above. At that point it is safe to remove the related code from GitLab.
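As an added example (not code from the GitLab code base or from this issue), the script below shows the two things a consumer of a 15.x report has to get right: the CVE now lives only in `identifiers[]` entries with `type: "cve"`, and any report still carrying `vulnerabilities[].cve` or `remediations[].fixes[].cve` will be rejected once 16.0 stops accepting older schemas. It walks a report, lists the removed properties that are still present (useful for sweeping the fixture files named in the implementation plan), reads CVE identifiers the schema-15 way, and strips the removed keys so an older analyzer's output can be re-checked. The embedded report and its `CVE-0000-0000` value are constructed sample data, and the function names are my own.

```ruby
require 'json'

# Constructed sample: a pre-15.0.0-style report that still carries the removed
# `cve` properties alongside the identifiers[] entries that replace them.
# The CVE id and finding id are placeholders, not real identifiers.
LEGACY_REPORT_JSON = <<~JSON
  {
    "version": "14.1.2",
    "vulnerabilities": [
      {
        "id": "example-finding-1",
        "category": "dependency_scanning",
        "name": "Example vulnerability (constructed)",
        "cve": "CVE-0000-0000",
        "identifiers": [
          { "type": "cve", "name": "CVE-0000-0000", "value": "CVE-0000-0000" },
          { "type": "gemnasium", "name": "Gemnasium-00000000", "value": "00000000" }
        ]
      }
    ],
    "remediations": [
      {
        "fixes": [ { "id": "example-finding-1", "cve": "CVE-0000-0000" } ],
        "summary": "Upgrade example dependency (constructed)",
        "diff": ""
      }
    ]
  }
JSON

# Returns JSON-pointer-style paths of every property removed in schema 15.0.0
# that is still present in the report. An empty result means the report is
# clean with respect to the two removed `cve` properties.
def removed_cve_properties(report)
  paths = []
  Array(report['vulnerabilities']).each_with_index do |vuln, i|
    paths << "/vulnerabilities/#{i}/cve" if vuln.is_a?(Hash) && vuln.key?('cve')
  end
  Array(report['remediations']).each_with_index do |rem, i|
    next unless rem.is_a?(Hash)
    Array(rem['fixes']).each_with_index do |fix, j|
      paths << "/remediations/#{i}/fixes/#{j}/cve" if fix.is_a?(Hash) && fix.key?('cve')
    end
  end
  paths
end

# Reads CVE identifiers the way a schema 15+ consumer must: from identifiers[]
# entries of type "cve", never from the removed top-level `cve` property.
def cve_identifiers(vulnerability)
  Array(vulnerability['identifiers'])
    .select { |id| id.is_a?(Hash) && id['type'].to_s.casecmp?('cve') }
    .map { |id| id['value'] }
end

# Deep-copies the report and drops the removed properties, leaving the
# original untouched, so an older analyzer's output can be re-validated.
def strip_removed_cve_properties(report)
  cleaned = JSON.parse(JSON.generate(report))
  Array(cleaned['vulnerabilities']).each { |v| v.delete('cve') if v.is_a?(Hash) }
  Array(cleaned['remediations']).each do |rem|
    next unless rem.is_a?(Hash)
    Array(rem['fixes']).each { |fix| fix.delete('cve') if fix.is_a?(Hash) }
  end
  cleaned
end

if __FILE__ == $PROGRAM_NAME
  report = JSON.parse(LEGACY_REPORT_JSON)
  puts "Removed properties still present: #{removed_cve_properties(report).inspect}"
  puts "CVE ids via identifiers[]:        #{cve_identifiers(report['vulnerabilities'][0]).inspect}"
  cleaned = strip_removed_cve_properties(report)
  puts "After stripping:                  #{removed_cve_properties(cleaned).inspect}"
end
```

Run it against a real `gl-*-report.json` by replacing the constructed `LEGACY_REPORT_JSON` with `File.read(path)`; a non-empty result from `removed_cve_properties` is exactly what the 16.0 schema validation will reject.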

This issue replaces #209850 (closed). The section below was copied from the old issue.

GitLab rails application

The Rails application still uses `cve` in a few places. Most of them appear to be optional, but it is still best to remove them (together with their specs and fixtures) first so as not to get any unpleasant surprises:

  • ee/lib/gitlab/ci/parsers/security/common.rb
  • ee/lib/gitlab/ci/parsers/security/formatters/dast.rb
  • ee/lib/gitlab/ci/reports/security/identifier.rb
  • ee/app/services/security/store_report_service.rb
  • ee/app/services/vulnerability_exports/exporters/csv_service.rb
  • ee/app/controllers/projects/vulnerability_feedback_controller.rb
  • ee/app/models/vulnerabilities/finding.rb
  • ee/app/models/vulnerabilities/identifier.rb

The one seemingly non-optional place I found in the app was in the frontend code:

  • ee/app/assets/javascripts/security_dashboard/store/constants.js

Relevant links

Implementation plan

Remove references and uses of `cve`:
  • ee/lib/gitlab/ci/parsers/security/common.rb
  • ee/lib/gitlab/ci/parsers/security/formatters/dast.rb
  • ee/lib/gitlab/ci/reports/security/identifier.rb
  • ee/app/services/security/store_report_service.rb
  • ee/app/services/vulnerability_exports/exporters/csv_service.rb
  • ee/app/controllers/projects/vulnerability_feedback_controller.rb
  • ee/app/models/vulnerabilities/finding.rb
  • ee/app/models/vulnerabilities/identifier.rb
  • ee/app/assets/javascripts/security_dashboard/store/constants.js

Additional files that may need checking (not all are necessarily needed to fulfil this change):

  • spec/factories/ci/reports/security/links.rb
  • spec/frontend/vue_shared/security_reports/mock_data.js
  • spec/fixtures/security_reports/master/gl-common-scanning-report-names.json
  • spec/fixtures/security_reports/master/gl-common-scanning-report-without-top-level-scanner.json
  • spec/fixtures/security_reports/master/gl-common-scanning-report.json
  • spec/lib/gitlab/ci/parsers/security/common_spec.rb
  • spec/lib/gitlab/ci/reports/security/link_spec.rb
  • qa/qa/ee/fixtures/secure_premade_reports/gl-dependency-scanning-report.json
  • qa/qa/ee/fixtures/fix_vulnerability_workflow_premade_reports/gl-dependency-scanning-report-1.json
  • qa/qa/ee/fixtures/fix_vulnerability_workflow_premade_reports/gl-dependency-scanning-report-2.json
  • lib/gitlab/ci/parsers/security/validators/schemas/
  • ee/spec/factories/vulnerabilities/identifiers.rb
  • ee/spec/factories/vulnerabilities/finding_links.rb
  • ee/spec/requests/api/graphql/vulnerabilities/primary_identifier_spec.rb
  • ee/spec/requests/api/graphql/vulnerabilities/identifiers_spec.rb
  • ee/spec/models/integrations/chat_message/vulnerability_message_spec.rb
  • ee/spec/frontend/security_dashboard/store/modules/vulnerabilities/data/mock_data_vulnerabilities.js
  • ee/spec/frontend/vue_shared/security_reports/mock_data.js
  • ee/spec/frontend/vue_shared/security_reports/components/snapshots/vulnerability_details_spec.js.snap
  • ee/spec/frontend/vue_shared/security_reports/store/mutations_spec.js
  • ee/spec/controllers/projects/vulnerability_feedback_controller_spec.rb
  • ee/spec/fixtures/security_reports/feature-branch/gl-cluster-image-scanning-report.json
  • ee/spec/fixtures/security_reports/feature-branch/gl-dependency-scanning-report.json
  • ee/spec/fixtures/security_reports/feature-branch/gl-container-scanning-report.json
  • ee/spec/fixtures/security_reports/dependency_list/gl-dependency-scanning-report.json
  • ee/spec/fixtures/security_reports/master/gl-dependency-scanning-report.json
  • ee/spec/fixtures/security_reports/remediations/gl-dependency-scanning-report.json
  • ee/spec/lib/gitlab/vulnerabilities/base_vulnerability_spec.rb
  • ee/spec/services/ee/merge_requests/create_from_vulnerability_data_service_spec.rb
  • ee/spec/services/ee/issues/build_from_vulnerability_service_spec.rb
  • ee/spec/services/ee/issues/create_from_vulnerability_data_service_spec.rb
  • ee/lib/ee/gitlab/ci/parsers/security/validators/schemas

Testing

  • Run `E2E:Package-and-test` in the MR pipeline to make sure the Govern specs are green.

Verification steps

  • Execute the vulnerability ingestion pipeline on a project without failure
  • View and interact with the Security Dashboard without error

Edited by Harsha Muralidhar