Add vulnerability management policy to security policy JSON schema
Proposal
To support the new vulnerability management policy type, we need to add its definition to the security orchestration policy JSON schema. The schema can then be used to validate vulnerability management policies created in YAML mode.
Draft
Example YAML
type: vulnerability_management_policy
name: Auto-resolve low criticality vulnerabilities
description: Lorem ipsum dolor sit amet, consectetur adipiscing elit
enabled: true
rules:
  - type: no_longer_detected
    scanners:
      - secret_detection
      - dast
    severity_levels:
      - medium
  - type: no_longer_detected
    severity_levels:
      - low
      - info
    scanners: []
actions:
  - type: auto_resolve
Example schema
diff --git a/ee/app/validators/json_schemas/security_orchestration_policy.json b/ee/app/validators/json_schemas/security_orchestration_policy.json
index 3fa10ac68b94..a783a04d9097 100644
--- a/ee/app/validators/json_schemas/security_orchestration_policy.json
+++ b/ee/app/validators/json_schemas/security_orchestration_policy.json
@@ -23,9 +23,107 @@
"required": [
"pipeline_execution_policy"
]
+ },
+ {
+ "required": [
+ "vulnerability_management_policy"
+ ]
}
],
"properties": {
+ "vulnerability_management_policy": {
+ "type": "array",
+ "description": "Declares auto-resolve or auto-dismiss configuration for a policy.",
+ "additionalItems": false,
+ "items": {
+ "maxItems": 5,
+ "required": [
+ "name",
+ "enabled",
+ "rules",
+ "actions"
+ ],
+ "type": "object",
+ "properties": {
+ "name": {
+ "description": "Name for the policy.",
+ "minLength": 1,
+ "maxLength": 255,
+ "type": "string"
+ },
+ "description": {
+ "description": "Specifies the longer description of the policy.",
+ "type": "string"
+ },
+ "enabled": {
+ "description": "Whether to enforce this policy or not.",
+ "type": "boolean"
+ },
+ "rules": {
+ "description": "Specifies conditions when this policy should be applied.",
+ "type": "array",
+ "additionalItems": false,
+ "items": {
+ "type": "object",
+ "required": ["type", "scanners", "severity_levels"],
+ "properties": {
+ "type": {
+ "enum": [
+ "no_longer_detected"
+ ],
+ "type": "string",
+ "description": "Specifies a type of the policy rule."
+ },
+ "scanners": {
+ "description": "Specifies a list of scanners that should be considered to enforce this policy. Possible values: `sast`, `secret_detection`, `dependency_scanning`, `container_scanning`, `dast`, `coverage_fuzzing`, `api_fuzzing`.",
+ "type": "array",
+ "additionalItems": false,
+ "items": {
+ "type": "string"
+ }
+ },
+ "severity_levels": {
+ "description": "Specifies a list of vulnerability security levels that should be concidered to enforce this policy. Possible values: `info`, `unknown`, `low`, `medium`, `high`, `critical`.",
+ "type": "array",
+ "additionalItems": false,
+ "items": {
+ "type": "string",
+ "enum": [
+ "critical",
+ "high",
+ "medium",
+ "low",
+ "info",
+ "unknown"
+ ]
+ }
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "actions": {
+ "type": "array",
+ "description": "Specificies what actions should be performed on the matched vulnerabilities.",
+ "additionalItems": false,
+ "maxItems": 1,
+ "items": {
+ "type": "object",
+ "properties": {
+ "type": {
+ "description": "The type of action that should be taken. Available: `auto_resolve`.",
+ "enum": [
+ "auto_resolve"
+ ],
+ "type": "string"
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "policy_scope": {
+ "$ref": "#/$defs/policy_scope"
+ }
+ }
+ }
+ },
"pipeline_execution_policy": {
"type": "array",
"description": "Declares custom pipeline configuration for a policy.",
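Review bot: `"maxItems": 5` is placed inside `"items"` (the schema for a single policy object), where it never applies, so this draft does not cap the number of policies; move it up beside `"type": "array"` under `"vulnerability_management_policy"`. The `actions` item schema has no `"required": ["type"]`, so an empty action object `{}` passes validation even though the example YAML relies on `type: auto_resolve`. `scanners` lists a fixed set of values in its description but only constrains `"type": "string"`; an `enum` like the one on `severity_levels` would reject typos in YAML mode. The example YAML also carries a top-level `type: vulnerability_management_policy`, while the policy object sets `"additionalProperties": false` without a `type` property, so that key must be stripped before validation or declared here. Minor: "concidered" and "Specificies" in the descriptions.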
Later on, two additional rule types, "match_file_paths" and "match_identifiers", will be added, each with further configuration options when selected. The action type "auto_dismiss" will also be added; it will require a dismissal reason to be set.
Implementation plan
- Update the JSON schema security_orchestration_policy.json
- Limit the number of policies of this type to 5; add a concern and use it within the security orchestration helper and security orchestration config to enforce the limit
- Update specs + factories + fixtures
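To see what the draft schema and the 5-policy limit actually accept and reject, here is an added example (not GitLab's validator or any code from this issue): a small validator for only the JSON Schema keywords the draft uses, run against a schema fragment mirroring the hunk above (descriptions and the `policy_scope` `$ref` left out) and a policy object constructed from the example YAML. `DRAFT_SCHEMA` keeps `maxItems: 5` under `items` as drafted; `FIXED_SCHEMA` puts it on the array, and the difference shows up when six policies are validated.

```python
"""Subset JSON Schema validator for the draft vulnerability management policy schema.

Added example: handles only type, required, properties, additionalProperties,
enum, items, maxItems, minLength and maxLength, and, like a full validator,
ignores keywords that do not apply to the kind of value being checked.
"""

TYPE_CHECKS = {
    "object": lambda v: isinstance(v, dict),
    "array": lambda v: isinstance(v, list),
    "string": lambda v: isinstance(v, str),
    "boolean": lambda v: isinstance(v, bool),
}


def validate(instance, schema, path="$"):
    """Return a list of error strings; an empty list means the instance is valid."""
    errors = []
    if "type" in schema and not TYPE_CHECKS[schema["type"]](instance):
        return [f"{path}: expected {schema['type']}"]
    if "enum" in schema and instance not in schema["enum"]:
        errors.append(f"{path}: {instance!r} not in {schema['enum']}")
    if isinstance(instance, str):
        if len(instance) < schema.get("minLength", 0):
            errors.append(f"{path}: shorter than minLength")
        if len(instance) > schema.get("maxLength", float("inf")):
            errors.append(f"{path}: longer than maxLength")
    if isinstance(instance, dict):
        for key in schema.get("required", []):
            if key not in instance:
                errors.append(f"{path}: missing required '{key}'")
        props = schema.get("properties", {})
        for key, value in instance.items():
            if key in props:
                errors += validate(value, props[key], f"{path}.{key}")
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{path}: unexpected property '{key}'")
    if isinstance(instance, list):
        # maxItems only constrains arrays; on an object schema it is inert
        if len(instance) > schema.get("maxItems", float("inf")):
            errors.append(f"{path}: more than {schema['maxItems']} items")
        if isinstance(schema.get("items"), dict):
            for i, item in enumerate(instance):
                errors += validate(item, schema["items"], f"{path}[{i}]")
    return errors


# Schema fragment mirroring the proposal's hunk (descriptions and policy_scope omitted)
RULE_SCHEMA = {
    "type": "object",
    "required": ["type", "scanners", "severity_levels"],
    "properties": {
        "type": {"type": "string", "enum": ["no_longer_detected"]},
        "scanners": {"type": "array", "items": {"type": "string"}},
        "severity_levels": {"type": "array", "items": {
            "type": "string",
            "enum": ["critical", "high", "medium", "low", "info", "unknown"]}},
    },
    "additionalProperties": False,
}
ACTION_SCHEMA = {
    "type": "object",
    "properties": {"type": {"type": "string", "enum": ["auto_resolve"]}},
    "additionalProperties": False,
}
POLICY_SCHEMA = {
    "type": "object",
    "required": ["name", "enabled", "rules", "actions"],
    "properties": {
        "name": {"type": "string", "minLength": 1, "maxLength": 255},
        "description": {"type": "string"},
        "enabled": {"type": "boolean"},
        "rules": {"type": "array", "items": RULE_SCHEMA},
        "actions": {"type": "array", "maxItems": 1, "items": ACTION_SCHEMA},
    },
    "additionalProperties": False,
}
# As drafted: maxItems sits inside "items", i.e. on the per-policy object schema
DRAFT_SCHEMA = {"type": "array", "items": {"maxItems": 5, **POLICY_SCHEMA}}
# maxItems on the array itself, where it limits the number of policies
FIXED_SCHEMA = {"type": "array", "maxItems": 5, "items": POLICY_SCHEMA}

# Constructed from the example YAML in this proposal (top-level `type:` key left out,
# since the object schema declares no such property)
EXAMPLE_POLICY = {
    "name": "Auto-resolve low criticality vulnerabilities",
    "description": "Lorem ipsum dolor sit amet, consectetur adipiscing elit",
    "enabled": True,
    "rules": [
        {"type": "no_longer_detected", "scanners": ["secret_detection", "dast"],
         "severity_levels": ["medium"]},
        {"type": "no_longer_detected", "severity_levels": ["low", "info"], "scanners": []},
    ],
    "actions": [{"type": "auto_resolve"}],
}


def check_policies(policies, schema=FIXED_SCHEMA):
    """Validate the list stored under the vulnerability_management_policy key."""
    return validate(policies, schema)


if __name__ == "__main__":
    for label, result in [
        ("example policy", check_policies([EXAMPLE_POLICY])),
        ("six policies, maxItems under items", check_policies([EXAMPLE_POLICY] * 6, DRAFT_SCHEMA)),
        ("six policies, maxItems on array", check_policies([EXAMPLE_POLICY] * 6)),
    ]:
        print(label, "->", result or "valid")
```

Running it shows the example policy passing under both placements, six copies passing under `DRAFT_SCHEMA` and failing only under `FIXED_SCHEMA`; the same harness also shows that an action object without `type` is accepted, because the draft's `actions` item schema lists no required keys.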
Verification
Edited by Lorenz van Herwaarden