Replace message by name for vulnerabilities
What does this MR do and why?
Although some scanners, like the one in this example, still populate `vulnerabilities[].message`, the security report schema has been updated not to include it.
The dependency list formatter is still relying on `vulnerabilities[].message` in order to set `name`.
This MR replaces `message` by `name`, which already exists for the vulnerabilities.
Related issue: #395726 (closed)
Screenshots or screen recordings
| Before | After |
|---|---|
How to set up and validate locally
- Create a project with the following `.gitlab-ci.yml` file:

  ```yaml
  container_scanning:
    variables:
      DOCKER_IMAGE: python:3.4-alpine
  include:
    - template: Security/Container-Scanning.gitlab-ci.yml
  ```

- Run a new pipeline.
- Using the rails console, this:

  ```ruby
  Ci::Pipeline.find(<THE-ID-OF-THE-PIPELINE>).dependency_list_report.dependencies
  ```

  should return something similar to:

  ```ruby
  {:name=>"expat",
   :packager=>"alpine:3.9.2 (apk)",
   :package_manager=>"alpine:3.9.2 (apk)",
   :location=>{:blob_path=>"/root/cs_test/-/blob/376e52aea61b8d18430e65bd469f84de54523453/container-image:python:3.4-alpine", :path=>"container-image:python:3.4-alpine"},
   :version=>"2.2.6-r0",
   :licenses=>[],
   :vulnerabilities=>
    [{:name=>"CVE-2019-15903 in python:3.4-alpine:expat", :severity=>"high", :id=>589, :url=>"http://gdk.test:3000/root/cs_test/-/security/vulnerabilities/589"},
     {:name=>"CVE-2018-20843 in python:3.4-alpine:expat", :severity=>"high", :id=>612, :url=>"http://gdk.test:3000/root/cs_test/-/security/vulnerabilities/612"}]}
  ```
  Expectation: prior to this MR, `vulnerabilities[].name` should be `nil`, while after this change it should match `Vulnerabilities::Finding#name`.
- From the frontend perspective, visiting `http://<GITLAB-HOST>/<PROJECT-FULL-PATH>/-/dependencies` should have similar results to the ones in the screenshots section.
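The following is an added example, not GitLab's formatter and not code from this MR. It is a minimal stand-in that mirrors the expectation above: a formatter that derives the vulnerability name from `message` returns `nil` as soon as a scanner follows the updated schema and omits that field, while one that reads `name` keeps working. The finding hashes, the `build_url` helper and its base URL are constructed for this example and are assumptions, not GitLab's data model.

```ruby
# Added example (not GitLab's code): why reading `vulnerabilities[].message`
# breaks once a scanner stops emitting it, and why reading `name` does not.

# Hypothetical base URL; GitLab builds the real one from the project path.
VULNERABILITY_BASE_URL = "http://gdk.test:3000/root/cs_test/-/security/vulnerabilities".freeze

# Constructed sample findings (hypothetical values, shaped like the rails
# console output above). The first scanner still fills `message`; the second
# follows the updated security report schema and omits it.
SAMPLE_FINDINGS = [
  {
    "id" => 589,
    "name" => "CVE-2019-15903 in python:3.4-alpine:expat",
    "message" => "CVE-2019-15903 in python:3.4-alpine:expat",
    "severity" => "high"
  },
  {
    "id" => 612,
    "name" => "CVE-2018-20843 in python:3.4-alpine:expat",
    "severity" => "high"
  }
].freeze

def build_url(id)
  "#{VULNERABILITY_BASE_URL}/#{id}"
end

# Before: the displayed name comes from `message`, which the schema no longer
# guarantees, so a schema-conformant finding yields `name: nil`.
def format_vulnerabilities_before(findings)
  findings.map do |finding|
    {
      name: finding["message"],
      severity: finding["severity"],
      id: finding["id"],
      url: build_url(finding["id"])
    }
  end
end

# After: `name` is read directly; it is present on every finding.
def format_vulnerabilities_after(findings)
  findings.map do |finding|
    {
      name: finding["name"],
      severity: finding["severity"],
      id: finding["id"],
      url: build_url(finding["id"])
    }
  end
end

# Returns [old_name, new_name] for the finding that omits `message`, i.e.
# the pair the MR's "Expectation" paragraph describes.
def names_for_schema_conformant_finding
  old_name = format_vulnerabilities_before(SAMPLE_FINDINGS).last[:name]
  new_name = format_vulnerabilities_after(SAMPLE_FINDINGS).last[:name]
  [old_name, new_name]
end

if $PROGRAM_NAME == __FILE__
  p format_vulnerabilities_before(SAMPLE_FINDINGS)
  p format_vulnerabilities_after(SAMPLE_FINDINGS)
end
```

Running the file prints both formatter outputs; the second entry of the "before" output has `:name=>nil`, which is exactly the gap the frontend dependency list would show for scanners that no longer emit `message`.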
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.