
Replace message by name for vulnerabilities

What does this MR do and why?

Although some scanners, like the one in this example, still populate vulnerabilities[].message, the security report schema has been updated to no longer include it.

The dependency list formatter still relies on vulnerabilities[].message in order to set name.

This MR replaces message with name, which already exists for the vulnerabilities.

Related issue: #395726 (closed)

Screenshots or screen recordings

Before: Screenshot_2023-03-31_at_16.35.12
After: Screenshot_2023-03-31_at_16.34.03

How to set up and validate locally

  1. Create a project with the following file:

.gitlab-ci.yml:

container_scanning:
  variables:
    DOCKER_IMAGE: python:3.4-alpine

include:
- template: Security/Container-Scanning.gitlab-ci.yml

  2. Run a new pipeline

  3. In a Rails console, Ci::Pipeline.find(<THE-ID-OF-THE-PIPELINE>).dependency_list_report.dependencies should return something similar to:

{:name=>"expat",
  :packager=>"alpine:3.9.2 (apk)",
  :package_manager=>"alpine:3.9.2 (apk)",
  :location=>{:blob_path=>"/root/cs_test/-/blob/376e52aea61b8d18430e65bd469f84de54523453/container-image:python:3.4-alpine", :path=>"container-image:python:3.4-alpine"},
  :version=>"2.2.6-r0",
  :licenses=>[],
  :vulnerabilities=>
   [{:name=>"CVE-2019-15903 in python:3.4-alpine:expat", :severity=>"high", :id=>589, :url=>"http://gdk.test:3000/root/cs_test/-/security/vulnerabilities/589"},
    {:name=>"CVE-2018-20843 in python:3.4-alpine:expat", :severity=>"high", :id=>612, :url=>"http://gdk.test:3000/root/cs_test/-/security/vulnerabilities/612"}]}

Expectation: Prior to this MR, vulnerabilities[].name should be nil, while after this change it should match Vulnerabilities::Finding#name.

  4. From the frontend perspective, visiting http://<GITLAB-HOST>/<PROJECT-FULL-PATH>/-/dependencies should show results similar to the ones in the screenshots section.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Zamir Martins
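The defect described under "What does this MR do and why?", shown as an added Ruby illustration that is not the GitLab dependency list formatter; the flat finding keys (package, version) are a constructed, simplified shape assumed for the example, not the real report schema:

```ruby
# Added illustration of the defect this MR fixes; not GitLab's own formatter.
# The finding shape is simplified and constructed for the example.

# Constructed finding for the expat package from the console output above.
# Older reports carry both "message" and "name"; the updated schema keeps "name" only.
OLD_SCHEMA_FINDING = {
  'id' => 589,
  'severity' => 'high',
  'name' => 'CVE-2019-15903 in python:3.4-alpine:expat',
  'message' => 'CVE-2019-15903 in python:3.4-alpine:expat',
  'package' => 'expat',
  'version' => '2.2.6-r0'
}.freeze

# The same finding as a scanner following the updated schema would emit it.
NEW_SCHEMA_FINDING = OLD_SCHEMA_FINDING.reject { |key, _| key == 'message' }.freeze

# Second schema-conformant finding for the same package.
SECOND_FINDING = NEW_SCHEMA_FINDING.merge(
  'id' => 612, 'name' => 'CVE-2018-20843 in python:3.4-alpine:expat'
).freeze

# Before the change: name is copied from message, so it is nil for
# reports that follow the updated schema.
def format_vulnerability_before(finding)
  { name: finding['message'], severity: finding['severity'], id: finding['id'] }
end

# After the change: name is read from the field the schema still guarantees.
def format_vulnerability_after(finding)
  { name: finding['name'], severity: finding['severity'], id: finding['id'] }
end

# Groups findings by package into entries shaped like the console output above.
def dependency_entries(findings, formatter)
  findings.group_by { |f| f['package'] }.map do |package, group|
    {
      name: package,
      version: group.first['version'],
      vulnerabilities: group.map { |f| formatter.call(f) }
    }
  end
end

if $PROGRAM_NAME == __FILE__
  report = [NEW_SCHEMA_FINDING, SECOND_FINDING]
  puts "before: #{dependency_entries(report, method(:format_vulnerability_before)).inspect}"
  puts "after:  #{dependency_entries(report, method(:format_vulnerability_after)).inspect}"
end
```

Running it prints nil names for the "before" formatter and the CVE names for the "after" formatter, matching the expectation stated in the validation steps.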
