Match Container Scanning SBOM components against new Operating System security advisories
What does this MR do and why?
Refactor AffectedVersionRangeMatcher class
Refactor AffectedVersionRangeMatcher class to work with Container Scanning advisories.
Changelog: added
EE: true
Fixes factory
Related to #426817 (closed)
Verification steps
Create a project with gl-sbom-report.cdx.json and make sure that the components are ingested. This SBOM was generated using hacks4oats/426817-debian-base-project.

```yaml
software_composition_analysis:
  image: busybox:1
  stage: test
  script:
    - echo 'Uploading CycloneDX SBOM reports'
    - find . -iname 'gl-sbom-*.cdx.json' -print
  artifacts:
    paths:
      - '**/gl-sbom-*.cdx.json'
    reports:
      cyclonedx: '**/gl-sbom-*.cdx.json'
```
Make sure that you have ingested the latest Alpine advisories. Query the advisory that corresponds to the squid base package. Run the following in the Rails console.
```ruby
advisory = PackageMetadata::Advisory.find_by(advisory_xid: 'CVE-2023-6174')
```

```shell
# This advisory was found doing the following
# 1. Find the latest advisory export for Debian by sorting in reverse order.
#    Since we use timestamps and sequences the `ls -r` trick works well here.
# 2. Filter the advisories out so that we only get unpatched advisories on Debian 10.
#    Debian 10 (buster) is no longer receiving security updates, so this provides
#    stability in terms of using an unpatched package. See https://endoflife.date/debian.
# 3. Pick any of the advisories from the result list. In this case, I chose a wireshark advisory.
➜ pm_advisories ls -1r v2/deb/*/*.ndjson | head -n1
v2/deb/1707123823/000000000.ndjson
➜ pm_advisories jq -s '[.[]] | map(select(.packages | any(.affected_range == "*" and .distro == "debian 10")))' v2/deb/1707123823/000000000.ndjson
```
Advisory:

```json
{
  "advisory": {
    "id": "CVE-2023-6174",
    "source": "trivy-db",
    "title": "wireshark: SSH dissector invalid read of memory blocks",
    "description": "SSH dissector crash in Wireshark 4.0.0 to 4.0.10 allows denial of service via packet injection or crafted capture file",
    "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
    "published_date": "2023-11-16 12:15:07.24 +0000 UTC",
    "urls": [
      "https://access.redhat.com/security/cve/CVE-2023-6174",
      "https://gitlab.com/wireshark/wireshark/-/issues/19369",
      "https://nvd.nist.gov/vuln/detail/CVE-2023-6174",
      "https://security.gentoo.org/glsa/202402-09",
      "https://www.cve.org/CVERecord?id=CVE-2023-6174",
      "https://www.debian.org/security/2023/dsa-5559",
      "https://www.wireshark.org/security/wnpa-sec-2023-28.html"
    ],
    "identifiers": [
      {
        "type": "cve",
        "name": "CVE-2023-6174",
        "value": "CVE-2023-6174",
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6174"
      },
      {
        "type": "cwe",
        "name": "CWE-74",
        "value": "74",
        "url": "https://cwe.mitre.org/data/definitions/74.html"
      },
      {
        "type": "cwe",
        "name": "CWE-125",
        "value": "125",
        "url": "https://cwe.mitre.org/data/definitions/125.html"
      }
    ]
  },
  "packages": [
    {
      "name": "wireshark",
      "purl_type": "deb",
      "affected_range": "<4.0.11-1~deb12u1",
      "fixed_versions": [
        "4.0.11-1~deb12u1"
      ],
      "distro": "debian 12"
    },
    {
      "name": "wireshark",
      "purl_type": "deb",
      "affected_range": "<4.0.11-1",
      "fixed_versions": [
        "4.0.11-1"
      ],
      "distro": "debian 13"
    },
    {
      "name": "wireshark",
      "purl_type": "deb",
      "affected_range": "*",
      "distro": "debian 10"
    }
  ]
}
```
Run a continuous scan for this advisory:

```ruby
Gitlab::EventStore.publish(
  PackageMetadata::IngestedAdvisoryEvent.new(data: { advisory_id: advisory.id }))
```
Verify that the continuous scan creates a vulnerability in the project.
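To make explicit what a matcher has to decide for a deb advisory like the one above, here is an added example that is not GitLab's AffectedVersionRangeMatcher: a dpkg-order version comparison (so that `~deb12u1` sorts below the plain revision) and a small matcher that checks an SBOM component against the advisory's `packages` array by name, `purl_type` and `distro`, treating `*` as "every version affected". The component hash shape, the helper names and the sample component are assumptions for this example.

```ruby
def digit?(c); c.to_s.between?('0', '9'); end
# dpkg weight of a non-digit char: end of string 0, '~' lowest of all, letters, then other punctuation.
def order(c)
  return 0 if c.nil? || digit?(c)
  c == '~' ? -1 : (c.match?(/[A-Za-z]/) ? c.ord : c.ord + 256)
end
# One upstream or revision fragment, as dpkg's verrevcmp does it: alternate non-digit and numeric runs.
def cmp_fragment(a, b)
  i = j = 0
  while i < a.size || j < b.size
    while (i < a.size && !digit?(a[i])) || (j < b.size && !digit?(b[j]))
      d = order(a[i]) - order(b[j])
      return d <=> 0 unless d.zero?
      i += 1; j += 1
    end
    i += 1 while a[i] == '0'
    j += 1 while b[j] == '0'
    first_diff = 0
    while digit?(a[i]) && digit?(b[j])
      first_diff = a[i].ord - b[j].ord if first_diff.zero?
      i += 1; j += 1
    end
    return 1 if digit?(a[i])
    return -1 if digit?(b[j])
    return first_diff <=> 0 unless first_diff.zero?
  end
  0
end
DEB_VERSION = /\A(?:(\d+):)?(.+?)(?:-([^-]*))?\z/ # [epoch:]upstream[-revision], revision after the last '-'
def deb_compare(a, b)
  ea, ua, ra = DEB_VERSION.match(a).captures
  eb, ub, rb = DEB_VERSION.match(b).captures
  return ea.to_i <=> eb.to_i unless ea.to_i == eb.to_i
  c = cmp_fragment(ua, ub)
  c.zero? ? cmp_fragment(ra.to_s, rb.to_s) : c
end
# '*' marks every version affected (no fix for that distro); '<X' means strictly below X in dpkg order.
def affected_by?(range, version)
  range == '*' || (range.start_with?('<') && deb_compare(version, range[1..]) < 0)
end
# Distros whose advisory entry covers the component (assumed hash keys: name, purl_type, version, distro).
def affected_distros(component, packages)
  packages.select { |p| p.values_at('name', 'purl_type', 'distro') == component.values_at(:name, :purl_type, :distro) }
          .select { |p| affected_by?(p['affected_range'], component[:version]) }.map { |p| p['distro'] }
end
# Two of the packages entries from CVE-2023-6174 above, plus a constructed Debian 12 SBOM component.
PACKAGES = [{ 'name' => 'wireshark', 'purl_type' => 'deb', 'affected_range' => '<4.0.11-1~deb12u1', 'distro' => 'debian 12' },
            { 'name' => 'wireshark', 'purl_type' => 'deb', 'affected_range' => '*', 'distro' => 'debian 10' }].freeze
COMPONENT = { name: 'wireshark', purl_type: 'deb', version: '4.0.6-1~deb12u1', distro: 'debian 12' }.freeze
```

`affected_distros(COMPONENT, PACKAGES)` yields `["debian 12"]`; the same component at the fixed version `4.0.11-1~deb12u1` yields `[]`, and any version on `debian 10` matches through the `*` range.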
Edited by Oscar Tovar