Skip to content

Update security report `details` field validator

Gal Katz requested to merge gkatz_update_details_validator into master

What does this MR do and why?

Updates vulnerability_finding_details.json to match the latest changes introduced in v15.1.2 - 15.1.4 of security-report-schemas.
those changes can be found here.
This change should fix https://gitlab.com/gitlab-org/gitlab/-/issues/472124+s

How to set up and validate locally

  1. Create a job that uploads a pre-defined gl-sast-report.json:
Modify the `.gitlab-ci.yml` file.
stages:
  - reproduce

repreduce:
  stage: reproduce
  script:
    - echo hello
  artifacts:
    access: 'developer'
    reports:
      sast: gl-sast-report.json
Add `gl-sast-report.json` to the root dir of the repo

This JSON complies with 15.1.4 of security-report-schemas.

{
  "version": "15.1.4",
  "vulnerabilities": [
    {
      "id": ":SKIP:",
      "category": "sast",
      "name": "Active debug code",
      "description": "hello",
      "cve": "gitlab-advanced-sast_id:python-flask-rule-app-debug-atomic:13:13",
      "severity": "Medium",
      "scanner": {
        "id": "gitlab-advanced-sast",
        "name": "GitLab Advanced SAST"
      },
      "location": {
        "file": "app/app.py",
        "start_line": 13
      },
      "identifiers": [
        {
          "type": "gitlab-advanced-sast_id",
          "name": "python-flask-rule-app-debug-atomic",
          "value": "python-flask-rule-app-debug-atomic"
        }
      ]
    },
    {
      "id": ":SKIP:",
      "category": "sast",
      "name": "hello",
      "cve": "gitlab-advanced-sast_id:python-lang-cmdi-system-call-taint:5:5",
      "severity": "Critical",
      "scanner": {
        "id": "gitlab-advanced-sast",
        "name": "GitLab Advanced SAST"
      },
      "location": {
        "file": "app/utils.py",
        "start_line": 5
      },
      "identifiers": [
        {
          "type": "gitlab-advanced-sast_id",
          "name": "python-lang-cmdi-system-call-taint",
          "value": "python-lang-cmdi-system-call-taint"
        }
      ],
      "tracking": {
        "type": "source",
        "items": [
          {
            "file": "app/utils.py",
            "line_start": 5,
            "line_end": 5,
            "signatures": [
              {
                "algorithm": "scope_offset",
                "value": "app/utils.py|process_input[0]:2"
              }
            ]
          }
        ]
      },
      "details": {
        "code_flows": {
          "items": [
            [
              {
                "file_location": {
                  "file_name": "app/app.py",
                  "line_end": 8,
                  "line_start": 8,
                  "type": "file-location"
                },
                "node_type": "source",
                "type": "code-flow-node"
              },
              {
                "file_location": {
                  "file_name": "app/app.py",
                  "line_end": 8,
                  "line_start": 8,
                  "type": "file-location"
                },
                "node_type": "propagation",
                "type": "code-flow-node"
              },
              {
                "file_location": {
                  "file_name": "app/app.py",
                  "line_end": 9,
                  "line_start": 9,
                  "type": "file-location"
                },
                "node_type": "propagation",
                "type": "code-flow-node"
              },
              {
                "file_location": {
                  "file_name": "app/utils.py",
                  "line_end": 4,
                  "line_start": 4,
                  "type": "file-location"
                },
                "node_type": "propagation",
                "type": "code-flow-node"
              },
              {
                "file_location": {
                  "file_name": "app/utils.py",
                  "line_end": 5,
                  "line_start": 5,
                  "type": "file-location"
                },
                "node_type": "sink",
                "type": "code-flow-node"
              }
            ]
          ],
          "name": "code_flows",
          "type": "code-flows"
        }

      }
    }
  ],

  "dependency_files": null,
  "scan": {
    "analyzer": {
      "id": "gitlab-advanced-sast",
      "name": "GitLab Advanced SAST",
      "url": "https://gitlab.com/gitlab-org/security-products/analyzers/gitlab-advanced-sast-src",
      "vendor": {
        "name": "GitLab"
      },
      "version": ":SKIP:"
    },
    "scanner": {
      "id": "gitlab-advanced-sast",
      "name": "GitLab Advanced SAST",
      "url": "https://gitlab.com",
      "vendor": {
        "name": "GitLab"
      },
      "version": ":SKIP:"
    },
    "type": "sast",
    "start_time": "1234-11-11T33:22:22",
    "end_time": "1234-11-11T33:22:22",
    "status": "success"
  }
}
  1. Run the pipeline.

  2. Make sure the ingestion successfully finished.

Related issue:

https://gitlab.com/gitlab-org/gitlab/-/issues/472124+s

Edited by Gal Katz

Merge request reports

Loading