
Add vulnerabilities as supported webhook events for updates

What does this MR do and why?

This MR adds support for Vulnerability webhook events, focusing specifically in this MR when Vulnerabilities are updated.

Related to Add vulnerabilities as supported webhook events (#366770)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings


JSON webhook event example:
{
  "object_kind": "vulnerability",
  "object_attributes": {
    "url": "http://gdk.test:3000/root/vulnerabilities-webhook-events/-/security/vulnerabilities/621",
    "title": "REXML DoS vulnerability",
    "state": "confirmed",
    "project_id": 50,
    "location": {
      "file": "Gemfile.lock",
      "dependency": {
        "package": {
          "name": "rexml"
        },
        "version": "3.3.1"
      }
    },
    "cvss": [
      {
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "vendor": "NVD"
      }
    ],
    "severity": "high",
    "severity_overridden": false,
    "identifiers": [
      {
        "name": "Gemnasium-29dce398-220a-4315-8c84-16cd8b6d9b05",
        "external_id": "29dce398-220a-4315-8c84-16cd8b6d9b05",
        "external_type": "gemnasium",
        "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/gem/rexml/CVE-2024-41123.yml"
      },
      {
        "name": "CVE-2024-41123",
        "external_id": "CVE-2024-41123",
        "external_type": "cve",
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41123"
      },
      {
        "name": "GHSA-r55c-59qm-vjw6",
        "external_id": "GHSA-r55c-59qm-vjw6",
        "external_type": "ghsa",
        "url": "https://github.com/advisories/GHSA-r55c-59qm-vjw6"
      }
    ],
    "report_type": "dependency_scanning",
    "confidence": "unknown",
    "confidence_overridden": false,
    "confirmed_at": "2024-12-09 01:51:59 UTC",
    "confirmed_by_id": 1,
    "dismissed_at": null,
    "dismissed_by_id": null,
    "resolved_on_default_branch": false,
    "created_at": "2024-11-26 07:10:16 UTC",
    "updated_at": "2024-12-09 01:51:59 UTC"
  }
}

How to set up and validate locally

Prep work

  1. Ensure you have Docker running on your machine.
  2. Run the following to start up an instance of request-baskets: docker run --pull always --rm -ti -p 1234:55555 darklynx/request-baskets
  3. In a new tab, visit http://localhost:1234/web, click 'Create' and then 'Open Basket'.
  4. Copy to your clipboard the URL shown in the message 'This basket is empty, send requests to http://localhost:1234/<basket> and they will appear here.'

GDK

  1. In a new tab, bring up your GDK, ensuring you have an EE license configured.
  2. Create a new Project, calling it vulnerabilities-webhook-events.
  3. Visit Settings > Webhooks and click 'Add a new webhook'.
  4. In the 'URL' field, enter the URL obtained from Prep work step 4.
  5. Scroll down until you see 'Vulnerability events' and check the box.
  6. Uncheck the 'Enable SSL verification' checkbox unless you have HTTPS configured for your GDK and click 'Add webhook'.
  7. From the Webhook list, click the 'Test' button and select 'Vulnerability events'.
  8. Go back to your 'request basket' tab and you should see an event in JSON format.
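The validation steps above send the event to request-baskets, which only displays it. The following is an added example, not code from this MR or from GitLab, of a small receiver that does what a consumer of this event would actually do: it checks the shared secret GitLab sends in the X-Gitlab-Token header with a constant-time comparison, validates the payload shape shown in the JSON example above, and reduces it to the fields worth routing (severity, state, affected package, CVE identifiers). The sample payload is a trimmed, constructed copy of the example JSON from this MR; the secret value, the required-field list and the 127.0.0.1:1234 bind address are assumptions for the example.

```python
# Added example (not part of the MR or GitLab): a receiver for GitLab
# vulnerability webhook events that checks the X-Gitlab-Token header,
# validates the payload and summarizes it for downstream routing.
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

# Hypothetical shared secret; load it from the environment in real use.
WEBHOOK_SECRET = "replace-me-with-the-secret-token-configured-in-gitlab"

# Keys we insist on before acting on an event (assumption for this example).
REQUIRED_ATTRIBUTES = ("url", "title", "state", "severity", "project_id", "identifiers")

# Constructed sample, trimmed from the example payload in the MR description.
SAMPLE_EVENT = {
    "object_kind": "vulnerability",
    "object_attributes": {
        "url": "http://gdk.test:3000/root/vulnerabilities-webhook-events/-/security/vulnerabilities/621",
        "title": "REXML DoS vulnerability",
        "state": "confirmed",
        "project_id": 50,
        "location": {
            "file": "Gemfile.lock",
            "dependency": {"package": {"name": "rexml"}, "version": "3.3.1"},
        },
        "severity": "high",
        "severity_overridden": False,
        "identifiers": [
            {"name": "CVE-2024-41123", "external_id": "CVE-2024-41123", "external_type": "cve",
             "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41123"},
            {"name": "GHSA-r55c-59qm-vjw6", "external_id": "GHSA-r55c-59qm-vjw6", "external_type": "ghsa",
             "url": "https://github.com/advisories/GHSA-r55c-59qm-vjw6"},
        ],
        "report_type": "dependency_scanning",
        "updated_at": "2024-12-09 01:51:59 UTC",
    },
}


def token_is_valid(presented: Optional[str], expected: str = WEBHOOK_SECRET) -> bool:
    """Constant-time comparison of the X-Gitlab-Token header against the configured secret."""
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


def summarize_vulnerability_event(event: dict) -> dict:
    """Validate a vulnerability event and return the fields worth routing.

    Raises ValueError for anything that is not a well-formed vulnerability event,
    so a malformed or unexpected payload is rejected instead of partially processed.
    """
    if event.get("object_kind") != "vulnerability":
        raise ValueError(f"unexpected object_kind: {event.get('object_kind')!r}")
    attrs = event.get("object_attributes")
    if not isinstance(attrs, dict):
        raise ValueError("object_attributes missing")
    missing = [k for k in REQUIRED_ATTRIBUTES if k not in attrs]
    if missing:
        raise ValueError(f"object_attributes missing keys: {missing}")

    # Keep only CVE identifiers; gemnasium and GHSA ids stay in the raw event.
    cves = sorted(i["external_id"] for i in attrs["identifiers"] if i.get("external_type") == "cve")
    dependency = attrs.get("location", {}).get("dependency", {})
    return {
        "project_id": attrs["project_id"],
        "title": attrs["title"],
        "state": attrs["state"],
        "severity": attrs["severity"],
        "report_type": attrs.get("report_type"),
        "package": dependency.get("package", {}).get("name"),
        "version": dependency.get("version"),
        "cves": cves,
        "url": attrs["url"],
    }


class VulnerabilityHookHandler(BaseHTTPRequestHandler):
    """Accepts POSTed vulnerability events only after the token check passes."""

    def do_POST(self):
        if not token_is_valid(self.headers.get("X-Gitlab-Token")):
            self.send_response(401)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", "0"))
        try:
            summary = summarize_vulnerability_event(json.loads(self.rfile.read(length)))
        except ValueError:  # json.JSONDecodeError is a ValueError subclass
            self.send_response(400)
            self.end_headers()
            return
        print(json.dumps(summary))  # stand-in for forwarding to a ticketing system or SIEM
        self.send_response(200)
        self.end_headers()


if __name__ == "__main__":
    # Local receiver usable in place of request-baskets in the validation steps above.
    HTTPServer(("127.0.0.1", 1234), VulnerabilityHookHandler).serve_forever()
```

Because the secret is compared with hmac.compare_digest, a wrong token takes the same time to reject regardless of how many leading characters match, and an event whose object_kind is anything other than vulnerability, or whose object_attributes lack the required keys, is answered with 400 rather than acted on.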
Edited by Ash McKenzie
