Skip to content

Implement override_uuids! for Security Reports

rossfuhrman requested to merge implement_override_uuids into master

What does this MR do?

This is the next part of https://gitlab.com/gitlab-org/gitlab/-/issues/336149

Implement override_uuids! for Security Reports. Re-assign UUIDs for the security findings based on existing vulnerability finding

Database review

The new SQL query introduced by this MR;

::Vulnerabilities::FindingSignature.by_signature_sha(finding_signature_shas).by_project(pipeline.project).eager_load_finding.index_by(&:signature_sha)
SELECT
    "vulnerability_finding_signatures"."id" AS t0_r0,
    "vulnerability_finding_signatures"."finding_id" AS t0_r1,
    "vulnerability_finding_signatures"."created_at" AS t0_r2,
    "vulnerability_finding_signatures"."updated_at" AS t0_r3,
    "vulnerability_finding_signatures"."algorithm_type" AS t0_r4,
    "vulnerability_finding_signatures"."signature_sha" AS t0_r5,
    "vulnerability_occurrences"."id" AS t1_r0,
    "vulnerability_occurrences"."created_at" AS t1_r1,
    "vulnerability_occurrences"."updated_at" AS t1_r2,
    "vulnerability_occurrences"."severity" AS t1_r3,
    "vulnerability_occurrences"."confidence" AS t1_r4,
    "vulnerability_occurrences"."report_type" AS t1_r5,
    "vulnerability_occurrences"."project_id" AS t1_r6,
    "vulnerability_occurrences"."scanner_id" AS t1_r7,
    "vulnerability_occurrences"."primary_identifier_id" AS t1_r8,
    "vulnerability_occurrences"."project_fingerprint" AS t1_r9,
    "vulnerability_occurrences"."location_fingerprint" AS t1_r10,
    "vulnerability_occurrences"."uuid" AS t1_r11,
    "vulnerability_occurrences"."name" AS t1_r12,
    "vulnerability_occurrences"."metadata_version" AS t1_r13,
    "vulnerability_occurrences"."raw_metadata" AS t1_r14,
    "vulnerability_occurrences"."vulnerability_id" AS t1_r15,
    "vulnerability_occurrences"."details" AS t1_r16,
    "vulnerability_occurrences"."description" AS t1_r17,
    "vulnerability_occurrences"."message" AS t1_r18,
    "vulnerability_occurrences"."solution" AS t1_r19,
    "vulnerability_occurrences"."cve" AS t1_r20,
    "vulnerability_occurrences"."location" AS t1_r21,
    "vulnerability_occurrences"."detection_method" AS t1_r22
FROM
    "vulnerability_finding_signatures"
    INNER JOIN "vulnerability_occurrences" ON "vulnerability_occurrences"."id" = "vulnerability_finding_signatures"."finding_id"
WHERE
    "vulnerability_finding_signatures"."signature_sha" = '\x33353661313932623739313362303463353435373464313863323864343665363339353432386162'
    AND "vulnerability_occurrences"."project_id" = 37
Nested Loop  (cost=0.98..1347.57 rows=1 width=1690) (actual time=13.171..13.173 rows=0 loops=1)
   Buffers: shared read=4
   I/O Timings: read=13.129 write=0.000
   ->  Index Scan using tmp_idx_deduplicate_vulnerability_occurrences on public.vulnerability_occurrences  (cost=0.56..419.20 rows=287 width=1635) (actual time=13.170..13.170 rows=0 loops=1)
         Index Cond: (vulnerability_occurrences.project_id = 37)
         Buffers: shared read=4
         I/O Timings: read=13.129 write=0.000
   ->  Index Scan using index_vulnerability_finding_signatures_on_finding_id on public.vulnerability_finding_signatures  (cost=0.42..3.23 rows=1 width=55) (actual time=0.000..0.000 rows=0 loops=0)
         Index Cond: (vulnerability_finding_signatures.finding_id = vulnerability_occurrences.id)
         Filter: (vulnerability_finding_signatures.signature_sha = '\x33353661313932623739313362303463353435373464313863323864343665363339353432386162'::bytea)
         Rows Removed by Filter: 0
         I/O Timings: read=0.000 write=0.000

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

-->

Security

Does this MR contain changes to processing or storing of credentials or tokens, authorization and authentication methods or other items described in the security review guidelines? If not, then delete this Security section.

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Mehmet Emin INAC

Merge request reports

Loading