
Make starboard_vulnerability API ingest the same data structures as security reports

Brian Williams requested to merge bwill/vulnerability-report-parity into master

What does this MR do and why?

Based on feedback received in gitlab-org/cluster-integration/gitlab-agent!494 (comment 679617761), the data structures of this API should be consistent with that of the security report schemas implemented in gitlab-org/security-products/security-report-schemas!83 (merged). This MR updates the API request body to achieve consistency.

  • The location hash now includes all the fields, including those which are required.
  • vendor has been changed to vendor.name in order to match the existing schema.

This is a non-breaking change because this endpoint is part of the internal API and the only client for this API is not yet implemented. (The client is being implemented in gitlab-org/cluster-integration/gitlab-agent!494 (merged))

How to set up and validate locally

  1. Create a new KAS JWT using the Rails console:

    JWT.encode({ 'iss' => Gitlab::Kas::JWT_ISSUER }, Gitlab::Kas.secret, 'HS256')

  2. Create a new GitLab project.

  3. Create a new agent:

    # project is the project created in step 2
    agent = Clusters::Agent.new(project_id: project.id, created_by_user: User.find(1), name: "test-agent")
    agent.save!

  4. Create a new agent token and retrieve its value:

    token = Clusters::AgentToken.new(agent: agent, created_by_user: User.find(1), name: "test-agent-token")
    token.save!
    token.token

  5. Send the API request:

    curl --request PUT --include \
         --header "Gitlab-Kas-Api-Request: $KAS_JWT" \
         --header "Authorization: Bearer $AGENT_TOKEN" --header "Content-Type: application/json" \
         --url "http://localhost:3000/api/v4/internal/kubernetes/modules/starboard_vulnerability" \
         --data '{
       "vulnerability": {
         "name": "CVE-123-4567 in libc",
         "severity": "high",
         "confidence": "unknown",
         "location": {
           "image": "index.docker.io/library/nginx:latest",
           "kubernetes_resource": {
             "namespace": "production",
             "kind": "deployment",
             "name": "nginx",
             "container_name": "nginx",
             "agent_id": "2"
           },
           "dependency": {
             "package": {
               "name": "libc"
             },
             "version": "v1.2.3"
           }
         },
         "identifiers": [
           {
             "type": "cve",
             "name": "CVE-123-4567",
             "value": "CVE-123-4567"
           }
         ]
       },
       "scanner": {
         "id": "starboard_trivy",
         "name": "Trivy (via Starboard Operator)",
         "vendor": {
           "name": "GitLab"
         }
       }
     }'
  6. The vulnerability now exists on your project (not currently visible on the vulnerability report due to #339730 (closed)):

    Project.find(id).vulnerabilities
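As an added example (not code from this MR or from the GitLab code base), the following Ruby module builds a request body in the shape the curl request above uses and checks it for the keys that request carries, including that `scanner.vendor` is an object with a `name` key rather than the bare string the previous version of the API accepted. The list of required keys is an assumption taken from the example request; it is not the endpoint's own validation logic.

```ruby
require 'json'

# Builds and checks a starboard_vulnerability request body in the shape used by
# the example curl request: the location hash carries image, kubernetes_resource
# and dependency, and the scanner vendor is nested as { "name" => ... }.
module StarboardVulnerabilityPayload
  # Assumption for this example: every key present in the MR's example request is
  # treated as required. This mirrors the example, not the endpoint's contract.
  REQUIRED = {
    %w[vulnerability name] => String,
    %w[vulnerability severity] => String,
    %w[vulnerability confidence] => String,
    %w[vulnerability location image] => String,
    %w[vulnerability location kubernetes_resource namespace] => String,
    %w[vulnerability location kubernetes_resource kind] => String,
    %w[vulnerability location kubernetes_resource name] => String,
    %w[vulnerability location kubernetes_resource container_name] => String,
    %w[vulnerability location kubernetes_resource agent_id] => String,
    %w[vulnerability location dependency package name] => String,
    %w[vulnerability location dependency version] => String,
    %w[vulnerability identifiers] => Array,
    %w[scanner id] => String,
    %w[scanner name] => String,
    %w[scanner vendor name] => String
  }.freeze

  # Assemble a body with the structure introduced by this MR.
  def self.build(name:, severity:, cve:, image:, resource:, package:, version:, agent_id:)
    {
      'vulnerability' => {
        'name' => name,
        'severity' => severity,
        'confidence' => 'unknown',
        'location' => {
          'image' => image,
          # agent_id is sent as a string, as in the example request
          'kubernetes_resource' => resource.merge('agent_id' => agent_id.to_s),
          'dependency' => { 'package' => { 'name' => package }, 'version' => version }
        },
        'identifiers' => [{ 'type' => 'cve', 'name' => cve, 'value' => cve }]
      },
      'scanner' => {
        'id' => 'starboard_trivy',
        'name' => 'Trivy (via Starboard Operator)',
        'vendor' => { 'name' => 'GitLab' }
      }
    }
  end

  # Return a list of problems; an empty list means the body has the expected shape.
  # Walking with reduce (rather than Hash#dig) lets a non-hash intermediate value,
  # such as a bare "vendor" string, show up as a missing nested key instead of raising.
  def self.validate(body)
    REQUIRED.each_with_object([]) do |(path, type), errors|
      value = path.reduce(body) { |node, key| node.is_a?(Hash) ? node[key] : nil }
      if value.nil?
        errors << "missing #{path.join('.')}"
      elsif !value.is_a?(type)
        errors << "#{path.join('.')} should be #{type}, got #{value.class}"
      end
    end
  end

  # Deep copy of a body with the vendor flattened to the pre-MR string form,
  # useful for showing what the old shape looks like to the validator.
  def self.legacy_vendor_form(body)
    copy = JSON.parse(JSON.generate(body))
    copy['scanner']['vendor'] = copy['scanner']['vendor']['name']
    copy
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample matching the MR's curl request
  body = StarboardVulnerabilityPayload.build(
    name: 'CVE-123-4567 in libc', severity: 'high', cve: 'CVE-123-4567',
    image: 'index.docker.io/library/nginx:latest',
    resource: { 'namespace' => 'production', 'kind' => 'deployment',
                'name' => 'nginx', 'container_name' => 'nginx' },
    package: 'libc', version: 'v1.2.3', agent_id: 2
  )
  puts JSON.pretty_generate(body)
  puts "errors (new shape): #{StarboardVulnerabilityPayload.validate(body).inspect}"
  legacy = StarboardVulnerabilityPayload.legacy_vendor_form(body)
  puts "errors (old vendor string): #{StarboardVulnerabilityPayload.validate(legacy).inspect}"
end
```

The `validate` output for the old shape reports `scanner.vendor.name` as missing, which is the one structural difference the bullet list above calls out; the `build` output can be fed straight to the `--data` argument of the curl request in step 5.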
