Add cluster_id filtering for vulnerabilities GraphQL query
What does this MR do and why?
Addresses #337926 (closed)
This MR adds a `cluster_id` filter to the `vulnerabilities` GraphQL query.
Database analysis
A GIN index already exists on the `vulnerability_occurrences` table for the `cluster_id` field inside the `location` column; it was introduced in !72882 (merged).
```sql
SELECT
  *
FROM
  vulnerabilities
  INNER JOIN vulnerability_occurrences
    ON vulnerability_occurrences.vulnerability_id = vulnerabilities.id
WHERE
  vulnerabilities.project_id = 27958807
  AND vulnerability_occurrences.report_type = 7
  AND (
    vulnerability_occurrences.location -> 'cluster_id' ?| array['153813']
  )
ORDER BY
  vulnerabilities.severity DESC,
  vulnerabilities.id DESC
LIMIT 100;
```
Query Performance: console.postgres.ai
EXPLAIN result

```
Limit (cost=18.33..18.34 rows=1 width=1971) (actual time=0.635..0.637 rows=0 loops=1)
  Buffers: shared hit=7 read=1
  I/O Timings: read=0.082 write=0.000
  -> Sort (cost=18.33..18.34 rows=1 width=1971) (actual time=0.633..0.635 rows=0 loops=1)
       Sort Key: vulnerabilities.severity DESC, vulnerabilities.id DESC
       Sort Method: quicksort Memory: 25kB
       Buffers: shared hit=7 read=1
       I/O Timings: read=0.082 write=0.000
       -> Nested Loop (cost=3.56..18.32 rows=1 width=1971) (actual time=0.473..0.474 rows=0 loops=1)
            Buffers: shared hit=1 read=1
            I/O Timings: read=0.082 write=0.000
            -> Bitmap Heap Scan on public.vulnerability_occurrences (cost=3.00..7.56 rows=3 width=1646) (actual time=0.471..0.472 rows=0 loops=1)
                 Buffers: shared hit=1 read=1
                 I/O Timings: read=0.082 write=0.000
                 -> Bitmap Index Scan using index_vulnerability_occurrences_on_location_cluster_id (cost=0.00..3.00 rows=3 width=0) (actual time=0.417..0.418 rows=0 loops=1)
                      Index Cond: ((vulnerability_occurrences.location -> 'cluster_id'::text) ?| '{153813}'::text[])
                      Buffers: shared hit=1 read=1
                      I/O Timings: read=0.082 write=0.000
            -> Index Scan using vulnerabilities_pkey on public.vulnerabilities (cost=0.56..3.58 rows=1 width=315) (actual time=0.000..0.000 rows=0 loops=0)
                 Index Cond: (vulnerabilities.id = vulnerability_occurrences.vulnerability_id)
                 Filter: (vulnerabilities.project_id = 27958807)
                 Rows Removed by Filter: 0
                 I/O Timings: read=0.000 write=0.000
```
Screenshots or screen recordings
With existing cluster id
With non-existing cluster id
GraphQL query

```graphql
query {
  project(fullPath: "root/test-kas") {
    vulnerabilities(clusterId: ["gid://gitlab/Clusters::Cluster/1"]) {
      nodes {
        id
        title
      }
    }
  }
}
```
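The SQL above filters on `location -> 'cluster_id' ?| array[...]`, and the GraphQL query feeds it `Clusters::Cluster` global ids. The following is an added example, not code from this MR or from GitLab, that shows the two halves of that path: mapping global ids to the raw ids the report stores, building the filter as a parameterised statement (psycopg-style `%s` placeholders are assumed), and an in-memory equivalent of the `?|` match run over a constructed report. The regex, function names and sample findings are assumptions; one caveat it makes visible is that `?|` compares strings, so the ids must stay text to match the `"cluster_id": "1"` the report stores.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample shaped like the report above, reduced to the fields the filter
# reads; note cluster_id is a JSON *string* inside `location`.
SAMPLE_REPORT = {"vulnerabilities": [
    {"message": "CVE-2017-18269 in glibc", "location": {"cluster_id": "1"}},
    {"message": "CVE-2017-16997 in glibc", "location": {"cluster_id": "1"}},
    {"message": "constructed finding on another cluster", "location": {"cluster_id": "2"}},
    {"message": "constructed finding with no cluster", "location": {}},
]}

# Hypothetical pattern: only Clusters::Cluster global ids are accepted by this filter.
CLUSTER_GID = re.compile(r"^gid://gitlab/Clusters::Cluster/(\d+)$")


def cluster_ids_from_gids(gids: Iterable[str]) -> List[str]:
    """Map GraphQL global ids to the raw ids stored in location->'cluster_id'.
    Ids stay text: jsonb ?| compares strings, so numeric 1 would never match "1"."""
    ids = []
    for gid in gids:
        match = CLUSTER_GID.match(gid)
        if match is None:  # reject foreign object types instead of passing them on
            raise ValueError("not a Clusters::Cluster global id: %r" % gid)
        ids.append(match.group(1))
    return ids


def build_query(project_id: int, cluster_ids: List[str]):
    """Parameterised form of the MR's SQL: the id list is bound as a text[]
    parameter for ?| instead of being interpolated into the statement."""
    sql = ("SELECT vulnerabilities.* FROM vulnerabilities "
           "INNER JOIN vulnerability_occurrences "
           "ON vulnerability_occurrences.vulnerability_id = vulnerabilities.id "
           "WHERE vulnerabilities.project_id = %s "
           "AND vulnerability_occurrences.report_type = 7 "
           "AND vulnerability_occurrences.location -> 'cluster_id' ?| %s "
           "ORDER BY vulnerabilities.severity DESC, vulnerabilities.id DESC LIMIT 100")
    return sql, (project_id, cluster_ids)


def matches_any_cluster(finding: Dict, cluster_ids: List[str]) -> bool:
    """In-memory equivalent of `location -> 'cluster_id' ?| array[...]`: a scalar
    string matches when it equals any array element; a missing key never matches."""
    value = finding.get("location", {}).get("cluster_id")
    return isinstance(value, str) and value in cluster_ids


def filter_report(report: Dict, gids: Iterable[str]) -> List[str]:
    """Messages of the findings that belong to any of the requested clusters."""
    ids = cluster_ids_from_gids(gids)
    return [f["message"] for f in report["vulnerabilities"] if matches_any_cluster(f, ids)]
```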
How to set up and validate locally
- Set up Cluster Image Scanning following the documentation. Setting up a Kubernetes cluster for this is difficult, so the easier way to test is to add this stage to the project's `.gitlab-ci.yml`:

```yaml
cluster_image_scanning:
  stage: test
  artifacts:
    reports:
      cluster_image_scanning: gl-cluster-image-scanning-report.json
    paths: [gl-cluster-image-scanning-report.json]
  script:
    # Fetch the sample report committed to the project and save it under the
    # file name the artifacts section above expects.
    - wget http://gdk.test:3000/{project_path}/-/raw/main/gl-cluster-image-scanning-report.json -O gl-cluster-image-scanning-report.json
```
and add this JSON content to a file named `gl-cluster-image-scanning-report.json` at the root of the project:

```json
{
  "version": "2.3",
  "vulnerabilities": [
    {
      "category": "cluster_image_scanning",
      "message": "CVE-2017-18269 in glibc",
      "description": "An SSE2-optimized memmove implementation for i386 in sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S in the GNU C Library (aka glibc or libc6) 2.21 through 2.27 does not correctly perform the overlapping memory check if the source memory range spans the middle of the address space, resulting in corrupt data being produced by the copy operation. This may disclose information to context-dependent attackers, or result in a denial of service, or, possibly, code execution.",
      "cve": "debian:9:glibc:CVE-2017-18269",
      "severity": "Critical",
      "confidence": "Unknown",
      "solution": "Upgrade glibc from 2.24-11+deb9u3 to 2.24-11+deb9u4",
      "scanner": {
        "id": "starboard",
        "name": "Starboard"
      },
      "location": {
        "dependency": {
          "package": {
            "name": "glibc"
          },
          "version": "2.24-11+deb9u3"
        },
        "operating_system": "debian:9",
        "image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e",
        "cluster_id": "1"
      },
      "identifiers": [
        {
          "type": "cve",
          "name": "CVE-2017-18269",
          "value": "CVE-2017-18269",
          "url": "https://security-tracker.debian.org/tracker/CVE-2017-18269"
        }
      ],
      "links": [
        {
          "url": "https://security-tracker.debian.org/tracker/CVE-2017-18269"
        }
      ]
    },
    {
      "category": "cluster_image_scanning",
      "message": "CVE-2017-16997 in glibc",
      "description": "elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the \"./\" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.",
      "cve": "debian:9:glibc:CVE-2017-16997",
      "severity": "Critical",
      "confidence": "Unknown",
      "solution": "Upgrade glibc from 2.24-11+deb9u3 to 2.24-11+deb9u4",
      "scanner": {
        "id": "starboard",
        "name": "Starboard"
      },
      "location": {
        "dependency": {
          "package": {
            "name": "glibc"
          },
          "version": "2.24-11+deb9u3"
        },
        "operating_system": "debian:9",
        "image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e",
        "cluster_id": "1"
      },
      "identifiers": [
        {
          "type": "cve",
          "name": "CVE-2017-16997",
          "value": "CVE-2017-16997",
          "url": "https://security-tracker.debian.org/tracker/CVE-2017-16997"
        }
      ],
      "links": [
        {
          "url": "https://security-tracker.debian.org/tracker/CVE-2017-16997"
        }
      ]
    }
  ],
  "remediations": [],
  "scan": {
    "scanner": {
      "id": "starboard",
      "name": "Starboard",
      "url": "https://github.com/aquasecurity/starboard",
      "vendor": {
        "name": "GitLab"
      },
      "version": "0.10.0"
    },
    "type": "cluster_image_scanning",
    "status": "success"
  }
}
```
This injects the sample report artifact that the actual analyzer would produce when run on a Kubernetes cluster.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.