Make secondary identifiers match for finding
What does this MR do and why?
This MR allows semgrep findings to take over findings for existing analyzers. This is being done in support of deprecating some Static Analysis analyzers.
Issue: #328062 (closed)
This started as a proof-of-concept for #353271 (closed)
Feature Flag: update_vuln_identifiers_flag
Database Timings
- Vulnerability Finding select for records to not take over, NOT scoped to project -> https://postgres.ai/console/gitlab/gitlab-production-tunnel-pg12/sessions/10534/commands/37839
- Vulnerability Finding select for records to not take over, scoped to project (currently implemented) -> https://postgres.ai/console/gitlab/gitlab-production-tunnel-pg12/sessions/10530/commands/37821
- Vulnerability Finding select -> https://postgres.ai/console/gitlab/gitlab-production-tunnel-pg12/sessions/10031/commands/35537
- Vulnerability Finding update ⟶ https://console.postgres.ai/gitlab/gitlab-production-tunnel-pg12/sessions/10003/commands/35439
- Vulnerability Reads select -> https://postgres.ai/console/gitlab/gitlab-production-tunnel-pg12/sessions/10031/commands/35540
- Vulnerability Reads update ⟶ https://console.postgres.ai/gitlab/gitlab-production-tunnel-pg12/sessions/10003/commands/35443
- Vulnerability Feedback select -> https://postgres.ai/console/gitlab/gitlab-production-tunnel-pg12/sessions/10031/commands/35538
- Vulnerability Feedback select after adding index on feedback_uuid -> https://postgres.ai/console/gitlab/gitlab-production-tunnel-pg12/sessions/10031/commands/35542
- Vulnerability Feedback select after adding latest index on feedback_uuid -> https://postgres.ai/console/gitlab/gitlab-production-tunnel-pg12/sessions/10040/commands/35586
- Vulnerability Feedback update ⟶ https://console.postgres.ai/gitlab/gitlab-production-tunnel-pg12/sessions/10003/commands/35444j
Demo
https://drive.google.com/file/d/1F2J1Xjti_rm48gksU9-lg39kwatCSEX0/view?usp=sharing
This is a QuickTime video internal to GitLab. I would suggest View -> Playback Speed -> Double to speed up my ummms and awkward pauses.
How to set up and validate locally
- In the Rails console, enable the feature flag: Feature.enable(:update_vuln_identifiers_flag)
- Import this project locally: https://gitlab.com/rossfuhrman/insecure
- Run a Pipeline against the main (default) branch
- Edit the .gitlab-ci.yml on the main branch and remove semgrep from SAST_EXCLUDED_ANALYZERS
- Ensure another pipeline runs on the main branch
- Notice that previous vulnerabilities are now reported as semgrep vulnerabilities.
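The take-over described above, as an added illustration that is not GitLab's code: plain Ruby structs stand in for the finding and identifier models, the sample findings and the identifier layout (semgrep rule id first, the replaced analyzer's rule id as a secondary identifier) are constructed assumptions, and the project scoping mirrors the "scoped to project" select listed under Database Timings.

```ruby
# Illustrative model of semgrep findings taking over findings from analyzers being
# deprecated. Not GitLab's implementation; constructed sample data throughout.
Identifier = Struct.new(:external_type, :external_id, keyword_init: true)
Finding    = Struct.new(:uuid, :scanner, :project_id, :identifiers, keyword_init: true)

# Existing findings reported by analyzers slated for deprecation (constructed).
EXISTING = [
  Finding.new(uuid: "aaa", scanner: "bandit", project_id: 1,
              identifiers: [Identifier.new(external_type: "bandit_test_id", external_id: "B506")]),
  Finding.new(uuid: "bbb", scanner: "eslint", project_id: 1,
              identifiers: [Identifier.new(external_type: "eslint_rule_id", external_id: "no-eval")]),
  # Same rule id but a different project: must NOT be taken over (select is project-scoped).
  Finding.new(uuid: "ccc", scanner: "bandit", project_id: 2,
              identifiers: [Identifier.new(external_type: "bandit_test_id", external_id: "B506")])
]

# New semgrep finding (constructed): primary identifier is the semgrep rule, the secondary
# identifier repeats the bandit rule id so the two findings can be matched.
SEMGREP = Finding.new(uuid: "ddd", scanner: "semgrep", project_id: 1,
  identifiers: [Identifier.new(external_type: "semgrep_id", external_id: "bandit.B506"),
                Identifier.new(external_type: "bandit_test_id", external_id: "B506")])

def identifier_key(identifier)
  [identifier.external_type, identifier.external_id]
end

# Existing findings the semgrep finding may take over: same project, a different
# scanner, and at least one of semgrep's secondary identifiers matching the finding.
def takeover_candidates(semgrep_finding, existing)
  secondary = semgrep_finding.identifiers.drop(1).map { |i| identifier_key(i) }
  existing.select do |f|
    f.project_id == semgrep_finding.project_id &&
      f.scanner != semgrep_finding.scanner &&
      f.identifiers.any? { |i| secondary.include?(identifier_key(i)) }
  end
end

# Take over: the existing record keeps its uuid but is re-attributed to semgrep and
# receives semgrep's identifiers. Returns updated copies instead of issuing UPDATEs.
def take_over(semgrep_finding, existing)
  takeover_candidates(semgrep_finding, existing).map do |f|
    Finding.new(uuid: f.uuid, scanner: semgrep_finding.scanner, project_id: f.project_id,
                identifiers: semgrep_finding.identifiers)
  end
end
```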
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by rossfuhrman