Add scan.analyzer to describe the analyzer running the scan

Cameron Swords requested to merge add-scan-analyzer into master

What does this MR do?

As discussed in https://gitlab.com/gitlab-data/analytics/-/issues/8780#note_568943705, it would be of benefit to add the version of the analyzer to the JSON report.

This resolves issue gitlab-org/gitlab#235393 (closed) and will allow the information to be tracked as part of gitlab-org/gitlab#329157 (closed).

Proposal

Proposes to add the following fields:

  • scan.analyzer.id, representing the ID of an analyzer (e.g. dast)
  • scan.analyzer.name, representing the name of an analyzer (e.g. GitLab DAST)
  • scan.analyzer.version, representing the version of an analyzer (e.g. 1.34.0)
  • scan.analyzer.url, representing the URL where more information about an analyzer can be found
  • scan.analyzer.vendor.name, representing the name of the vendor (e.g. GitLab)

An example of what this looks like:

"scan": {
  "analyzer": {
    "id": "gitlab-dast",
    "name": "GitLab DAST",
    "url": "https://docs.gitlab.com/ee/user/application_security/dast/",
    "version": "1.50.0",
    "vendor": {
      "name": "GitLab"
    }
  }
}

Differences between scan.analyzer and scan.scanner

This MR proposes that scan.analyzer be used to describe the Docker image/process running the scan. If the process delegates to an underlying scanner, this can be described using scan.scanner.

It is likely that many third-party tools do not use an underlying scanner; as such, it may be in our interests to make scan.scanner optional. This hasn't been done in this MR; happy to hear feedback on the idea.

scan.analyzer is optional given that we're trying to make all additions to the schema ADDITION changes; however, there is a good case to make this required in future.

Issues with scan.scanner

scan.scanner contains the vendor field. This is currently used incorrectly (by DAST, at least). For example, the following snippet is what DAST produces for scan.scanner in the JSON report. You can see that the vendor, GitLab, is not actually the vendor of the scanner, ZAP. Ideally, scan.scanner.vendor should be deprecated and replaced with scan.analyzer.vendor. This would be a MODEL change. As a transitional step, this MR proposes adding scan.analyzer.vendor so that scan.scanner.vendor can eventually represent the scanner vendor.

"scan": {
  "scanner": {
    "id": "zaproxy",
    "name": "OWASP Zed Attack Proxy (ZAP)",
    "url": "https://www.zaproxy.org",
    "version": "D-2020-08-26",
    "vendor": {
      "name": "GitLab"
    }
  }
}
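As an added example, not part of this MR or of the security-report-schemas project, a small Python lint that reads a report's scan block, checks the scan.analyzer fields proposed above (treating scan.analyzer as optional and scan.scanner as required, matching this MR), and flags the vendor misuse shown in the DAST snippet. The same-vendor heuristic is an assumption of this example, not a rule from the schema; the sample report is constructed from the two snippets on this page.

```python
from typing import Any, Dict, List

# Fields this MR proposes for scan.analyzer; vendor.name is nested and checked separately.
ANALYZER_FIELDS = ("id", "name", "version", "url")

# Constructed sample report: scan.analyzer as proposed above, scan.scanner as DAST
# emits it today (its vendor is "GitLab", the analyzer's vendor, not ZAP's).
SAMPLE_REPORT: Dict[str, Any] = {
    "scan": {
        "analyzer": {
            "id": "gitlab-dast",
            "name": "GitLab DAST",
            "url": "https://docs.gitlab.com/ee/user/application_security/dast/",
            "version": "1.50.0",
            "vendor": {"name": "GitLab"},
        },
        "scanner": {
            "id": "zaproxy",
            "name": "OWASP Zed Attack Proxy (ZAP)",
            "url": "https://www.zaproxy.org",
            "version": "D-2020-08-26",
            "vendor": {"name": "GitLab"},
        },
    }
}


def vendor_name(block: Dict[str, Any]) -> str:
    # Returns block.vendor.name, or "" when the vendor object or its name is absent.
    return (block.get("vendor") or {}).get("name", "")


def check_scan_block(report: Dict[str, Any]) -> List[str]:
    """Lint scan.analyzer / scan.scanner; analyzer is optional here, scanner is not."""
    findings: List[str] = []
    scan = report.get("scan") or {}
    scanner, analyzer = scan.get("scanner"), scan.get("analyzer")
    if scanner is None:
        findings.append("error: scan.scanner is missing")
    if analyzer is None:
        findings.append("warning: scan.analyzer absent; analyzer version cannot be tracked")
        return findings
    for field in ANALYZER_FIELDS:
        if not analyzer.get(field):
            findings.append(f"error: scan.analyzer.{field} is missing or empty")
    if not vendor_name(analyzer):
        findings.append("error: scan.analyzer.vendor.name is missing or empty")
    # Assumed heuristic: two different tools sharing one vendor suggests scan.scanner.vendor
    # carries the analyzer's vendor rather than the scanner's, as in the DAST snippet above.
    if scanner and scanner.get("id") != analyzer.get("id") and vendor_name(scanner) == vendor_name(analyzer):
        findings.append("warning: scan.scanner.vendor.name equals scan.analyzer.vendor.name")
    return findings
```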

How to get the version for output in the JSON report?

DAST retrieves the version at runtime in system.py. Similarly, Browserker embeds the version while building the analyzer in the Dockerfile.

Availability and Testing

  • Review and add/update tests for this feature/bug

Edited by Cameron Swords