Merge branch 'bwill/vulnerability-report-parity' into 'master'

Make starboard_vulnerability API ingest the same data structures as security reports See merge request gitlab-org/gitlab!71066

Merge branch 'bwill/vulnerability-report-parity' into 'master'
Make starboard_vulnerability API ingest the same data structures as security reports See merge request gitlab-org/gitlab!71066
1e87d6d4 · Rémy Coutable · f2053ebd · f5a3bca6 · 1e87d6d4 · 1e87d6d4
Commit 1e87d6d4 authored Nov 02, 2021 by Rémy Coutable
5 changed files
--- a/ee/app/services/vulnerabilities/create_service_base.rb
+++ b/ee/app/services/vulnerabilities/create_service_base.rb
@@ -97,6 +97,7 @@ module Vulnerabilities
      Vulnerabilities::Scanner.find_or_initialize_by(name: name) do |s|
        s.project = @project
        s.external_id = scanner_hash[:id]
+        s.vendor = scanner_hash.dig(:vendor, :name)
      end
    end
    # rubocop: enable CodeReuse/ActiveRecord

--- a/ee/app/services/vulnerabilities/starboard_vulnerability_create_service.rb
+++ b/ee/app/services/vulnerabilities/starboard_vulnerability_create_service.rb
@@ -18,9 +18,7 @@ module Vulnerabilities
      raise Gitlab::Access::AccessDeniedError unless authorized?

      vulnerability_hash = @params[:vulnerability]
-      vulnerability_hash[:state] = :detected
      vulnerability = initialize_vulnerability(vulnerability_hash)
-      vulnerability.title = vulnerability_hash[:name]&.truncate(::Issuable::TITLE_LENGTH_MAX)
      identifiers = initialize_identifiers(@params.dig(:vulnerability, :identifiers))
      scanner = initialize_scanner(@params[:scanner])
      finding = initialize_finding(
@@ -71,5 +69,10 @@ module Vulnerabilities

      Digest::SHA1.hexdigest(fingerprint_data)
    end
+
+    def initialize_vulnerability(vulnerability_hash)
+      vulnerability_hash[:state] = :detected
+      super(vulnerability_hash)
+    end
  end
 end
--- a/ee/lib/ee/api/internal/kubernetes.rb
+++ b/ee/lib/ee/api/internal/kubernetes.rb
@@ -62,9 +62,31 @@ module EE
                params do
                  requires :vulnerability, type: Hash, desc: 'Vulnerability details matching the `vulnerability` object on the security report schema' do
                    requires :name, type: String
-                    requires :severity, type: String
-                    requires :confidence, type: String
-                    requires :location, type: Hash
+                    requires :severity, type: String, coerce_with: ->(s) { s.downcase }
+                    requires :confidence, type: String, coerce_with: ->(c) { c.downcase }
+
+                    requires :location, type: Hash do
+                      requires :image, type: String
+
+                      requires :dependency, type: Hash do
+                        requires :package, type: Hash do
+                          requires :name, type: String
+                        end
+
+                        optional :version, type: String
+                      end
+
+                      requires :kubernetes_resource, type: Hash do
+                        requires :namespace, type: String
+                        requires :name, type: String
+                        requires :kind, type: String
+                        requires :container_name, type: String
+                        requires :agent_id, type: String
+                      end
+
+                      optional :operating_system, type: String
+                    end
+
                    requires :identifiers, type: Array do
                      requires :type, type: String
                      requires :name, type: String
@@ -77,11 +99,13 @@ module EE
                    optional :solution, type: String
                    optional :links, type: Array
                  end
+
                  requires :scanner, type: Hash, desc: 'Scanner details matching the `.scan.scanner` field on the security report schema' do
                    requires :id, type: String
                    requires :name, type: String
-
-                    optional :vendor, type: String
+                    requires :vendor, type: Hash do
+                      requires :name, type: String
+                    end
                  end
                end


--- a/ee/spec/requests/api/internal/kubernetes_spec.rb
+++ b/ee/spec/requests/api/internal/kubernetes_spec.rb
@@ -232,14 +232,22 @@ RSpec.describe API::Internal::Kubernetes do
        {
          vulnerability: {
            name: 'CVE-123-4567 in libc',
-            severity: 'high',
-            confidence: 'unknown',
+            severity: 'High',
+            confidence: 'Unknown',
            location: {
+              image: 'index.docker.io/library/nginx:latest',
              kubernetes_resource: {
                namespace: 'production',
                kind: 'deployment',
-                name: 'nginx',
-                container: 'nginx'
+                name: 'nginx-ingress',
+                container_name: 'nginx',
+                agent_id: '1'
+              },
+              dependency: {
+                package: {
+                  name: 'libc'
+                },
+                version: 'v1.2.3'
              }
            },
            identifiers: [
@@ -253,7 +261,9 @@ RSpec.describe API::Internal::Kubernetes do
          scanner: {
            id: 'starboard_trivy',
            name: 'Trivy (via Starboard Operator)',
-            vendor: 'GitLab'
+            vendor: {
+              name: 'GitLab'
+            }
          }
        }
      end
@@ -276,6 +286,18 @@ RSpec.describe API::Internal::Kubernetes do
        end
      end

+      context 'when required parameters are missing' do
+        where(:missing_param) { %i[vulnerability scanner] }
+
+        with_them do
+          it 'returns bad request' do
+            send_request(params: payload.delete(missing_param))
+
+            expect(response).to have_gitlab_http_status(:bad_request)
+          end
+        end
+      end
+
      context 'when feature is not available' do
        before do
          stub_licensed_features(security_dashboard: false)

--- a/ee/spec/services/vulnerabilities/starboard_vulnerability_create_service_spec.rb
+++ b/ee/spec/services/vulnerabilities/starboard_vulnerability_create_service_spec.rb
@@ -33,7 +33,9 @@ RSpec.describe Vulnerabilities::StarboardVulnerabilityCreateService do
      scanner: {
        id: 'starboard_trivy',
        name: 'Trivy (via Starboard Operator)',
-        vendor: 'GitLab'
+        vendor: {
+          name: 'GitLab'
+        }
      }
    }
  end
@@ -69,6 +71,7 @@ RSpec.describe Vulnerabilities::StarboardVulnerabilityCreateService do
        scanner = finding.scanner
        expect(scanner.external_id).to eq(params.dig(:scanner, :id))
        expect(scanner.name).to eq(params.dig(:scanner, :name))
+        expect(scanner.vendor).to eq(params.dig(:scanner, :vendor, :name))
      end
    end