Merge branch '263497-add-parsing-details-from-vulnerability-findings' into 'master'

Add parsing details from security reports

See merge request gitlab-org/gitlab!49107

app/validators/json_schemas/vulnerability_finding_details.json

 {
   "type": "object",
   "description": "The schema for vulnerability finding details",
-  "additionalProperties": false
+  "additionalProperties": false,
+  "patternProperties": {
+    "^.*$": {
+      "allOf": [
+        { "$ref": "#/definitions/named_field" },
+        { "$ref": "#/definitions/type_list" }
+      ]
+    }
+  },
+  "definitions": {
+    "type_list": {
+      "oneOf": [
+        { "$ref": "#/definitions/named_list" },
+        { "$ref": "#/definitions/list" },
+        { "$ref": "#/definitions/table" },
+
+        { "$ref": "#/definitions/text" },
+        { "$ref": "#/definitions/url" },
+        { "$ref": "#/definitions/code" },
+        { "$ref": "#/definitions/int" },
+
+        { "$ref": "#/definitions/commit" },
+        { "$ref": "#/definitions/file_location" },
+        { "$ref": "#/definitions/module_location" }
+      ]
+    },
+    "lang_text": {
+      "type": "object",
+      "required": [ "value", "lang" ],
+      "properties": {
+        "lang": { "type": "string" },
+        "value": { "type": "string" }
+      }
+    },
+    "lang_text_list": {
+      "type": "array",
+      "items": { "$ref": "#/definitions/lang_text" }
+    },
+    "named_field": {
+      "type": "object",
+      "required": [ "name" ],
+      "properties": {
+        "name": { "$ref": "#/definitions/lang_text_list" },
+        "description": { "$ref": "#/definitions/lang_text_list" }
+      }
+    },
+    "named_list": {
+      "type": "object",
+      "description": "An object with named and typed fields",
+      "required": [ "type", "items" ],
+      "properties": {
+        "type": { "const": "named-list" },
+        "items": {
+          "type": "object",
+          "patternProperties": {
+            "^.*$": {
+              "allOf": [
+                { "$ref": "#/definitions/named_field" },
+                { "$ref": "#/definitions/type_list" }
+              ]
+            }
+          }
+        }
+      }
+    },
+    "list": {
+      "type": "object",
+      "description": "A list of typed fields",
+      "required": [ "type", "items" ],
+      "properties": {
+        "type": { "const": "list" },
+        "items": {
+          "type": "array",
+          "items": { "$ref": "#/definitions/type_list" }
+        }
+      }
+    },
+    "table": {
+      "type": "object",
+      "description": "A table of typed fields",
+      "required": [],
+      "properties": {
+        "type": { "const": "table" },
+        "items": {
+          "type": "object",
+          "properties": {
+            "header": {
+              "type": "array",
+              "items": {
+                "$ref": "#/definitions/type_list"
+              }
+            },
+            "rows": {
+              "type": "array",
+              "items": {
+                "type": "array",
+                "items": {
+                  "$ref": "#/definitions/type_list"
+                }
+              }
+            }
+          }
+        }
+      }
+    },
+    "text": {
+      "type": "object",
+      "description": "Raw text",
+      "required": [ "type", "value" ],
+      "properties": {
+        "type": { "const": "text" },
+        "value": { "$ref": "#/definitions/lang_text_list" }
+      }
+    },
+    "url": {
+      "type": "object",
+      "description": "A single URL",
+      "required": [ "type", "href" ],
+      "properties": {
+        "type": { "const": "url" },
+        "text": { "$ref": "#/definitions/lang_text_list" },
+        "href": { "type": "string" }
+      }
+    },
+    "code": {
+      "type": "object",
+      "description": "A codeblock",
+      "required": [ "type", "value" ],
+      "properties": {
+        "type": { "const": "code" },
+        "value": { "type": "string" },
+        "lang": { "type": "string" }
+      }
+    },
+    "int": {
+      "type": "object",
+      "description": "An integer",
+      "required": [ "type", "value" ],
+      "properties": {
+        "type": { "const": "int" },
+        "value": { "type": "integer" },
+        "format": {
+          "type": "string",
+          "enum": [ "default", "hex" ]
+        }
+      }
+    },
+    "commit": {
+      "type": "object",
+      "description": "A specific commit within the project",
+      "required": [ "type", "value" ],
+      "properties": {
+        "type": { "const": "commit" },
+        "value": { "type": "string", "description": "The commit SHA" }
+      }
+    },
+    "file_location": {
+      "type": "object",
+      "description": "A location within a file in the project",
+      "required": [ "type", "file_name", "line_start" ],
+      "properties": {
+        "type": { "const": "file-location" },
+        "file_name": { "type": "string" },
+        "line_start": { "type": "integer" },
+        "line_end": { "type": "integer" }
+      }
+    },
+    "module_location": {
+      "type": "object",
+      "description": "A location within a binary module of the form module+relative_offset",
+      "required": [ "type", "module_name", "offset" ],
+      "properties": {
+        "type": { "const": "module-location" },
+        "module_name": { "type": "string" },
+        "offset": { "type": "integer" }
+      }
+    }
+  }
 }

ee/changelogs/unreleased/263497-add-parsing-details-from-vulnerability-findings.yml

+---
+title: Add parsing details from security reports
+merge_request: 49107
+author:
+type: added

ee/lib/gitlab/ci/parsers/security/common.rb

@@ -74,7 +74,8 @@ module Gitlab
                 links: links,
                 remediations: remediations,
                 raw_metadata: data.to_json,
-                metadata_version: version))
+                metadata_version: version,
+                details: data['details'] || {}))
           end
 
           def create_scan(report, scan_data)

ee/lib/gitlab/ci/reports/security/finding.rb

@@ -23,10 +23,11 @@ module Gitlab
           attr_reader :severity
           attr_reader :uuid
           attr_reader :remediations
+          attr_reader :details
 
           delegate :file_path, :start_line, :end_line, to: :location
 
-          def initialize(compare_key:, identifiers:, links: [], remediations: [], location:, metadata_version:, name:, raw_metadata:, report_type:, scanner:, scan:, uuid:, confidence: nil, severity: nil) # rubocop:disable Metrics/ParameterLists
+          def initialize(compare_key:, identifiers:, links: [], remediations: [], location:, metadata_version:, name:, raw_metadata:, report_type:, scanner:, scan:, uuid:, confidence: nil, severity: nil, details: {}) # rubocop:disable Metrics/ParameterLists
             @compare_key = compare_key
             @confidence = confidence
             @identifiers = identifiers
@@ -41,6 +42,7 @@ module Gitlab
             @severity = severity
             @uuid = uuid
             @remediations = remediations
+            @details = details
 
             @project_fingerprint = generate_project_fingerprint
           end
@@ -61,6 +63,7 @@ module Gitlab
               scan
               severity
               uuid
+              details
             ].each_with_object({}) do |key, hash|
               hash[key] = public_send(key) # rubocop:disable GitlabSecurity/PublicSend
             end

ee/spec/fixtures/security_reports/master/gl-common-scanning-report.json

@@ -18,7 +18,25 @@
                 {
                     "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1020"
                 }
-            ]
+            ],
+            "details": {
+                "commit": {
+                    "name": [
+                        {
+                            "lang": "en",
+                            "value": "The Commit"
+                        }
+                    ],
+                    "description": [
+                        {
+                            "lang": "en",
+                            "value": "Commit where the vulnerability was identified"
+                        }
+                    ],
+                    "type": "commit",
+                    "value": "41df7b7eb3be2b5be2c406c2f6d28cd6631eeb19"
+                }
+            }
         },
         {
             "id": "bb2fbeb1b71ea360ce3f86f001d4e84823c3ffe1a1f7d41ba7466b14cfa953d3",

ee/spec/lib/gitlab/ci/parsers/security/common_spec.rb

@@ -65,6 +65,26 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Common do
       end
     end
 
+    context 'parsing finding.details' do
+      let(:artifact) { build(:ee_ci_job_artifact, :common_security_report) }
+
+      context 'when details are provided' do
+        it 'sets details from the report' do
+          vulnerability = report.findings.find { |x| x.compare_key == 'CVE-1020' }
+          expected_details = Gitlab::Json.parse(vulnerability.raw_metadata)['details']
+
+          expect(vulnerability.details).to eq(expected_details)
+        end
+      end
+
+      context 'when details are not provided' do
+        it 'sets empty hash' do
+          vulnerability = report.findings.find { |x| x.compare_key == 'CVE-1030' }
+          expect(vulnerability.details).to eq({})
+        end
+      end
+    end
+
     context 'parsing remediations' do
       let(:expected_remediation) { create(:ci_reports_security_remediation, diff: '') }
 

ee/spec/lib/gitlab/ci/reports/security/finding_spec.rb

@@ -30,7 +30,25 @@ RSpec.describe Gitlab::Ci::Reports::Security::Finding do
         scanner: scanner,
         scan: nil,
         severity: :high,
-        uuid: 'cadf8cf0a8228fa92a0f4897a0314083bb38'
+        uuid: 'cadf8cf0a8228fa92a0f4897a0314083bb38',
+        details: {
+          'commit' => {
+            'name' => [
+              {
+                'lang' => 'en',
+                'value' => 'The Commit'
+              }
+            ],
+            'description' => [
+              {
+                'lang' => 'en',
+                'value' => 'Commit where the vulnerability was identified'
+              }
+            ],
+            'type' => 'commit',
+            'value' => '41df7b7eb3be2b5be2c406c2f6d28cd6631eeb19'
+          }
+        }
       }
     end
 
@@ -52,7 +70,25 @@ RSpec.describe Gitlab::Ci::Reports::Security::Finding do
           report_type: :sast,
           scanner: scanner,
           severity: :high,
-          uuid: 'cadf8cf0a8228fa92a0f4897a0314083bb38'
+          uuid: 'cadf8cf0a8228fa92a0f4897a0314083bb38',
+          details: {
+            'commit' => {
+              'name' => [
+                {
+                  'lang' => 'en',
+                  'value' => 'The Commit'
+                }
+              ],
+              'description' => [
+                {
+                  'lang' => 'en',
+                  'value' => 'Commit where the vulnerability was identified'
+                }
+              ],
+              'type' => 'commit',
+              'value' => '41df7b7eb3be2b5be2c406c2f6d28cd6631eeb19'
+            }
+          }
         )
       end
     end
@@ -100,7 +136,8 @@ RSpec.describe Gitlab::Ci::Reports::Security::Finding do
         scanner: occurrence.scanner,
         scan: occurrence.scan,
         severity: occurrence.severity,
-        uuid: occurrence.uuid
+        uuid: occurrence.uuid,
+        details: occurrence.details
       })
     end
   end