Commit 7d4aef76 authored by Craig Smith's avatar Craig Smith Committed by Igor Drozdov

Add scanned resources to Security::Report

parent fbaeb915
...@@ -42,6 +42,7 @@ module Security ...@@ -42,6 +42,7 @@ module Security
copy_scanners_to_target(source) copy_scanners_to_target(source)
copy_identifiers_to_target(source) copy_identifiers_to_target(source)
copy_occurrences_to_buffer(source) copy_occurrences_to_buffer(source)
copy_scanned_resources_to_target(source)
end end
copy_occurrences_to_target copy_occurrences_to_target
...@@ -65,6 +66,10 @@ module Security ...@@ -65,6 +66,10 @@ module Security
@occurrences.concat(source.occurrences) @occurrences.concat(source.occurrences)
end end
def copy_scanned_resources_to_target(source_report)
@target_report.scanned_resources.concat(source_report.scanned_resources).uniq!
end
# this method mutates the passed seen_identifiers set # this method mutates the passed seen_identifiers set
def check_or_mark_seen_identifier!(identifier, location_fingerprint, seen_identifiers) def check_or_mark_seen_identifier!(identifier, location_fingerprint, seen_identifiers)
key = IdentifierKey.new(location_fingerprint, identifier.external_type, identifier.external_id) key = IdentifierKey.new(location_fingerprint, identifier.external_type, identifier.external_id)
......
...@@ -11,6 +11,8 @@ module Gitlab ...@@ -11,6 +11,8 @@ module Gitlab
report_data = parse_report(json_data) report_data = parse_report(json_data)
raise SecurityReportParserError, "Invalid report format" unless report_data.is_a?(Hash) raise SecurityReportParserError, "Invalid report format" unless report_data.is_a?(Hash)
report.scanned_resources = report_data.dig('scan', 'scanned_resources') || []
collate_remediations(report_data).each do |vulnerability| collate_remediations(report_data).each do |vulnerability|
create_vulnerability(report, vulnerability, report_data["version"]) create_vulnerability(report, vulnerability, report_data["version"])
end end
......
...@@ -14,6 +14,7 @@ module Gitlab ...@@ -14,6 +14,7 @@ module Gitlab
attr_reader :scanners attr_reader :scanners
attr_reader :identifiers attr_reader :identifiers
attr_accessor :scanned_resources
attr_accessor :error attr_accessor :error
def initialize(type, commit_sha, created_at) def initialize(type, commit_sha, created_at)
...@@ -23,6 +24,7 @@ module Gitlab ...@@ -23,6 +24,7 @@ module Gitlab
@occurrences = [] @occurrences = []
@scanners = {} @scanners = {}
@identifiers = {} @identifiers = {}
@scanned_resources = []
end end
def errored? def errored?
......
...@@ -5,6 +5,7 @@ FactoryBot.define do ...@@ -5,6 +5,7 @@ FactoryBot.define do
type { :sast } type { :sast }
commit_sha { Digest::SHA1.hexdigest(SecureRandom.hex) } commit_sha { Digest::SHA1.hexdigest(SecureRandom.hex) }
created_at { 2.weeks.ago } created_at { 2.weeks.ago }
scanned_resources { [] }
transient do transient do
occurrences { [] } occurrences { [] }
......
...@@ -16,15 +16,16 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Dast do ...@@ -16,15 +16,16 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Dast do
:occurrence_count, :occurrence_count,
:identifier_count, :identifier_count,
:scanner_count, :scanner_count,
:scanned_resources_count,
:last_occurrence_hostname, :last_occurrence_hostname,
:last_occurrence_method_name, :last_occurrence_method_name,
:last_occurrence_path, :last_occurrence_path,
:last_occurrence_severity, :last_occurrence_severity,
:last_occurrence_confidence) do :last_occurrence_confidence) do
:dast | 24 | 15 | 1 | 'http://goat:8080' | 'GET' | '/WebGoat/plugins/bootstrap/css/bootstrap.min.css' | 'info' | 'low' :dast | 24 | 15 | 1 | 6 | 'http://goat:8080' | 'GET' | '/WebGoat/plugins/bootstrap/css/bootstrap.min.css' | 'info' | 'low'
:dast_multiple_sites | 25 | 15 | 1 | 'http://goat:8080' | 'GET' | '/WebGoat/plugins/bootstrap/css/bootstrap.min.css' | 'info' | 'low' :dast_multiple_sites | 25 | 15 | 1 | 0 | 'http://goat:8080' | 'GET' | '/WebGoat/plugins/bootstrap/css/bootstrap.min.css' | 'info' | 'low'
:dast_deprecated_no_spider | 2 | 3 | 1 | 'http://bikebilly-spring-auto-devops-review-feature-br-3y2gpb.35.192.176.43.xip.io' | 'GET' | '/' | 'low' | 'medium' :dast_deprecated_no_spider | 2 | 3 | 1 | 0 | 'http://bikebilly-spring-auto-devops-review-feature-br-3y2gpb.35.192.176.43.xip.io' | 'GET' | '/' | 'low' | 'medium'
:dast_deprecated_no_common_fields | 24 | 15 | 1 | 'http://goat:8080' | 'GET' | '/WebGoat/plugins/bootstrap/css/bootstrap.min.css' | 'info' | 'low' :dast_deprecated_no_common_fields | 24 | 15 | 1 | 0 | 'http://goat:8080' | 'GET' | '/WebGoat/plugins/bootstrap/css/bootstrap.min.css' | 'info' | 'low'
end end
with_them do with_them do
...@@ -36,10 +37,11 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Dast do ...@@ -36,10 +37,11 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Dast do
end end
end end
it 'parses all identifiers and occurrences' do it 'parses all identifiers, occurrences and scanned resources' do
expect(report.occurrences.length).to eq(occurrence_count) expect(report.occurrences.length).to eq(occurrence_count)
expect(report.identifiers.length).to eq(identifier_count) expect(report.identifiers.length).to eq(identifier_count)
expect(report.scanners.length).to eq(scanner_count) expect(report.scanners.length).to eq(scanner_count)
expect(report.scanned_resources.length).to eq(scanned_resources_count)
end end
it 'generates expected location' do it 'generates expected location' do
......
...@@ -87,7 +87,8 @@ RSpec.describe Security::MergeReportsService, '#execute' do ...@@ -87,7 +87,8 @@ RSpec.describe Security::MergeReportsService, '#execute' do
:ci_reports_security_report, :ci_reports_security_report,
scanners: [scanner_1, scanner_2], scanners: [scanner_1, scanner_2],
occurrences: report_1_occurrences, occurrences: report_1_occurrences,
identifiers: report_1_occurrences.flat_map(&:identifiers) identifiers: report_1_occurrences.flat_map(&:identifiers),
scanned_resources: ['example.com', 'example.com/1', 'example.com/2']
) )
end end
...@@ -98,7 +99,8 @@ RSpec.describe Security::MergeReportsService, '#execute' do ...@@ -98,7 +99,8 @@ RSpec.describe Security::MergeReportsService, '#execute' do
:ci_reports_security_report, :ci_reports_security_report,
scanners: [scanner_2], scanners: [scanner_2],
occurrences: report_2_occurrences, occurrences: report_2_occurrences,
identifiers: occurrence_id_2_loc_2.identifiers identifiers: occurrence_id_2_loc_2.identifiers,
scanned_resources: ['example.com', 'example.com/3']
) )
end end
...@@ -148,6 +150,17 @@ RSpec.describe Security::MergeReportsService, '#execute' do ...@@ -148,6 +150,17 @@ RSpec.describe Security::MergeReportsService, '#execute' do
) )
end end
it 'deduplicates scanned resources' do
expect(subject.scanned_resources).to(
eq([
'example.com',
'example.com/1',
'example.com/2',
'example.com/3'
])
)
end
context 'ordering reports for dependency scanning analyzers' do context 'ordering reports for dependency scanning analyzers' do
let(:gemnasium_scanner) { build(:ci_reports_security_scanner, external_id: 'gemnasium', name: 'gemnasium') } let(:gemnasium_scanner) { build(:ci_reports_security_scanner, external_id: 'gemnasium', name: 'gemnasium') }
let(:retire_js_scaner) { build(:ci_reports_security_scanner, external_id: 'retire.js', name: 'Retire.js') } let(:retire_js_scaner) { build(:ci_reports_security_scanner, external_id: 'retire.js', name: 'Retire.js') }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment