Add parsing details from security reports

This change adds parsing new field from security report and saving it into newly created column in vulnerability findings.

Add parsing details from security reports
This change adds parsing new field from security report and saving it into newly created column in vulnerability findings.
cededed8 · Alan (Maciej) Paruszewski · Bob Van Landuyt · 90f18823 · cededed8 · cededed8
Commit cededed8 authored Dec 07, 2020 by Alan (Maciej) Paruszewski Committed by Bob Van Landuyt Dec 07, 2020
7 changed files
--- a/app/validators/json_schemas/vulnerability_finding_details.json
+++ b/app/validators/json_schemas/vulnerability_finding_details.json
 {
  "type": "object",
  "description": "The schema for vulnerability finding details",
-  "additionalProperties": false
+  "additionalProperties": false,
+  "patternProperties": {
+    "^.*$": {
+      "allOf": [
+        { "$ref": "#/definitions/named_field" },
+        { "$ref": "#/definitions/type_list" }
+      ]
+    }
+  },
+  "definitions": {
+    "type_list": {
+      "oneOf": [
+        { "$ref": "#/definitions/named_list" },
+        { "$ref": "#/definitions/list" },
+        { "$ref": "#/definitions/table" },
+
+        { "$ref": "#/definitions/text" },
+        { "$ref": "#/definitions/url" },
+        { "$ref": "#/definitions/code" },
+        { "$ref": "#/definitions/int" },
+
+        { "$ref": "#/definitions/commit" },
+        { "$ref": "#/definitions/file_location" },
+        { "$ref": "#/definitions/module_location" }
+      ]
+    },
+    "lang_text": {
+      "type": "object",
+      "required": [ "value", "lang" ],
+      "properties": {
+        "lang": { "type": "string" },
+        "value": { "type": "string" }
+      }
+    },
+    "lang_text_list": {
+      "type": "array",
+      "items": { "$ref": "#/definitions/lang_text" }
+    },
+    "named_field": {
+      "type": "object",
+      "required": [ "name" ],
+      "properties": {
+        "name": { "$ref": "#/definitions/lang_text_list" },
+        "description": { "$ref": "#/definitions/lang_text_list" }
+      }
+    },
+    "named_list": {
+      "type": "object",
+      "description": "An object with named and typed fields",
+      "required": [ "type", "items" ],
+      "properties": {
+        "type": { "const": "named-list" },
+        "items": {
+          "type": "object",
+          "patternProperties": {
+            "^.*$": {
+              "allOf": [
+                { "$ref": "#/definitions/named_field" },
+                { "$ref": "#/definitions/type_list" }
+              ]
+            }
+          }
+        }
+      }
+    },
+    "list": {
+      "type": "object",
+      "description": "A list of typed fields",
+      "required": [ "type", "items" ],
+      "properties": {
+        "type": { "const": "list" },
+        "items": {
+          "type": "array",
+          "items": { "$ref": "#/definitions/type_list" }
+        }
+      }
+    },
+    "table": {
+      "type": "object",
+      "description": "A table of typed fields",
+      "required": [],
+      "properties": {
+        "type": { "const": "table" },
+        "items": {
+          "type": "object",
+          "properties": {
+            "header": {
+              "type": "array",
+              "items": {
+                "$ref": "#/definitions/type_list"
+              }
+            },
+            "rows": {
+              "type": "array",
+              "items": {
+                "type": "array",
+                "items": {
+                  "$ref": "#/definitions/type_list"
+                }
+              }
+            }
+          }
+        }
+      }
+    },
+    "text": {
+      "type": "object",
+      "description": "Raw text",
+      "required": [ "type", "value" ],
+      "properties": {
+        "type": { "const": "text" },
+        "value": { "$ref": "#/definitions/lang_text_list" }
+      }
+    },
+    "url": {
+      "type": "object",
+      "description": "A single URL",
+      "required": [ "type", "href" ],
+      "properties": {
+        "type": { "const": "url" },
+        "text": { "$ref": "#/definitions/lang_text_list" },
+        "href": { "type": "string" }
+      }
+    },
+    "code": {
+      "type": "object",
+      "description": "A codeblock",
+      "required": [ "type", "value" ],
+      "properties": {
+        "type": { "const": "code" },
+        "value": { "type": "string" },
+        "lang": { "type": "string" }
+      }
+    },
+    "int": {
+      "type": "object",
+      "description": "An integer",
+      "required": [ "type", "value" ],
+      "properties": {
+        "type": { "const": "int" },
+        "value": { "type": "integer" },
+        "format": {
+          "type": "string",
+          "enum": [ "default", "hex" ]
+        }
+      }
+    },
+    "commit": {
+      "type": "object",
+      "description": "A specific commit within the project",
+      "required": [ "type", "value" ],
+      "properties": {
+        "type": { "const": "commit" },
+        "value": { "type": "string", "description": "The commit SHA" }
+      }
+    },
+    "file_location": {
+      "type": "object",
+      "description": "A location within a file in the project",
+      "required": [ "type", "file_name", "line_start" ],
+      "properties": {
+        "type": { "const": "file-location" },
+        "file_name": { "type": "string" },
+        "line_start": { "type": "integer" },
+        "line_end": { "type": "integer" }
+      }
+    },
+    "module_location": {
+      "type": "object",
+      "description": "A location within a binary module of the form module+relative_offset",
+      "required": [ "type", "module_name", "offset" ],
+      "properties": {
+        "type": { "const": "module-location" },
+        "module_name": { "type": "string" },
+        "offset": { "type": "integer" }
+      }
+    }
+  }
 }
--- a/ee/changelogs/unreleased/263497-add-parsing-details-from-vulnerability-findings.yml
+++ b/ee/changelogs/unreleased/263497-add-parsing-details-from-vulnerability-findings.yml
+---
+title: Add parsing details from security reports
+merge_request: 49107
+author:
+type: added
--- a/ee/lib/gitlab/ci/parsers/security/common.rb
+++ b/ee/lib/gitlab/ci/parsers/security/common.rb
@@ -74,7 +74,8 @@ module Gitlab
                links: links,
                remediations: remediations,
                raw_metadata: data.to_json,
-                metadata_version: version))
+                metadata_version: version,
+                details: data['details'] || {}))
          end

          def create_scan(report, scan_data)

--- a/ee/lib/gitlab/ci/reports/security/finding.rb
+++ b/ee/lib/gitlab/ci/reports/security/finding.rb
@@ -23,10 +23,11 @@ module Gitlab
          attr_reader :severity
          attr_reader :uuid
          attr_reader :remediations
+          attr_reader :details

          delegate :file_path, :start_line, :end_line, to: :location

-          def initialize(compare_key:, identifiers:, links: [], remediations: [], location:, metadata_version:, name:, raw_metadata:, report_type:, scanner:, scan:, uuid:, confidence: nil, severity: nil) # rubocop:disable Metrics/ParameterLists
+          def initialize(compare_key:, identifiers:, links: [], remediations: [], location:, metadata_version:, name:, raw_metadata:, report_type:, scanner:, scan:, uuid:, confidence: nil, severity: nil, details: {}) # rubocop:disable Metrics/ParameterLists
            @compare_key = compare_key
            @confidence = confidence
            @identifiers = identifiers
@@ -41,6 +42,7 @@ module Gitlab
            @severity = severity
            @uuid = uuid
            @remediations = remediations
+            @details = details

            @project_fingerprint = generate_project_fingerprint
          end
@@ -61,6 +63,7 @@ module Gitlab
              scan
              severity
              uuid
+              details
            ].each_with_object({}) do |key, hash|
              hash[key] = public_send(key) # rubocop:disable GitlabSecurity/PublicSend
            end

--- a/ee/spec/fixtures/security_reports/master/gl-common-scanning-report.json
+++ b/ee/spec/fixtures/security_reports/master/gl-common-scanning-report.json
@@ -18,7 +18,25 @@
                {
                    "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1020"
                }
-            ]
+            ],
+            "details": {
+                "commit": {
+                    "name": [
+                        {
+                            "lang": "en",
+                            "value": "The Commit"
+                        }
+                    ],
+                    "description": [
+                        {
+                            "lang": "en",
+                            "value": "Commit where the vulnerability was identified"
+                        }
+                    ],
+                    "type": "commit",
+                    "value": "41df7b7eb3be2b5be2c406c2f6d28cd6631eeb19"
+                }
+            }
        },
        {
            "id": "bb2fbeb1b71ea360ce3f86f001d4e84823c3ffe1a1f7d41ba7466b14cfa953d3",

--- a/ee/spec/lib/gitlab/ci/parsers/security/common_spec.rb
+++ b/ee/spec/lib/gitlab/ci/parsers/security/common_spec.rb
@@ -65,6 +65,26 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Common do
      end
    end

+    context 'parsing finding.details' do
+      let(:artifact) { build(:ee_ci_job_artifact, :common_security_report) }
+
+      context 'when details are provided' do
+        it 'sets details from the report' do
+          vulnerability = report.findings.find { |x| x.compare_key == 'CVE-1020' }
+          expected_details = Gitlab::Json.parse(vulnerability.raw_metadata)['details']
+
+          expect(vulnerability.details).to eq(expected_details)
+        end
+      end
+
+      context 'when details are not provided' do
+        it 'sets empty hash' do
+          vulnerability = report.findings.find { |x| x.compare_key == 'CVE-1030' }
+          expect(vulnerability.details).to eq({})
+        end
+      end
+    end
+
    context 'parsing remediations' do
      let(:expected_remediation) { create(:ci_reports_security_remediation, diff: '') }


--- a/ee/spec/lib/gitlab/ci/reports/security/finding_spec.rb
+++ b/ee/spec/lib/gitlab/ci/reports/security/finding_spec.rb
@@ -30,7 +30,25 @@ RSpec.describe Gitlab::Ci::Reports::Security::Finding do
        scanner: scanner,
        scan: nil,
        severity: :high,
-        uuid: 'cadf8cf0a8228fa92a0f4897a0314083bb38'
+        uuid: 'cadf8cf0a8228fa92a0f4897a0314083bb38',
+        details: {
+          'commit' => {
+            'name' => [
+              {
+                'lang' => 'en',
+                'value' => 'The Commit'
+              }
+            ],
+            'description' => [
+              {
+                'lang' => 'en',
+                'value' => 'Commit where the vulnerability was identified'
+              }
+            ],
+            'type' => 'commit',
+            'value' => '41df7b7eb3be2b5be2c406c2f6d28cd6631eeb19'
+          }
+        }
      }
    end

@@ -52,7 +70,25 @@ RSpec.describe Gitlab::Ci::Reports::Security::Finding do
          report_type: :sast,
          scanner: scanner,
          severity: :high,
-          uuid: 'cadf8cf0a8228fa92a0f4897a0314083bb38'
+          uuid: 'cadf8cf0a8228fa92a0f4897a0314083bb38',
+          details: {
+            'commit' => {
+              'name' => [
+                {
+                  'lang' => 'en',
+                  'value' => 'The Commit'
+                }
+              ],
+              'description' => [
+                {
+                  'lang' => 'en',
+                  'value' => 'Commit where the vulnerability was identified'
+                }
+              ],
+              'type' => 'commit',
+              'value' => '41df7b7eb3be2b5be2c406c2f6d28cd6631eeb19'
+            }
+          }
        )
      end
    end
@@ -100,7 +136,8 @@ RSpec.describe Gitlab::Ci::Reports::Security::Finding do
        scanner: occurrence.scanner,
        scan: occurrence.scan,
        severity: occurrence.severity,
-        uuid: occurrence.uuid
+        uuid: occurrence.uuid,
+        details: occurrence.details
      })
    end
  end