Commit e2a66be7 authored by Michał Zając's avatar Michał Zając

Allow storing detection_method in vulnerability findings

* Add detection_method to vulnerabilities_occurrences table
* Add ::Enums::Vulnerability
* Add detection_method enum to Vulnerabilities::Finding
* Update specs and factories

Changelog: added
parent aa537725
...@@ -29,6 +29,14 @@ module Enums ...@@ -29,6 +29,14 @@ module Enums
critical: 7 critical: 7
}.with_indifferent_access.freeze }.with_indifferent_access.freeze
DETECTION_METHODS = {
gitlab_security_report: 0,
external_security_report: 1,
bug_bounty: 2,
code_review: 3,
security_audit: 4
}.with_indifferent_access.freeze
def self.confidence_levels def self.confidence_levels
CONFIDENCE_LEVELS CONFIDENCE_LEVELS
end end
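Review bot: The DETECTION_METHODS mapping is persisted as the integer column `vulnerability_occurrences.detection_method` (added in this same commit as a smallint with default 0), so the numeric values are now part of stored data and must never be renumbered or reused, unlike a purely in-memory constant. A comment above the constant would make that contract visible to the next person extending the list: `# Persisted in vulnerability_occurrences.detection_method; append new values only, never renumber or reuse them.` The `with_indifferent_access.freeze` matches the sibling constants, so no change is needed there.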
...@@ -40,6 +48,10 @@ module Enums ...@@ -40,6 +48,10 @@ module Enums
def self.severity_levels def self.severity_levels
SEVERITY_LEVELS SEVERITY_LEVELS
end end
def self.detection_methods
DETECTION_METHODS
end
end end
end end
......
# frozen_string_literal: true
class AddDetectionMethodToVulnerabilitiesFinding < ActiveRecord::Migration[6.1]
include Gitlab::Database::MigrationHelpers
def up
with_lock_retries do
add_column :vulnerability_occurrences, :detection_method, :smallint, null: false, default: 0
end
end
def down
with_lock_retries do
remove_column :vulnerability_occurrences, :detection_method
end
end
end
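Review bot: `default: 0` backfills every existing row as `gitlab_security_report` (value 0 in the new enum), which is a data-semantics decision rather than a schema detail; presumably all pre-existing findings did originate from GitLab security reports, but if any were ingested from another source they are now labelled incorrectly with no way to tell afterwards. It is worth recording that assumption next to the `add_column` call, e.g. `# Existing findings all come from GitLab security reports, so 0 (gitlab_security_report) is the correct value for historical rows.` If the assumption does not hold for some deployments, a separate backfill keyed on the original source would be needed instead of relying on the column default.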
dedf2f8d76f4131f34d61fe2c730f8b092ca46f8b35b08a76b7bc096c140aad1
\ No newline at end of file
...@@ -19272,6 +19272,7 @@ CREATE TABLE vulnerability_occurrences ( ...@@ -19272,6 +19272,7 @@ CREATE TABLE vulnerability_occurrences (
solution text, solution text,
cve text, cve text,
location jsonb, location jsonb,
detection_method smallint DEFAULT 0 NOT NULL,
CONSTRAINT check_4a3a60f2ba CHECK ((char_length(solution) <= 7000)), CONSTRAINT check_4a3a60f2ba CHECK ((char_length(solution) <= 7000)),
CONSTRAINT check_ade261da6b CHECK ((char_length(description) <= 15000)), CONSTRAINT check_ade261da6b CHECK ((char_length(description) <= 15000)),
CONSTRAINT check_df6dd20219 CHECK ((char_length(message) <= 3000)), CONSTRAINT check_df6dd20219 CHECK ((char_length(message) <= 3000)),
...@@ -47,6 +47,7 @@ module Vulnerabilities ...@@ -47,6 +47,7 @@ module Vulnerabilities
enum confidence: ::Enums::Vulnerability.confidence_levels, _prefix: :confidence enum confidence: ::Enums::Vulnerability.confidence_levels, _prefix: :confidence
enum report_type: ::Enums::Vulnerability.report_types enum report_type: ::Enums::Vulnerability.report_types
enum severity: ::Enums::Vulnerability.severity_levels, _prefix: :severity enum severity: ::Enums::Vulnerability.severity_levels, _prefix: :severity
enum detection_method: ::Enums::Vulnerability.detection_methods
validates :scanner, presence: true validates :scanner, presence: true
validates :project, presence: true validates :project, presence: true
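Review bot: `enum detection_method:` on the added line is declared without `_prefix`, unlike `confidence` and `severity` directly above it, so Rails generates bare scopes and predicates such as `Finding.code_review`, `Finding.security_audit` and `finding.bug_bounty?` on the model; these generic names are easy to confuse with unrelated domain methods, which is the reason the sibling enums carry a prefix. Suggest `enum detection_method: ::Enums::Vulnerability.detection_methods, _prefix: :detection_method`, with the spec's matcher changed to `define_enum_for(:detection_method).with_prefix`. The enclosing class body starts before this hunk.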
...@@ -62,6 +63,7 @@ module Vulnerabilities ...@@ -62,6 +63,7 @@ module Vulnerabilities
validates :report_type, presence: true validates :report_type, presence: true
validates :severity, presence: true validates :severity, presence: true
validates :confidence, presence: true validates :confidence, presence: true
validates :detection_method, presence: true
validates :metadata_version, presence: true validates :metadata_version, presence: true
validates :raw_metadata, presence: true validates :raw_metadata, presence: true
......
...@@ -57,6 +57,7 @@ FactoryBot.define do ...@@ -57,6 +57,7 @@ FactoryBot.define do
end end
severity { :high } severity { :high }
confidence { :medium } confidence { :medium }
detection_method { :gitlab_security_report }
scanner factory: :vulnerabilities_scanner scanner factory: :vulnerabilities_scanner
metadata_version { 'sast:1.0' } metadata_version { 'sast:1.0' }
......
...@@ -6,6 +6,7 @@ RSpec.describe Vulnerabilities::Finding do ...@@ -6,6 +6,7 @@ RSpec.describe Vulnerabilities::Finding do
it { is_expected.to define_enum_for(:confidence) } it { is_expected.to define_enum_for(:confidence) }
it { is_expected.to define_enum_for(:report_type) } it { is_expected.to define_enum_for(:report_type) }
it { is_expected.to define_enum_for(:severity) } it { is_expected.to define_enum_for(:severity) }
it { is_expected.to define_enum_for(:detection_method) }
where(vulnerability_finding_signatures_enabled: [true, false]) where(vulnerability_finding_signatures_enabled: [true, false])
with_them do with_them do
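Review bot: The new examples only check that the enum and the presence validation exist; nothing asserts that a finding created without an explicit detection_method is `gitlab_security_report`, which is the behaviour the migration's `default: 0` provides and which the factory now hides by always setting the value. A one-line example pins it: `it { expect(described_class.new.detection_method).to eq('gitlab_security_report') }`. The `with_them` block continues past the end of this hunk.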
...@@ -44,6 +45,7 @@ RSpec.describe Vulnerabilities::Finding do ...@@ -44,6 +45,7 @@ RSpec.describe Vulnerabilities::Finding do
it { is_expected.to validate_presence_of(:raw_metadata) } it { is_expected.to validate_presence_of(:raw_metadata) }
it { is_expected.to validate_presence_of(:severity) } it { is_expected.to validate_presence_of(:severity) }
it { is_expected.to validate_presence_of(:confidence) } it { is_expected.to validate_presence_of(:confidence) }
it { is_expected.to validate_presence_of(:detection_method) }
it { is_expected.to validate_length_of(:description).is_at_most(15000) } it { is_expected.to validate_length_of(:description).is_at_most(15000) }
it { is_expected.to validate_length_of(:message).is_at_most(3000) } it { is_expected.to validate_length_of(:message).is_at_most(3000) }
......