Merge branch 'sk/337926-update-cis-parser' into 'master'

Add cluster_image_scanning CI parser to add cluster_id to location

See merge request gitlab-org/gitlab!71794

ee/lib/ee/gitlab/ci/parsers.rb

@@ -12,7 +12,7 @@ module EE
                 license_scanning: ::Gitlab::Ci::Parsers::LicenseCompliance::LicenseScanning,
                 dependency_scanning: ::Gitlab::Ci::Parsers::Security::DependencyScanning,
                 container_scanning: ::Gitlab::Ci::Parsers::Security::ContainerScanning,
-                cluster_image_scanning: ::Gitlab::Ci::Parsers::Security::ContainerScanning,
+                cluster_image_scanning: ::Gitlab::Ci::Parsers::Security::ClusterImageScanning,
                 dast: ::Gitlab::Ci::Parsers::Security::Dast,
                 api_fuzzing: ::Gitlab::Ci::Parsers::Security::Dast,
                 coverage_fuzzing: ::Gitlab::Ci::Parsers::Security::CoverageFuzzing,

ee/lib/gitlab/ci/parsers/security/cluster_image_scanning.rb

+# frozen_string_literal: true
+
+module Gitlab
+  module Ci
+    module Parsers
+      module Security
+        class ClusterImageScanning < Common
+          private
+
+          def create_location(location_data)
+            ::Gitlab::Ci::Reports::Security::Locations::ClusterImageScanning.new(
+              image: location_data['image'],
+              cluster_id: location_data['cluster_id'],
+              operating_system: location_data['operating_system'],
+              package_name: location_data.dig('dependency', 'package', 'name'),
+              package_version: location_data.dig('dependency', 'version'))
+          end
+        end
+      end
+    end
+  end
+end

ee/lib/gitlab/ci/reports/security/locations/cluster_image_scanning.rb

+# frozen_string_literal: true
+
+module Gitlab
+  module Ci
+    module Reports
+      module Security
+        module Locations
+          class ClusterImageScanning < ContainerScanning
+            attr_reader :cluster_id
+
+            def initialize(image:, operating_system:, package_name: nil, package_version: nil, cluster_id: nil)
+              super(
+                image: image,
+                operating_system: operating_system,
+                package_name: package_name,
+                package_version: package_version
+              )
+              @cluster_id = cluster_id
+            end
+          end
+        end
+      end
+    end
+  end
+end

ee/spec/fixtures/security_reports/master/gl-cluster-image-scanning-report.json

@@ -21,7 +21,8 @@
           "version": "2.24-11+deb9u3"
         },
         "operating_system": "debian:9",
-        "image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e"
+        "image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e",
+        "cluster_id": "1"
       },
       "identifiers": [
         {
@@ -57,7 +58,8 @@
           "version": "2.24-11+deb9u3"
         },
         "operating_system": "debian:9",
-        "image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e"
+        "image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e",
+        "cluster_id": "1"
       },
       "identifiers": [
         {

ee/spec/lib/gitlab/ci/parsers/security/cluster_image_scanning_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::Ci::Parsers::Security::ClusterImageScanning do
+  let(:project) { artifact.project }
+  let(:pipeline) { artifact.job.pipeline }
+  let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline, 2.weeks.ago) }
+
+  before do
+    artifact.each_blob { |blob| described_class.parse!(blob, report) }
+  end
+
+  describe '#parse!' do
+    let(:artifact) { create(:ee_ci_job_artifact, :cluster_image_scanning) }
+    let(:image) { 'registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e' }
+
+    it "parses all identifiers and findings for unapproved vulnerabilities" do
+      expect(report.findings.length).to eq(2)
+      expect(report.identifiers.length).to eq(2)
+      expect(report.scanners).to include("starboard")
+      expect(report.scanners.length).to eq(1)
+    end
+
+    it 'generates expected location' do
+      location = report.findings.first.location
+
+      expect(location).to be_a(::Gitlab::Ci::Reports::Security::Locations::ClusterImageScanning)
+      expect(location).to have_attributes(
+        image: image,
+        cluster_id: '1',
+        operating_system: 'debian:9',
+        package_name: 'glibc',
+        package_version: '2.24-11+deb9u3'
+      )
+    end
+
+    it "generates expected metadata_version" do
+      expect(report.findings.first.metadata_version).to eq('2.3')
+    end
+
+    it "adds report image's name to raw_metadata" do
+      expect(report.findings.first.location).to be_a(::Gitlab::Ci::Reports::Security::Locations::ClusterImageScanning)
+      expect(report.findings.first.location.image).to eq(image)
+    end
+  end
+end

ee/spec/lib/gitlab/ci/reports/security/locations/cluster_image_scanning_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::Ci::Reports::Security::Locations::ClusterImageScanning do
+  let(:params) do
+    {
+      image: 'registry.gitlab.com/my/project:latest',
+      cluster_id: '1',
+      operating_system: 'debian:9',
+      package_name: 'glibc',
+      package_version: '1.2.3'
+    }
+  end
+
+  let(:mandatory_params) { %i[image operating_system] }
+  let(:expected_fingerprint) { Digest::SHA1.hexdigest('registry.gitlab.com/my/project:glibc') }
+  let(:expected_fingerprint_path) { 'registry.gitlab.com/my/project:glibc' }
+
+  it_behaves_like 'vulnerability location'
+end