Commit 8611fb40 authored by Mehmet Emin INAC's avatar Mehmet Emin INAC

Return nil if the uuid name components are missing

Instead of calculating the UUID for invalid findings, we should return
`nil` and log a warning message.
parent 4af1ef00
...@@ -171,6 +171,7 @@ module Gitlab ...@@ -171,6 +171,7 @@ module Gitlab
if uuid_v5_name_components.values.any?(&:nil?) if uuid_v5_name_components.values.any?(&:nil?)
Gitlab::AppLogger.warn(message: "One or more UUID name components are nil", components: uuid_v5_name_components) Gitlab::AppLogger.warn(message: "One or more UUID name components are nil", components: uuid_v5_name_components)
return
end end
name = uuid_v5_name_components.values.join('-') name = uuid_v5_name_components.values.join('-')
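Review bot: The guard on the first line of the hunk rejects only `nil` components, so an empty-string component still passes and the `join('-')` on the last line produces a name with a doubled separator such as `dependency_scanning--<fingerprint>-<project_id>`; the removed spec expectations in this same commit show that exactly that shape yielded one identical UUID for three distinct findings. If the UUID is what identifies a finding downstream, as the spec's use of it suggests, findings that differ only in the blank component would still collapse into one, which is the collision the commit sets out to avoid. Consider `if uuid_v5_name_components.values.any?(&:blank?)` (ActiveSupport's `blank?` covers both `nil` and `""`) and wording the log message to match. The enclosing method starts and ends outside the hunk, so I cannot see whether callers already handle the bare `return`; the spec's `expected_uuids` implies the `nil` propagates into `finding.uuid`.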
......
...@@ -13,7 +13,13 @@ ...@@ -13,7 +13,13 @@
"name": "Gemnasium" "name": "Gemnasium"
}, },
"location": {}, "location": {},
"identifiers": [], "identifiers": [
{
"type": "GitLab",
"name": "Foo vulnerability",
"value": "foo"
}
],
"links": [ "links": [
{ {
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1020" "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1020"
...@@ -52,7 +58,13 @@ ...@@ -52,7 +58,13 @@
"name": "Gemnasium" "name": "Gemnasium"
}, },
"location": {}, "location": {},
"identifiers": [], "identifiers": [
{
"type": "GitLab",
"name": "Bar vulnerability",
"value": "bar"
}
],
"links": [ "links": [
{ {
"name": "CVE-1030", "name": "CVE-1030",
......
...@@ -13,12 +13,11 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Common do ...@@ -13,12 +13,11 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Common do
before do before do
allow(parser).to receive(:create_location).and_return(location) allow(parser).to receive(:create_location).and_return(location)
artifact.each_blob do |blob|
parser.parse!(blob, report) artifact.each_blob { |blob| parser.parse!(blob, report) }
end
end end
context 'parsing finding.name' do describe 'parsing finding.name' do
let(:artifact) { build(:ee_ci_job_artifact, :common_security_report_with_blank_names) } let(:artifact) { build(:ee_ci_job_artifact, :common_security_report_with_blank_names) }
context 'when message is provided' do context 'when message is provided' do
...@@ -65,9 +64,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Common do ...@@ -65,9 +64,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Common do
end end
end end
context 'parsing finding.details' do describe 'parsing finding.details' do
let(:artifact) { build(:ee_ci_job_artifact, :common_security_report) }
context 'when details are provided' do context 'when details are provided' do
it 'sets details from the report' do it 'sets details from the report' do
vulnerability = report.findings.find { |x| x.compare_key == 'CVE-1020' } vulnerability = report.findings.find { |x| x.compare_key == 'CVE-1020' }
...@@ -85,7 +82,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Common do ...@@ -85,7 +82,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Common do
end end
end end
context 'parsing remediations' do describe 'parsing remediations' do
let(:expected_remediation) { create(:ci_reports_security_remediation, diff: '') } let(:expected_remediation) { create(:ci_reports_security_remediation, diff: '') }
it 'finds remediation with same cve' do it 'finds remediation with same cve' do
...@@ -122,7 +119,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Common do ...@@ -122,7 +119,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Common do
end end
end end
context 'parsing scanners' do describe 'parsing scanners' do
subject(:scanner) { report.findings.first.scanner } subject(:scanner) { report.findings.first.scanner }
context 'when vendor is not missing in scanner' do context 'when vendor is not missing in scanner' do
...@@ -132,7 +129,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Common do ...@@ -132,7 +129,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Common do
end end
end end
context 'parsing scan' do describe 'parsing scan' do
it 'returns scan object for each finding' do it 'returns scan object for each finding' do
scans = report.findings.map(&:scan) scans = report.findings.map(&:scan)
...@@ -153,7 +150,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Common do ...@@ -153,7 +150,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Common do
end end
end end
context 'parsing links' do describe 'parsing links' do
it 'returns links object for each finding', :aggregate_failures do it 'returns links object for each finding', :aggregate_failures do
links = report.findings.flat_map(&:links) links = report.findings.flat_map(&:links)
...@@ -166,15 +163,13 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Common do ...@@ -166,15 +163,13 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Common do
describe 'setting the uuid' do describe 'setting the uuid' do
let(:finding_uuids) { report.findings.map(&:uuid) } let(:finding_uuids) { report.findings.map(&:uuid) }
let(:expected_uuids) do let(:uuid_1_components) { "dependency_scanning-4ff8184cd18485b6e85d5b101e341b12eacd1b3b-33dc9f32c77dde16d39c69d3f78f27ca3114a7c5-#{pipeline.project_id}" }
[ let(:uuid_2_components) { "dependency_scanning-d55f9e66e79882ae63af9fd55cc822ab75307e31-33dc9f32c77dde16d39c69d3f78f27ca3114a7c5-#{pipeline.project_id}" }
Gitlab::Vulnerabilities::CalculateFindingUUID.call("dependency_scanning--33dc9f32c77dde16d39c69d3f78f27ca3114a7c5-#{pipeline.project_id}"), let(:uuid_1) { Gitlab::Vulnerabilities::CalculateFindingUUID.call(uuid_1_components) }
Gitlab::Vulnerabilities::CalculateFindingUUID.call("dependency_scanning--33dc9f32c77dde16d39c69d3f78f27ca3114a7c5-#{pipeline.project_id}"), let(:uuid_2) { Gitlab::Vulnerabilities::CalculateFindingUUID.call(uuid_2_components) }
Gitlab::Vulnerabilities::CalculateFindingUUID.call("dependency_scanning--33dc9f32c77dde16d39c69d3f78f27ca3114a7c5-#{pipeline.project_id}") let(:expected_uuids) { [uuid_1, uuid_2, nil] }
]
end
it 'sets the UUIDv5 for findings' do it 'sets the UUIDv5 for findings', :aggregate_failures do
expect(finding_uuids).to match_array(expected_uuids) expect(finding_uuids).to match_array(expected_uuids)
end end
end end
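Review bot: Nothing in the updated 'setting the uuid' block asserts the warning that the commit description promises for the finding whose UUID is `nil`; the new `expected_uuids` only pins `[uuid_1, uuid_2, nil]`, so a regression that silently returns `nil` without logging would pass. Because parsing already runs in the `before` block at the top of this file section, an `expect(...).to receive` placed inside the example would be set too late; a spy works instead: `allow(Gitlab::AppLogger).to receive(:warn).and_call_original` in a `before`, then `expect(Gitlab::AppLogger).to have_received(:warn).with(hash_including(message: 'One or more UUID name components are nil'))` in the example. The `let(:artifact)` removed from 'parsing finding.details' means that block now depends on an outer `artifact` definition that lies outside the hunk, so I cannot confirm it still parses the fixture it did before.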
......