Commit d7f2a35c authored by Mehmet Emin INAC's avatar Mehmet Emin INAC

Limit the number of identifiers we create

We are limiting the number of identifiers we create per finding as 20.
This number is not a hard limit which means we are not raising an error
in case if there are findings with more than 20 identifiers.
We are just taking the first 20 identifiers and ignoring the rest if
there are more than that.
parent 2076e547
......@@ -11,6 +11,7 @@ module Vulnerabilities
self.table_name = "vulnerability_occurrences"
FINDINGS_PER_PAGE = 20
MAX_NUMBER_OF_IDENTIFIERS = 20
paginates_per FINDINGS_PER_PAGE
......
......@@ -54,7 +54,9 @@ module Security
update_vulnerability_finding(vulnerability_finding, vulnerability_params)
finding.identifiers.map do |identifier|
# The maximum number of identifiers is not used in validation
# we just want to ignore the rest if a finding has more than that.
finding.identifiers.take(Vulnerabilities::Finding::MAX_NUMBER_OF_IDENTIFIERS).map do |identifier| # rubocop: disable CodeReuse/ActiveRecord
create_or_update_vulnerability_identifier_object(vulnerability_finding, identifier)
end
......
......@@ -12,6 +12,16 @@ FactoryBot.define do
end
end
trait :with_exceeding_identifiers do
file_type { :sast }
file_format { :raw }
after(:build) do |artifact, _|
artifact.file = fixture_file_upload(
Rails.root.join('ee/spec/fixtures/security_reports/master/gl-sast-report-with-exceeding-identifiers.json'), 'application/json')
end
end
trait :secret_detection do
file_type { :secret_detection }
file_format { :raw }
......
{
"version": "1.2",
"vulnerabilities": [
{
"category": "sast",
"message": "Probable insecure usage of temp file/directory.",
"cve": "python/hardcoded/hardcoded-tmp.py:52865813c884a507be1f152d654245af34aba8a391626d01f1ab6d3f52ec8779:B108",
"severity": "Medium",
"confidence": "Medium",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/hardcoded/hardcoded-tmp.py",
"start_line": 1,
"end_line": 1
},
"identifiers": [
{
"type": "bandit_test_id_1",
"name": "Bandit Test ID B108",
"value": "B108",
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
},
{
"type": "bandit_test_id_2",
"name": "Bandit Test ID B108",
"value": "B108",
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
},
{
"type": "bandit_test_id_3",
"name": "Bandit Test ID B108",
"value": "B108",
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
},
{
"type": "bandit_test_id_4",
"name": "Bandit Test ID B108",
"value": "B108",
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
},
{
"type": "bandit_test_id_5",
"name": "Bandit Test ID B108",
"value": "B108",
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
},
{
"type": "bandit_test_id_6",
"name": "Bandit Test ID B108",
"value": "B108",
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
},
{
"type": "bandit_test_id_7",
"name": "Bandit Test ID B108",
"value": "B108",
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
},
{
"type": "bandit_test_id_8",
"name": "Bandit Test ID B108",
"value": "B108",
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
},
{
"type": "bandit_test_id_9",
"name": "Bandit Test ID B108",
"value": "B108",
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
},
{
"type": "bandit_test_id_10",
"name": "Bandit Test ID B108",
"value": "B108",
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
},
{
"type": "bandit_test_id_11",
"name": "Bandit Test ID B108",
"value": "B108",
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
},
{
"type": "bandit_test_id_12",
"name": "Bandit Test ID B108",
"value": "B108",
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
},
{
"type": "bandit_test_id_13",
"name": "Bandit Test ID B108",
"value": "B108",
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
},
{
"type": "bandit_test_id_14",
"name": "Bandit Test ID B108",
"value": "B108",
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
},
{
"type": "bandit_test_id_15",
"name": "Bandit Test ID B108",
"value": "B108",
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
},
{
"type": "bandit_test_id_16",
"name": "Bandit Test ID B108",
"value": "B108",
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
},
{
"type": "bandit_test_id_17",
"name": "Bandit Test ID B108",
"value": "B108",
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
},
{
"type": "bandit_test_id_18",
"name": "Bandit Test ID B108",
"value": "B108",
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
},
{
"type": "bandit_test_id_19",
"name": "Bandit Test ID B108",
"value": "B108",
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
},
{
"type": "bandit_test_id_20",
"name": "Bandit Test ID B108",
"value": "B108",
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
},
{
"type": "bandit_test_id_21",
"name": "Bandit Test ID B108",
"value": "B108",
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
}
],
"priority": "Medium",
"file": "python/hardcoded/hardcoded-tmp.py",
"line": 1,
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html",
"tool": "bandit"
}
],
"remediations": [],
"scan": {
"scanner": {
"id": "gosec",
"name": "Gosec",
"url": "https://github.com/securego/gosec",
"vendor": {
"name": "GitLab"
},
"version": "2.3.0"
},
"type": "sast",
"status": "success",
"start_time": "placeholder-value",
"end_time": "placeholder-value"
}
}
......@@ -4,7 +4,8 @@ require 'spec_helper'
RSpec.describe Security::StoreReportService, '#execute' do
let_it_be(:user) { create(:user) }
let(:artifact) { create(:ee_ci_job_artifact, report_type) }
let(:artifact) { create(:ee_ci_job_artifact, trait) }
let(:report_type) { artifact.file_type }
let(:project) { artifact.project }
let(:pipeline) { artifact.job.pipeline }
let(:report) { pipeline.security_reports.get_report(report_type.to_s, artifact) }
......@@ -23,8 +24,9 @@ RSpec.describe Security::StoreReportService, '#execute' do
using RSpec::Parameterized::TableSyntax
where(:case_name, :report_type, :scanners, :identifiers, :findings, :finding_identifiers, :finding_pipelines) do
where(:case_name, :trait, :scanners, :identifiers, :findings, :finding_identifiers, :finding_pipelines) do
'with SAST report' | :sast | 3 | 17 | 33 | 39 | 33
'with exceeding identifiers' | :with_exceeding_identifiers | 1 | 20 | 1 | 20 | 1
'with Dependency Scanning report' | :dependency_scanning | 2 | 7 | 4 | 7 | 4
'with Container Scanning report' | :container_scanning | 1 | 8 | 8 | 8 | 8
end
......@@ -85,7 +87,7 @@ RSpec.describe Security::StoreReportService, '#execute' do
let(:new_build) { create(:ci_build, pipeline: new_pipeline) }
let(:new_pipeline) { create(:ci_pipeline, project: project) }
let(:new_report) { new_pipeline.security_reports.get_report(report_type.to_s, artifact) }
let(:report_type) { :sast }
let(:trait) { :sast }
let!(:finding) do
create(:vulnerabilities_finding,
......@@ -180,7 +182,7 @@ RSpec.describe Security::StoreReportService, '#execute' do
context 'with existing data from same pipeline' do
let!(:finding) { create(:vulnerabilities_finding, project: project, pipelines: [pipeline]) }
let(:report_type) { :sast }
let(:trait) { :sast }
it 'skips report' do
expect(subject).to eq({
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment