ec339d87
Commit
ec339d87
authored
Jan 21, 2020
by
Cameron Swords
Committed by
Stan Hu
Jan 21, 2020
Verify deprecated DAST report format
Added specific DAST report examples
parent
17517bc8
Showing
7 changed files
with
666 additions
and
89 deletions
+666
-89
ee/lib/gitlab/ci/parsers/security/dast.rb
ee/lib/gitlab/ci/parsers/security/dast.rb
+3
-38
ee/lib/gitlab/ci/parsers/security/formatters/dast.rb
ee/lib/gitlab/ci/parsers/security/formatters/dast.rb
+45
-7
ee/spec/factories/ci/job_artifacts.rb
ee/spec/factories/ci/job_artifacts.rb
+14
-2
ee/spec/fixtures/security_reports/deprecated/gl-dast-report-no-common-fields.json
...y_reports/deprecated/gl-dast-report-no-common-fields.json
+559
-0
ee/spec/fixtures/security_reports/deprecated/gl-dast-report-no-spider.json
...security_reports/deprecated/gl-dast-report-no-spider.json
+0
-0
ee/spec/lib/gitlab/ci/parsers/security/dast_spec.rb
ee/spec/lib/gitlab/ci/parsers/security/dast_spec.rb
+4
-3
ee/spec/lib/gitlab/ci/parsers/security/formatters/dast_spec.rb
...ec/lib/gitlab/ci/parsers/security/formatters/dast_spec.rb
+41
-39
ee/lib/gitlab/ci/parsers/security/dast.rb
@@ -5,52 +5,17 @@ module Gitlab
@@ -5,52 +5,17 @@ module Gitlab
module
Parsers
module
Parsers
module
Security
module
Security
class
Dast
<
Common
class
Dast
<
Common
FORMAT_VERSION
=
'2.0'
.
freeze
protected
protected
def
parse_report
(
json_data
)
def
parse_report
(
json_data
)
report
=
super
report
=
super
format_report
(
report
)
return
Formatters
::
Dast
.
new
(
report
).
format
if
Formatters
::
Dast
.
satisfies?
(
report
)
end
private
def
format_report
(
data
)
report
{
'vulnerabilities'
=>
extract_vulnerabilities_from
(
Array
.
wrap
(
data
[
'site'
])),
'version'
=>
FORMAT_VERSION
}
end
end
# Log messages to be added here to track usage of legacy reports,
private
# parsing failures and any other scenarios: https://gitlab.com/gitlab-org/gitlab/issues/34668
def
extract_vulnerabilities_from
(
sites
=
[])
return
[]
if
sites
.
empty?
vulnerabilities
=
[]
sites
.
each
do
|
site
|
site_report
=
Hash
(
site
)
next
if
site_report
.
blank?
# If host is blank for legacy reports
host
=
site_report
[
'@name'
]
site_report
[
'alerts'
].
each
do
|
vulnerability
|
vulnerabilities
+=
flatten_vulnerabilities
(
vulnerability
,
host
)
end
end
vulnerabilities
end
def
flatten_vulnerabilities
(
vulnerability
,
host
)
vulnerability
[
'instances'
].
map
do
|
instance
|
Formatters
::
Dast
.
new
(
vulnerability
).
format
(
instance
,
host
)
end
end
def
create_location
(
location_data
)
def
create_location
(
location_data
)
::
Gitlab
::
Ci
::
Reports
::
Security
::
Locations
::
Dast
.
new
(
::
Gitlab
::
Ci
::
Reports
::
Security
::
Locations
::
Dast
.
new
(
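Review bot: `parse_report` now branches silently on `Formatters::Dast.satisfies?(report)` with nothing at the call site saying which report layout that predicate detects, so the method reads as a plain pass-through until one opens the formatter. A one-line comment above the `return` would carry the intent: `# Deprecated DAST reports are the raw ZAProxy document ('site' present, no 'vulnerabilities'); convert them to the common schema before anything else reads the report.` The `protected`/`private` split is otherwise fine; the class continues past the hunk with `create_location`, which is unchanged.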
ee/lib/gitlab/ci/parsers/security/formatters/dast.rb
@@ -6,11 +6,53 @@ module Gitlab
@@ -6,11 +6,53 @@ module Gitlab
module
Security
module
Security
module
Formatters
module
Formatters
class
Dast
class
Dast
def
initialize
(
vulnerability
)
FORMAT_VERSION
=
'2.0'
.
freeze
@vulnerability
=
vulnerability
def
initialize
(
report
)
@report
=
report
end
def
self
.
satisfies?
(
report
)
report
.
key?
(
'site'
)
&&
!
report
.
key?
(
'vulnerabilities'
)
end
end
def
format
(
instance
,
hostname
)
def
format
{
'vulnerabilities'
=>
extract_vulnerabilities_from
(
Array
.
wrap
(
@report
[
'site'
])),
'version'
=>
FORMAT_VERSION
}
end
private
# Log messages to be added here to track usage of legacy reports,
# parsing failures and any other scenarios: https://gitlab.com/gitlab-org/gitlab/issues/34668
def
extract_vulnerabilities_from
(
sites
=
[])
return
[]
if
sites
.
empty?
vulnerabilities
=
[]
sites
.
each
do
|
site
|
site_report
=
Hash
(
site
)
next
if
site_report
.
blank?
# If host is blank for legacy reports
host
=
site_report
[
'@name'
]
site_report
[
'alerts'
].
each
do
|
vulnerability
|
vulnerabilities
+=
flatten_vulnerabilities
(
vulnerability
,
host
)
end
end
vulnerabilities
end
def
flatten_vulnerabilities
(
vulnerability
,
host
)
vulnerability
[
'instances'
].
map
{
|
instance
|
format_vulnerability
(
vulnerability
,
instance
,
host
)
}
end
def
format_vulnerability
(
vulnerability
,
instance
,
hostname
)
{
{
'category'
=>
'dast'
,
'category'
=>
'dast'
,
'message'
=>
vulnerability
[
'name'
],
'message'
=>
vulnerability
[
'name'
],
@@ -50,10 +92,6 @@ module Gitlab
@@ -50,10 +92,6 @@ module Gitlab
}
}
end
end
private
attr_reader
:vulnerability
SEVERITY_MAPPING
=
%w{info low medium high}
.
freeze
SEVERITY_MAPPING
=
%w{info low medium high}
.
freeze
CONFIDENCE_MAPPING
=
%w{ignore low medium high confirmed}
.
freeze
CONFIDENCE_MAPPING
=
%w{ignore low medium high confirmed}
.
freeze
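Review bot: `self.satisfies?` calls `report.key?` directly, so when the artifact's top-level JSON is not an object (an array, string or `null`, depending on what `Common#parse_report` — outside this hunk — hands back) the check raises `NoMethodError` instead of letting the parser report a malformed artifact on its own error path. Guarding the type first keeps that behaviour: `report.is_a?(Hash) && report.key?('site') && !report.key?('vulnerabilities')`. The same assumption recurs further down in the moved code: `site_report['alerts'].each` and `vulnerability['instances'].map` require both keys to be present, so a deprecated report missing `alerts` or `instances` also surfaces as `NoMethodError`; `Array(site_report['alerts'])` and `Array(vulnerability['instances'])` would treat an absent key as empty. Since the input is a CI job artifact produced by an external scanner rather than data this application wrote, the lenient form seems the better default, and the existing `# If host is blank for legacy reports` comment could be completed to say what happens in that case (`host` is taken from `'@name'` and may be nil).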
ee/spec/factories/ci/job_artifacts.rb
@@ -42,13 +42,25 @@ FactoryBot.define do
@@ -42,13 +42,25 @@ FactoryBot.define do
end
end
end
end
trait
:dast_deprecated
do
trait
:dast_deprecated
_no_spider
do
file_format
{
:raw
}
file_format
{
:raw
}
file_type
{
:dast
}
file_type
{
:dast
}
after
(
:build
)
do
|
artifact
,
_
|
after
(
:build
)
do
|
artifact
,
_
|
artifact
.
file
=
fixture_file_upload
(
artifact
.
file
=
fixture_file_upload
(
Rails
.
root
.
join
(
'ee/spec/fixtures/security_reports/deprecated/gl-dast-report.json'
),
'application/json'
)
Rails
.
root
.
join
(
'ee/spec/fixtures/security_reports/deprecated/gl-dast-report-no-spider.json'
),
'application/json'
)
end
end
trait
:dast_deprecated_no_common_fields
do
file_format
{
:raw
}
file_type
{
:dast
}
after
(
:build
)
do
|
artifact
,
_
|
artifact
.
file
=
fixture_file_upload
(
Rails
.
root
.
join
(
'ee/spec/fixtures/security_reports/deprecated/gl-dast-report-no-common-fields.json'
),
'application/json'
)
end
end
end
end
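Review bot: The `:dast_deprecated_no_spider` and `:dast_deprecated_no_common_fields` traits are identical except for the filename inside `Rails.root.join(...)`, and the same `file_format`/`file_type`/`after(:build)` body appears to recur in the traits above the hunk. A small local lambda taking the fixture filename, or a transient attribute holding the path, would leave one copy of that body and make the next deprecated-fixture trait a one-liner. The enclosing `FactoryBot.define` block starts and ends outside the hunk.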
ee/spec/fixtures/security_reports/deprecated/gl-dast-report-no-common-fields.json
0 → 100644
ee/spec/fixtures/security_reports/deprecated/gl-dast-report.json
→
ee/spec/fixtures/security_reports/deprecated/gl-dast-report
-no-spider
.json
File moved
ee/spec/lib/gitlab/ci/parsers/security/dast_spec.rb
@@ -21,9 +21,10 @@ describe Gitlab::Ci::Parsers::Security::Dast do
@@ -21,9 +21,10 @@ describe Gitlab::Ci::Parsers::Security::Dast do
:last_occurrence_path
,
:last_occurrence_path
,
:last_occurrence_severity
,
:last_occurrence_severity
,
:last_occurrence_confidence
)
do
:last_occurrence_confidence
)
do
:dast
|
24
|
15
|
1
|
'http://goat:8080'
|
'GET'
|
'/WebGoat/plugins/bootstrap/css/bootstrap.min.css'
|
'info'
|
'low'
:dast
|
24
|
15
|
1
|
'http://goat:8080'
|
'GET'
|
'/WebGoat/plugins/bootstrap/css/bootstrap.min.css'
|
'info'
|
'low'
:dast_multiple_sites
|
25
|
15
|
1
|
'https://goat:8080'
|
'GET'
|
'/WebGoat/registration'
|
'high'
|
'medium'
:dast_multiple_sites
|
25
|
15
|
1
|
'http://goat:8080'
|
'GET'
|
'/WebGoat/plugins/bootstrap/css/bootstrap.min.css'
|
'info'
|
'low'
:dast_deprecated
|
2
|
3
|
1
|
'http://bikebilly-spring-auto-devops-review-feature-br-3y2gpb.35.192.176.43.xip.io'
|
'GET'
|
'/'
|
'low'
|
'medium'
:dast_deprecated_no_spider
|
2
|
3
|
1
|
'http://bikebilly-spring-auto-devops-review-feature-br-3y2gpb.35.192.176.43.xip.io'
|
'GET'
|
'/'
|
'low'
|
'medium'
:dast_deprecated_no_common_fields
|
24
|
15
|
1
|
'http://goat:8080'
|
'GET'
|
'/WebGoat/plugins/bootstrap/css/bootstrap.min.css'
|
'info'
|
'low'
end
end
with_them
do
with_them
do
ee/spec/lib/gitlab/ci/parsers/security/formatters/dast_spec.rb
@@ -3,61 +3,63 @@
@@ -3,61 +3,63 @@
require
'spec_helper'
require
'spec_helper'
describe
Gitlab
::
Ci
::
Parsers
::
Security
::
Formatters
::
Dast
do
describe
Gitlab
::
Ci
::
Parsers
::
Security
::
Formatters
::
Dast
do
let
(
:formatter
)
{
described_class
.
new
(
file_vulnerability
)
}
let
(
:formatter
)
{
described_class
.
new
(
parsed_report
)
}
let
(
:file_vulnerability
)
{
parsed_report
[
'site'
].
first
[
'alerts'
][
0
]
}
let
(
:parsed_report
)
do
let
(
:parsed_report
)
do
JSON
.
parse!
(
JSON
.
parse!
(
File
.
read
(
File
.
read
(
Rails
.
root
.
join
(
'ee/spec/fixtures/security_reports/
master/gl-dast-report
.json'
)
Rails
.
root
.
join
(
'ee/spec/fixtures/security_reports/
deprecated/gl-dast-report-no-common-fields
.json'
)
)
)
)
)
end
end
describe
'#format_vulnerability'
do
describe
'#format_vulnerability'
do
let
(
:instance
)
{
file_vulnerability
[
'instances'
][
0
]
}
let
(
:hostname
)
{
'http://goat:8080'
}
let
(
:hostname
)
{
'http://goat:8080'
}
let
(
:file_vulnerability
)
{
parsed_report
[
'site'
].
first
[
'alerts'
][
0
]
}
let
(
:sanitized_desc
)
{
file_vulnerability
[
'desc'
].
gsub
(
'<p>'
,
''
).
gsub
(
'</p>'
,
''
)
}
let
(
:sanitized_desc
)
{
file_vulnerability
[
'desc'
].
gsub
(
'<p>'
,
''
).
gsub
(
'</p>'
,
''
)
}
let
(
:sanitized_solution
)
{
file_vulnerability
[
'solution'
].
gsub
(
'<p>'
,
''
).
gsub
(
'</p>'
,
''
)
}
let
(
:sanitized_solution
)
{
file_vulnerability
[
'solution'
].
gsub
(
'<p>'
,
''
).
gsub
(
'</p>'
,
''
)
}
let
(
:version
)
{
parsed_report
[
'@version'
]
}
let
(
:version
)
{
parsed_report
[
'@version'
]
}
it
'format ZAProxy vulnerability into common format'
do
it
'format ZAProxy vulnerability into common format'
do
data
=
formatter
.
format
(
instance
,
hostname
)
data
=
formatter
.
format
expect
(
data
[
'category'
]).
to
eq
(
'dast'
)
expect
(
data
[
'vulnerabilities'
].
size
).
to
eq
(
24
)
expect
(
data
[
'message'
]).
to
eq
(
'Anti CSRF Tokens Scanner'
)
vulnerability
=
data
[
'vulnerabilities'
][
0
]
expect
(
data
[
'description'
]).
to
eq
(
sanitized_desc
)
expect
(
data
[
'cve'
]).
to
eq
(
'20012'
)
expect
(
vulnerability
[
'category'
]).
to
eq
(
'dast'
)
expect
(
data
[
'severity'
]).
to
eq
(
'high'
)
expect
(
vulnerability
[
'message'
]).
to
eq
(
'Anti CSRF Tokens Scanner'
)
expect
(
data
[
'confidence'
]).
to
eq
(
'medium'
)
expect
(
vulnerability
[
'description'
]).
to
eq
(
sanitized_desc
)
expect
(
data
[
'solution'
]).
to
eq
(
sanitized_solution
)
expect
(
vulnerability
[
'cve'
]).
to
eq
(
'20012'
)
expect
(
data
[
'scanner'
]).
to
eq
({
'id'
=>
'zaproxy'
,
'name'
=>
'ZAProxy'
})
expect
(
vulnerability
[
'severity'
]).
to
eq
(
'high'
)
expect
(
data
[
'links'
]).
to
eq
([{
'url'
=>
'http://projects.webappsec.org/Cross-Site-Request-Forgery'
},
expect
(
vulnerability
[
'confidence'
]).
to
eq
(
'medium'
)
{
'url'
=>
'http://cwe.mitre.org/data/definitions/352.html'
}])
expect
(
vulnerability
[
'solution'
]).
to
eq
(
sanitized_solution
)
expect
(
data
[
'identifiers'
][
0
]).
to
eq
({
expect
(
vulnerability
[
'scanner'
]).
to
eq
({
'id'
=>
'zaproxy'
,
'name'
=>
'ZAProxy'
})
'type'
=>
'ZAProxy_PluginId'
,
expect
(
vulnerability
[
'links'
]).
to
eq
([{
'url'
=>
'http://projects.webappsec.org/Cross-Site-Request-Forgery'
},
'name'
=>
'Anti CSRF Tokens Scanner'
,
{
'url'
=>
'http://cwe.mitre.org/data/definitions/352.html'
}])
'value'
=>
'20012'
,
expect
(
vulnerability
[
'identifiers'
][
0
]).
to
eq
({
'url'
=>
"https://github.com/zaproxy/zaproxy/blob/w2019-01-14/docs/scanners.md"
'type'
=>
'ZAProxy_PluginId'
,
})
'name'
=>
'Anti CSRF Tokens Scanner'
,
expect
(
data
[
'identifiers'
][
1
]).
to
eq
({
'value'
=>
'20012'
,
'type'
=>
'CWE'
,
'url'
=>
"https://github.com/zaproxy/zaproxy/blob/w2019-01-14/docs/scanners.md"
'name'
=>
"CWE-352"
,
})
'value'
=>
'352'
,
expect
(
vulnerability
[
'identifiers'
][
1
]).
to
eq
({
'url'
=>
"https://cwe.mitre.org/data/definitions/352.html"
'type'
=>
'CWE'
,
})
'name'
=>
"CWE-352"
,
expect
(
data
[
'identifiers'
][
2
]).
to
eq
({
'value'
=>
'352'
,
'type'
=>
'WASC'
,
'url'
=>
"https://cwe.mitre.org/data/definitions/352.html"
'name'
=>
"WASC-9"
,
})
'value'
=>
'9'
,
expect
(
vulnerability
[
'identifiers'
][
2
]).
to
eq
({
'url'
=>
"http://projects.webappsec.org/w/page/13246974/Threat%20Classification%20Reference%20Grid"
'type'
=>
'WASC'
,
})
'name'
=>
"WASC-9"
,
expect
(
data
[
'location'
]).
to
eq
({
'value'
=>
'9'
,
'param'
=>
''
,
'url'
=>
"http://projects.webappsec.org/w/page/13246974/Threat%20Classification%20Reference%20Grid"
'method'
=>
'GET'
,
})
'hostname'
=>
hostname
,
expect
(
vulnerability
[
'location'
]).
to
eq
({
'path'
=>
'/WebGoat/login'
'param'
=>
''
,
})
'method'
=>
'GET'
,
'hostname'
=>
hostname
,
'path'
=>
'/WebGoat/login'
})
end
end
end
end
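Review bot: The `describe '#format_vulnerability'` label is now stale: the example calls `formatter.format`, the public entry point, while `format_vulnerability` has become a private helper, so the block should read `describe '#format' do`. The example also never asserts the top-level `'version'` key that `format` now emits next to `'vulnerabilities'`; `expect(data['version']).to eq('2.0')` would pin the format version stamped on converted deprecated reports. The `let(:version)` carried over from the old spec reads `parsed_report['@version']`, which is the ZAProxy document's own version rather than the output version, and it is not referenced anywhere in the hunk — if nothing below uses it, it can be dropped. Only `data['vulnerabilities'][0]` is inspected, which is reasonable given the `size` assertion, but worth a short comment saying the first alert is the one being checked.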