Fix container scanning parser

Add custom location object and use it to generate location_fingerprint Remove dead code (metadata_version method) Fix JSON indent (4 spaces => 2 spaces)

Fix container scanning parser
Add custom location object and use it to generate location_fingerprint Remove dead code (metadata_version method) Fix JSON indent (4 spaces => 2 spaces)
eed2bcf0 · Olivier Gonzalez · c7c63b2f · eed2bcf0 · eed2bcf0 · eed2bcf0
Commit eed2bcf0 authored Jan 08, 2019 by Olivier Gonzalez
4 changed files
--- a/ee/lib/gitlab/ci/parsers/security/container_scanning.rb
+++ b/ee/lib/gitlab/ci/parsers/security/container_scanning.rb
@@ -51,26 +51,35 @@ module Gitlab

          def format_vulnerability(vulnerability)
            {
-                'category' => 'container_scanning',
-                'message' => name(vulnerability),
-                'description' => vulnerability['description'],
-                'cve' => vulnerability['vulnerability'],
-                'severity' => translate_severity(vulnerability['severity']),
-                'solution' => solution(vulnerability),
-                'confidence' => 'Medium',
-                'scanner' => { 'id' => 'clair', 'name' => 'Clair' },
-                'identifiers' => [
-                  {
-                      'type' => 'cve',
-                      'name' => vulnerability['vulnerability'],
-                      'value' => vulnerability['vulnerability'],
-                      'url' => vulnerability['link']
-                  }
-                ],
-                'links' => [{ 'url' => vulnerability['link'] }],
-                'priority' => 'Unknown',
-                'url' => vulnerability['link'],
-                'tool' => 'clair'
+              'category' => 'container_scanning',
+              'message' => name(vulnerability),
+              'description' => vulnerability['description'],
+              'cve' => vulnerability['vulnerability'],
+              'severity' => translate_severity(vulnerability['severity']),
+              'solution' => solution(vulnerability),
+              'confidence' => 'Medium',
+              'location' => {
+                'operating_system' => vulnerability["namespace"],
+                'dependency' => {
+                  'package' => {
+                    'name' => vulnerability["featurename"]
+                  },
+                  'version' => vulnerability["featureversion"]
+                }
+              },
+              'scanner' => { 'id' => 'clair', 'name' => 'Clair' },
+              'identifiers' => [
+                {
+                  'type' => 'cve',
+                  'name' => vulnerability['vulnerability'],
+                  'value' => vulnerability['vulnerability'],
+                  'url' => vulnerability['link']
+                }
+              ],
+              'links' => [{ 'url' => vulnerability['link'] }],
+              'priority' => 'Unknown',
+              'url' => vulnerability['link'],
+              'tool' => 'clair'
            }
          end

@@ -99,14 +108,8 @@ module Gitlab
            "#{vulnerability['featurename']} - #{vulnerability['vulnerability']}"
          end

-          def metadata_version(vulnerability)
-            '1.3'
-          end
-
          def generate_location_fingerprint(location)
-            # Location is irrelevant for Clair vulnerabilities.
-            # SHA1 value for 'clair'
-            'cb750fa5a7a31c527d5c15388a432c4ba3338457'
+            Digest::SHA1.hexdigest("#{location['operating_system']}:#{location.dig('dependency', 'package', 'name')}")
          end
        end
      end

--- a/ee/spec/lib/gitlab/ci/parsers/security/container_scanning_spec.rb
+++ b/ee/spec/lib/gitlab/ci/parsers/security/container_scanning_spec.rb
@@ -32,7 +32,9 @@ describe Gitlab::Ci::Parsers::Security::ContainerScanning do
    end

    it "generates expected location fingerprint" do
-      expect(report.occurrences.first[:location_fingerprint]).to eq('cb750fa5a7a31c527d5c15388a432c4ba3338457')
+      expected = Digest::SHA1.hexdigest('debian:9:glibc')
+
+      expect(report.occurrences.first[:location_fingerprint]).to eq(expected)
    end

    it "generates expected metadata_version" do
@@ -55,6 +57,15 @@ describe Gitlab::Ci::Parsers::Security::ContainerScanning do
            'url' => 'https://security-tracker.debian.org/tracker/CVE-2017-18269'
          }
        ],
+        'location' => {
+          'operating_system' => 'debian:9',
+          'dependency' => {
+            'package' => {
+              'name' => 'glibc'
+            },
+            'version' => '2.24-11+deb9u3'
+          }
+        },
        'links' => [{ 'url' => 'https://security-tracker.debian.org/tracker/CVE-2017-18269' }],
        'description' => 'SSE2-optimized memmove implementation problem.',
        'priority' => 'Unknown',

--- a/spec/fixtures/security-reports/feature-branch/gl-container-scanning-report.json
+++ b/spec/fixtures/security-reports/feature-branch/gl-container-scanning-report.json
 {
-    "image": "registry.gitlab.com/bikebilly/auto-devops-10-6/feature-branch:e7315ba964febb11bac8f5cd6ec433db8a3a1583",
-    "unapproved": [
-        "CVE-2017-15650"
-    ],
-    "vulnerabilities": [
-        {
-            "featurename": "musl",
-            "featureversion": "1.1.14-r15",
-            "vulnerability": "CVE-2017-15650",
-            "namespace": "alpine:v3.4",
-            "description": "",
-            "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15650",
-            "severity": "Medium",
-            "fixedby": "1.1.14-r16"
-        }
-    ]
+  "image": "registry.gitlab.com/bikebilly/auto-devops-10-6/feature-branch:e7315ba964febb11bac8f5cd6ec433db8a3a1583",
+  "unapproved": ["CVE-2017-15650"],
+  "vulnerabilities": [
+    {
+      "featurename": "musl",
+      "featureversion": "1.1.14-r15",
+      "vulnerability": "CVE-2017-15650",
+      "namespace": "alpine:v3.4",
+      "description": "",
+      "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15650",
+      "severity": "Medium",
+      "fixedby": "1.1.14-r16"
+    }
+  ]
 }
--- a/spec/fixtures/security-reports/master/gl-container-scanning-report.json
+++ b/spec/fixtures/security-reports/master/gl-container-scanning-report.json
 {
-    "image": "registry.gitlab.com/groulot/container-scanning-test/master:5f21de6956aee99ddb68ae49498662d9872f50ff",
-    "unapproved": [
-        "CVE-2017-18018",
-        "CVE-2016-2781",
-        "CVE-2017-12424",
-        "CVE-2007-5686",
-        "CVE-2013-4235"
-    ],
-    "vulnerabilities": [
-        {
-            "featurename": "glibc",
-            "featureversion": "2.24-11+deb9u3",
-            "vulnerability": "CVE-2017-18269",
-            "namespace": "debian:9",
-            "description": "SSE2-optimized memmove implementation problem.",
-            "link": "https://security-tracker.debian.org/tracker/CVE-2017-18269",
-            "severity": "Defcon1",
-            "fixedby": "2.24-11+deb9u4"
-        },
-        {
-            "featurename": "glibc",
-            "featureversion": "2.24-11+deb9u3",
-            "vulnerability": "CVE-2017-16997",
-            "namespace": "debian:9",
-            "description": "elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the \"./\" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.",
-            "link": "https://security-tracker.debian.org/tracker/CVE-2017-16997",
-            "severity": "Critical",
-            "fixedby": ""
-        },
-        {
-            "featurename": "glibc",
-            "featureversion": "2.24-11+deb9u3",
-            "vulnerability": "CVE-2018-1000001",
-            "namespace": "debian:9",
-            "description": "In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.",
-            "link": "https://security-tracker.debian.org/tracker/CVE-2018-1000001",
-            "severity": "High",
-            "fixedby": ""
-        },
-        {
-            "featurename": "glibc",
-            "featureversion": "2.24-11+deb9u3",
-            "vulnerability": "CVE-2016-10228",
-            "namespace": "debian:9",
-            "description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.",
-            "link": "https://security-tracker.debian.org/tracker/CVE-2016-10228",
-            "severity": "Medium",
-            "fixedby": ""
-        },
-        {
-            "featurename": "elfutils",
-            "featureversion": "0.168-1",
-            "vulnerability": "CVE-2018-18520",
-            "namespace": "debian:9",
-            "description": "An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.",
-            "link": "https://security-tracker.debian.org/tracker/CVE-2018-18520",
-            "severity": "Low",
-            "fixedby": ""
-        },
-        {
-            "featurename": "glibc",
-            "featureversion": "2.24-11+deb9u3",
-            "vulnerability": "CVE-2010-4052",
-            "namespace": "debian:9",
-            "description": "Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.",
-            "link": "https://security-tracker.debian.org/tracker/CVE-2010-4052",
-            "severity": "Negligible",
-            "fixedby": ""
-        },
-        {
-            "featurename": "nettle",
-            "featureversion": "3.3-1",
-            "vulnerability": "CVE-2018-16869",
-            "namespace": "debian:9",
-            "description": "A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.",
-            "link": "https://security-tracker.debian.org/tracker/CVE-2018-16869",
-            "severity": "Unknown",
-            "fixedby": ""
-        },
-        {
-            "featurename": "perl",
-            "featureversion": "5.24.1-3+deb9u4",
-            "vulnerability": "CVE-2018-18311",
-            "namespace": "debian:9",
-            "description": "Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.",
-            "link": "https://security-tracker.debian.org/tracker/CVE-2018-18311",
-            "severity": "Unknown",
-            "fixedby": "5.24.1-3+deb9u5"
-        }
-    ]
-}
\ No newline at end of file
+  "image": "registry.gitlab.com/groulot/container-scanning-test/master:5f21de6956aee99ddb68ae49498662d9872f50ff",
+  "unapproved": [
+    "CVE-2017-18018",
+    "CVE-2016-2781",
+    "CVE-2017-12424",
+    "CVE-2007-5686",
+    "CVE-2013-4235"
+  ],
+  "vulnerabilities": [
+    {
+      "featurename": "glibc",
+      "featureversion": "2.24-11+deb9u3",
+      "vulnerability": "CVE-2017-18269",
+      "namespace": "debian:9",
+      "description": "SSE2-optimized memmove implementation problem.",
+      "link": "https://security-tracker.debian.org/tracker/CVE-2017-18269",
+      "severity": "Defcon1",
+      "fixedby": "2.24-11+deb9u4"
+    },
+    {
+      "featurename": "glibc",
+      "featureversion": "2.24-11+deb9u3",
+      "vulnerability": "CVE-2017-16997",
+      "namespace": "debian:9",
+      "description": "elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the \"./\" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.",
+      "link": "https://security-tracker.debian.org/tracker/CVE-2017-16997",
+      "severity": "Critical",
+      "fixedby": ""
+    },
+    {
+      "featurename": "glibc",
+      "featureversion": "2.24-11+deb9u3",
+      "vulnerability": "CVE-2018-1000001",
+      "namespace": "debian:9",
+      "description": "In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.",
+      "link": "https://security-tracker.debian.org/tracker/CVE-2018-1000001",
+      "severity": "High",
+      "fixedby": ""
+    },
+    {
+      "featurename": "glibc",
+      "featureversion": "2.24-11+deb9u3",
+      "vulnerability": "CVE-2016-10228",
+      "namespace": "debian:9",
+      "description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.",
+      "link": "https://security-tracker.debian.org/tracker/CVE-2016-10228",
+      "severity": "Medium",
+      "fixedby": ""
+    },
+    {
+      "featurename": "elfutils",
+      "featureversion": "0.168-1",
+      "vulnerability": "CVE-2018-18520",
+      "namespace": "debian:9",
+      "description": "An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.",
+      "link": "https://security-tracker.debian.org/tracker/CVE-2018-18520",
+      "severity": "Low",
+      "fixedby": ""
+    },
+    {
+      "featurename": "glibc",
+      "featureversion": "2.24-11+deb9u3",
+      "vulnerability": "CVE-2010-4052",
+      "namespace": "debian:9",
+      "description": "Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.",
+      "link": "https://security-tracker.debian.org/tracker/CVE-2010-4052",
+      "severity": "Negligible",
+      "fixedby": ""
+    },
+    {
+      "featurename": "nettle",
+      "featureversion": "3.3-1",
+      "vulnerability": "CVE-2018-16869",
+      "namespace": "debian:9",
+      "description": "A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.",
+      "link": "https://security-tracker.debian.org/tracker/CVE-2018-16869",
+      "severity": "Unknown",
+      "fixedby": ""
+    },
+    {
+      "featurename": "perl",
+      "featureversion": "5.24.1-3+deb9u4",
+      "vulnerability": "CVE-2018-18311",
+      "namespace": "debian:9",
+      "description": "Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.",
+      "link": "https://security-tracker.debian.org/tracker/CVE-2018-18311",
+      "severity": "Unknown",
+      "fixedby": "5.24.1-3+deb9u5"
+    }
+  ]
+}