Make unknown default confidence for container scanning

Write background migrations
Write tests for background_migration

db/post_migrate/20190909141517_update_cs_vulnerability_confidence_column.rb

+# frozen_string_literal: true
+
+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+class UpdateCsVulnerabilityConfidenceColumn < ActiveRecord::Migration[5.2]
+  include Gitlab::Database::MigrationHelpers
+
+  disable_ddl_transaction!
+
+  DOWNTIME = false
+  BATCH_SIZE = 1_000
+  INTERVAL = 5.minutes
+
+  # 137_424 records to be updated on GitLab.com,
+  # giving us an estimated runtime of 12 hours.
+  def up
+    migration = Gitlab::BackgroundMigration::UpdateVulnerabilityConfidence
+    migration_name = migration.to_s.demodulize
+    relation = migration::Occurrence.container_scanning_reports_with_medium_confidence
+    queue_background_migration_jobs_by_range_at_intervals(relation,
+                                                          migration_name,
+                                                          INTERVAL,
+                                                          batch_size: BATCH_SIZE)
+  end
+
+  def down
+    # no-op
+  end
+end

ee/changelogs/unreleased/remove-medium-from-cs-ee.yml

+---
+title: Remove hardcoded Medium confidence for Container Scanning vulnerabilities
+merge_request: 16395
+author:
+type: fixed

ee/lib/gitlab/ci/parsers/security/formatters/container_scanning.rb

@@ -20,7 +20,7 @@ module Gitlab
                 'cve' => formatted_vulnerability.cve,
                 'severity' => formatted_vulnerability.severity,
                 'solution' => formatted_vulnerability.solution,
-                'confidence' => 'Medium',
+                'confidence' => 'Unknown',
                 'location' => {
                   'image' => image,
                   'operating_system' => formatted_vulnerability.operating_system,

ee/spec/finders/security/pipeline_vulnerabilities_finder_spec.rb

@@ -140,7 +140,7 @@ describe Security::PipelineVulnerabilitiesFinder do
         subject { described_class.new(pipeline: pipeline).execute }
 
         it 'returns all vulnerability confidence levels' do
-          expect(subject.map(&:confidence).uniq).to match_array %w[undefined low medium high]
+          expect(subject.map(&:confidence).uniq).to match_array %w[undefined unknown low medium high]
         end
       end
 
@@ -159,7 +159,7 @@ describe Security::PipelineVulnerabilitiesFinder do
 
         it 'filters by all params' do
           expect(subject.count).to eq cs_count + dast_count + ds_count + sast_count
-          expect(subject.map(&:confidence).uniq).to match_array %w[undefined low medium high]
+          expect(subject.map(&:confidence).uniq).to match_array %w[undefined unknown low medium high]
           expect(subject.map(&:severity).uniq).to match_array %w[undefined unknown low medium high critical]
         end
       end

ee/spec/lib/gitlab/ci/parsers/security/formatters/container_scanning_spec.rb

@@ -20,7 +20,7 @@ describe Gitlab::Ci::Parsers::Security::Formatters::ContainerScanning do
       expect(formatter.format(vulnerability)).to eq( {
         'category' => 'container_scanning',
         'message' => 'CVE-2017-18269 in glibc',
-        'confidence' => 'Medium',
+        'confidence' => 'Unknown',
         'cve' => 'CVE-2017-18269',
         'identifiers' => [
           {

lib/gitlab/background_migration/update_vulnerability_confidence.rb

+# frozen_string_literal: true
+# rubocop:disable Style/Documentation
+module Gitlab
+  module BackgroundMigration
+    class UpdateVulnerabilityConfidence
+      class Occurrence < ActiveRecord::Base
+        include ::EachBatch
+
+        self.table_name = 'vulnerability_occurrences'
+
+        REPORT_TYPES = {
+          container_scanning: 2
+        }.freeze
+
+        CONFIDENCE_LEVELS = {
+          unknown: 2,
+          medium: 5
+        }.freeze
+
+        enum confidences: CONFIDENCE_LEVELS
+        enum report_type: REPORT_TYPES
+
+        def self.container_scanning_reports_with_medium_confidence
+          where(report_type: self.report_types[:container_scanning], confidence: self.confidences[:medium])
+        end
+      end
+
+      def perform(start_id, stop_id)
+        Occurrence.container_scanning_reports_with_medium_confidence
+                  .where(id: start_id..stop_id)
+                  .update_all(confidence: Occurrence.confidences[:unknown])
+      end
+    end
+  end
+end

spec/lib/gitlab/background_migration/update_vulnerability_confidence_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Gitlab::BackgroundMigration::UpdateVulnerabilityConfidence, :migration, schema: 20190909141517 do
+  let(:vulnerabilities) { table(:vulnerability_occurrences) }
+  let(:identifiers) { table(:vulnerability_identifiers) }
+  let(:scanners) { table(:vulnerability_scanners) }
+  let(:projects) { table(:projects) }
+  let(:vul1) { attributes_for(:vulnerabilities_occurrence) }
+  let(:vul2) { attributes_for(:vulnerabilities_occurrence) }
+  let(:vul3) { attributes_for(:vulnerabilities_occurrence) }
+
+  it 'updates confidence level for container scanning reports' do
+    projects.create!(id: 123, namespace_id: 12, name: 'gitlab', path: 'gitlab')
+
+    (1..3).to_a.each do |identifier_id|
+      identifiers.create!(id: identifier_id,
+                          project_id: 123,
+                          fingerprint: 'd432c2ad2953e8bd587a3a43b3ce309b5b0154c' + identifier_id.to_s,
+                          external_type: 'SECURITY_ID',
+                          external_id: 'SECURITY_0',
+                          name: 'SECURITY_IDENTIFIER 0')
+    end
+
+    scanners.create!(id: 6, project_id: 123, external_id: 'clair', name: 'Security Scanner')
+
+    vulnerabilities.create!(container_scanning_vuln_params(vul1, 1))
+    vulnerabilities.create!(container_scanning_vuln_params(vul2, 2))
+    vulnerabilities.create!(container_scanning_vuln_params(vul3, 3).merge(report_type: 1))
+
+    expect(vulnerabilities.where(report_type: 2, confidence: 2).count). to eq(0)
+    expect(vulnerabilities.exists?(report_type: 2, confidence: 5)).to be_truthy
+
+    described_class.new.perform(1, 3)
+
+    expect(vulnerabilities.exists?(report_type: 2, confidence: 5)).to be_falsy
+    expect(vulnerabilities.where(report_type: 2, confidence: 2).count). to eq(2)
+  end
+
+  def container_scanning_vuln_params(vul, primary_identifier_id)
+    {
+      id: vul[:id],
+      severity: 2,
+      confidence: 5,
+      report_type: 2,
+      project_id: 123,
+      scanner_id: 6,
+      primary_identifier_id: primary_identifier_id,
+      project_fingerprint: vul[:project_fingerprint],
+      location_fingerprint: vul[:location_fingerprint],
+      uuid: vul[:uuid],
+      name: vul[:name],
+      metadata_version: '1.3',
+      raw_metadata: vul3[:raw_metadata]
+    }
+  end
+end

spec/migrations/update_cs_vulnerability_confidence_column_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+require Rails.root.join('db', 'post_migrate', '20190909141517_update_cs_vulnerability_confidence_column.rb')
+
+describe UpdateCsVulnerabilityConfidenceColumn, :migration, :sidekiq do
+  let(:vulnerabilities) { table(:vulnerability_occurrences) }
+  let(:identifiers) { table(:vulnerability_identifiers) }
+  let(:scanners) { table(:vulnerability_scanners) }
+  let(:projects) { table(:projects) }
+  let(:vul1) { attributes_for(:vulnerabilities_occurrence, id: 1, report_type: 2, confidence: 5) }
+  let(:vul2) { attributes_for(:vulnerabilities_occurrence, id: 2, report_type: 2, confidence: 5) }
+
+  before do
+    stub_const("#{described_class}::BATCH_SIZE", 2)
+  end
+
+  it 'updates confidence levels for container scanning reports' do
+    projects.create!(id: 123, namespace_id: 12, name: 'gitlab', path: 'gitlab')
+
+    identifiers.create!(id: 1,
+                        project_id: 123,
+                        fingerprint: 'd432c2ad2953e8bd587a3a43b3ce309b5b0154c2',
+                        external_type: 'SECURITY_ID',
+                        external_id: 'SECURITY_0',
+                        name: 'SECURITY_IDENTIFIER 0')
+
+    identifiers.create!(id: 2,
+                        project_id: 123,
+                        fingerprint: 'd432c2ad2953e8bd587a3a43b3ce309b5b0154c3',
+                        external_type: 'SECURITY_ID',
+                        external_id: 'SECURITY_0',
+                        name: 'SECURITY_IDENTIFIER 0')
+
+    scanners.create!(id: 6, project_id: 123, external_id: 'clair', name: 'Security Scanner')
+
+    vulnerabilities.create!(id: vul1[:id],
+                            severity: 2,
+                            confidence: 5,
+                            report_type: 2,
+                            project_id: 123,
+                            scanner_id: 6,
+                            primary_identifier_id: 1,
+                            project_fingerprint: vul1[:project_fingerprint],
+                            location_fingerprint: vul1[:location_fingerprint],
+                            uuid: vul1[:uuid],
+                            name: vul1[:name],
+                            metadata_version: '1.3',
+                            raw_metadata: vul1[:raw_metadata])
+
+    vulnerabilities.create!(id: vul2[:id],
+                            severity: 2,
+                            confidence: 5,
+                            report_type: 2,
+                            project_id: 123,
+                            scanner_id: 6,
+                            primary_identifier_id: 2,
+                            project_fingerprint: vul2[:project_fingerprint],
+                            location_fingerprint: vul2[:location_fingerprint],
+                            uuid: vul2[:uuid],
+                            name: vul2[:name],
+                            metadata_version: '1.3',
+                            raw_metadata: vul2[:raw_metadata])
+
+    expect(vulnerabilities.where(report_type: 2, confidence: 2).count). to eq(0)
+    expect(vulnerabilities.exists?(report_type: 2, confidence: 5)).to be_truthy
+
+    migrate!
+
+    expect(vulnerabilities.exists?(report_type: 2, confidence: 5)).to be_falsy
+    expect(vulnerabilities.where(report_type: 2, confidence: 2).count). to eq(2)
+  end
+end