
Create a code diff to fix Dependency Scanning vulnerabilities - Part I

This issue tracks intermediate progress on #5656 (closed).

This week (W50), we should complete the following tasks:

Remember we're talking about ~"dependency scanning" here.

refs #5656 (closed)

Report syntax

at the top level:

  • move the vulnerabilities under a vulnerabilities key (array of objects, required)
  • introduce version (string, required)
  • introduce remediations (array of objects, optional)

vulnerability object:

  • rename cve to compare_key (string, required) (not doable right now)

remediation object:

  • fixes (array of objects, required): the fixed vulnerability objects, each reduced to its compare key (cve for now)
  • summary (string, required): a summary of what has been done to fix the vulnerability
  • diff (string, required): a base64-encoded patch (unified diff) to be applied in the root directory of the repo

The diff field makes it possible to create a commit, a branch and a MR to automatically fix the vulnerability.

Here's an example where the vulnerability has been truncated:

{
  "version": "2.0",
  "vulnerabilities": [
    {
      "category": "dependency_scanning",
      "name": "Infinite recursion in parameter entities",
      "message": "Infinite recursion in parameter entities in nokogiri",
      "description": "libxml2 incorrectly handles certain parameter entities. An attacker can leverage this with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service.",
      "cve": "rails/Gemfile.lock:nokogiri:gemnasium:6a0d56f6-2441-492a-9b14-edb95ac31919"
    }
  ],
  "remediations": [
    {
      "fixes": [
        {
          "cve": "rails/Gemfile.lock:nokogiri:gemnasium:6a0d56f6-2441-492a-9b14-edb95ac31919"
        }
      ],
      "summary": "Upgrade to rails 5.1.2",
      "diff": "ZGlmZiAtLWdpdCBhL3Rlc3QvZml4dHVyZXMveWFybi9wYWNrYWdlLmpzb24g\nYi90ZXN0L2ZpeHR1cmVzL3lhcm4vcGFja2FnZS5qc29uCmluZGV4IDZjNjUy\nY2UuLjAwY2RkZWUgMTAwNjQ0Ci0tLSBhL3Rlc3QvZml4dHVyZXMveWFybi9w\nYWNrYWdlLmpzb24KKysrIGIvdGVzdC9maXh0dXJlcy95YXJuL3BhY2thZ2Uu\nanNvbgpAQCAtNSw2ICs1LDYgQEAKICAgIm1haW4iOiAiaW5kZXguanMiLAog\nICAibGljZW5zZSI6ICJNSVQiLAogICAiZGVwZW5kZW5jaWVzIjogewotICAg\nICJzYW1sMi1qcyI6ICIxLjUuMCIKKyAgICAic2FtbDItanMiOiAifjEuNS4w\nIgogICB9CiB9CmRpZmYgLS1naXQgYS90ZXN0L2ZpeHR1cmVzL3lhcm4veWFy\nbi5sb2NrIGIvdGVzdC9maXh0dXJlcy95YXJuL3lhcm4ubG9jawppbmRleCBh\nY2E5MmVjLi45MDdkZmQwIDEwMDY0NAotLS0gYS90ZXN0L2ZpeHR1cmVzL3lh\ncm4veWFybi5sb2NrCisrKyBiL3Rlc3QvZml4dHVyZXMveWFybi95YXJuLmxv\nY2sKQEAgLTI4LDkgKzI4LDkgQEAgbm9kZS1mb3JnZUAwLjIuMjQ6CiAgIHZl\ncnNpb24gIjAuMi4yNCIKICAgcmVzb2x2ZWQgImh0dHBzOi8vcmVnaXN0cnku\neWFybnBrZy5jb20vbm9kZS1mb3JnZS8tL25vZGUtZm9yZ2UtMC4yLjI0LnRn\neiNmYTZmODQ2ZjQyZmE5M2Y2M2EwYTMwYzlmYmZmN2I0ZTEzMGUwODU4Igog\nCi1zYW1sMi1qc0AxLjUuMDoKLSAgdmVyc2lvbiAiMS41LjAiCi0gIHJlc29s\ndmVkICJodHRwczovL3JlZ2lzdHJ5Lnlhcm5wa2cuY29tL3NhbWwyLWpzLy0v\nc2FtbDItanMtMS41LjAudGd6I2MwZDIyNjhhMTc5ZTczMjlkMjllYjI1YWE4\nMmRmNTUwMzc3NGIwZDkiCitzYW1sMi1qc0B+MS41LjA6CisgIHZlcnNpb24g\nIjEuNS4xIgorICByZXNvbHZlZCAiaHR0cHM6Ly9yZWdpc3RyeS55YXJucGtn\nLmNvbS9zYW1sMi1qcy8tL3NhbWwyLWpzLTEuNS4xLnRneiM3ZDliZGQ1MGY4\nNjMxZDNmNDA2OWFjMjc2ZDE4MmU1NmMwMTg5MzNlIgogICBkZXBlbmRlbmNp\nZXM6CiAgICAgYXN5bmMgIn4xLjUuMiIKICAgICBkZWJ1ZyAiXjEuMC40IgpA\nQCAtNTEsNyArNTEsNyBAQCB1bmRlcnNjb3JlQD49MS41Lng6CiAKIHVuZGVy\nc2NvcmVAfjEuNi4wOgogICB2ZXJzaW9uICIxLjYuMCIKLSAgcmVzb2x2ZWQg\nImh0dHBzOi8vcmVnaXN0cnkueWFybnBrZy5jb20vdW5kZXJzY29yZS8tL3Vu\nZGVyc2NvcmUtMS42LjAudGd6IzhiMzhiMTBjYWNkZWY2MzMzN2I4YjI0ZTRm\nZjg2ZDQ1YWVhNTI5YTgiCisgIHJlc29sdmVkICJodHRwOi8vcmVnaXN0cnku\nbnBtanMub3JnL3VuZGVyc2NvcmUvLS91bmRlcnNjb3JlLTEuNi4wLnRneiM4\nYjM4YjEwY2FjZGVmNjMzMzdiOGIyNGU0ZmY4NmQ0NWFlYTUyOWE4IgogCiB4\nbWwtY3J5cHRvQF4wLjguMToKICAgdmVyc2lvbiAiMC44LjUiCg==\n"
    }
  ]
}

In the future we could introduce remediation steps and list the updates, but this is out of scope.
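A parser for the report layout above, added here as an illustration and not the issue's or GitLab's own code: it checks the required fields, matches each fix's cve against the reported vulnerabilities, decodes the base64 diff and refuses patches whose file headers reach outside the repository root. The sample compare key, patch and report are constructed values.

```python
import base64
import json
import re

# Constructed sample values, not the issue's own; the compare key uses a placeholder UUID.
SAMPLE_CVE = "rails/Gemfile.lock:nokogiri:gemnasium:00000000-0000-0000-0000-000000000000"
SAMPLE_PATCH = """diff --git a/rails/Gemfile.lock b/rails/Gemfile.lock
--- a/rails/Gemfile.lock
+++ b/rails/Gemfile.lock
@@ -1 +1 @@
-    nokogiri (1.8.0)
+    nokogiri (1.8.1)
"""
FILE_HEADER = re.compile(r"^diff --git a/(\S+) b/(\S+)$", re.MULTILINE)

def sample_report(patch=SAMPLE_PATCH, fix_cve=SAMPLE_CVE):
    # A v2.0 report whose single remediation carries `patch` base64-encoded.
    return json.dumps({
        "version": "2.0",
        "vulnerabilities": [{"category": "dependency_scanning",
                             "name": "Example finding", "cve": SAMPLE_CVE}],
        "remediations": [{"fixes": [{"cve": fix_cve}], "summary": "Upgrade nokogiri",
                          "diff": base64.b64encode(patch.encode()).decode()}],
    })

def load_report(text):
    report = json.loads(text)
    if not isinstance(report.get("version"), str):
        raise ValueError("version (string) is required")
    if not isinstance(report.get("vulnerabilities"), list):
        raise ValueError("vulnerabilities (array) is required")
    known = {v["cve"] for v in report["vulnerabilities"]}
    for rem in report.get("remediations", []):  # optional at the top level
        if not rem.keys() >= {"fixes", "summary", "diff"}:
            raise ValueError("remediation needs fixes, summary and diff")
        # Every fix must point at a vulnerability reported in the same file.
        unknown = [f["cve"] for f in rem["fixes"] if f["cve"] not in known]
        if unknown:
            raise ValueError(f"fixes reference unknown vulnerabilities: {unknown}")
        # Encoders often wrap base64 at 60 columns (the issue's example does): drop whitespace, then decode strictly.
        patch = base64.b64decode("".join(rem["diff"].split()), validate=True).decode()
        files = FILE_HEADER.findall(patch)
        if not files:
            raise ValueError("diff is not a git unified diff")
        # The patch is applied in the repo root: refuse absolute paths and '..' segments.
        for path in {p for pair in files for p in pair}:
            if path.startswith("/") or ".." in path.split("/"):
                raise ValueError(f"diff touches a path outside the repo: {path}")
        rem["patch"], rem["files"] = patch, sorted({new for _, new in files})
    return report
```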

Edited by Fabien Catteau