Attribute code from a gosec finding is not displayed in GitLab
Summary
Not all attributes that gosec provides for findings are displayed in GitLab. Here is the raw output from gosec for a finding:
```json
{
  "severity": "MEDIUM",
  "confidence": "HIGH",
  "cwe": {
    "ID": "78",
    "URL": "https://cwe.mitre.org/data/definitions/78.html"
  },
  "rule_id": "G204",
  "details": "Subprocess launched with function call as argument or cmd arguments",
  "file": "/Users/da/git/gitaly/internal/supervisor/supervisor.go",
  "code": "exec.Command(p.args[0], p.args[1:]...)",
  "line": "89",
  "column": "9"
}
```
In particular, `code` is not displayed in GitLab. It would be useful to have this information.
Steps to reproduce
- Open a gosec finding in the Security Dashboard
- Note that `code` is not displayed
Example Project
Implementation Plan
- Update `common` and `security-report-schema` with the `issue.source_code_extract` field
- Bump `common` for `gosec` and include a mapping of `code` to `source_code_extract`
- Consume the `source_code_extract` field within the UI[^1]

[^1]: NOTE: depending on the outcome of gitlab-org/security-products/analyzers/common!126 (comment 425749064) this will require some sanitization of the relevant data
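As an added illustration of the mapping step and of the sanitization the note anticipates (example code written for this issue, not code from the `common` analyzer or `security-report-schema` projects): the gosec field names come from the raw finding above, while the trimmed-down `Vulnerability` shape and the 512-rune cap are assumptions made here; only `source_code_extract` itself is the field this issue proposes.

```go
package main

import (
	"encoding/json"
	"strings"
	"unicode"
)

// GosecFinding mirrors the gosec JSON field names quoted in the issue (other fields omitted).
type GosecFinding struct {
	RuleID string `json:"rule_id"`
	File   string `json:"file"`
	Line   string `json:"line"` // gosec emits the line number as a string
	Code   string `json:"code"`
}

// Vulnerability is an assumed, trimmed-down report entry; source_code_extract is the field this issue proposes.
type Vulnerability struct {
	Name              string `json:"name"`
	File              string `json:"file"`
	StartLine         string `json:"start_line"`
	SourceCodeExtract string `json:"source_code_extract"`
}

// sanitizeExtract keeps the snippet as plain text: control characters other than tab and newline are dropped
// (they can corrupt terminal or UI rendering), then it is trimmed and capped at 512 runes (limit chosen here).
func sanitizeExtract(code string) string {
	var b strings.Builder
	for _, r := range code {
		if r == '\n' || r == '\t' || !unicode.IsControl(r) {
			b.WriteRune(r)
		}
	}
	rs := []rune(strings.TrimSpace(b.String()))
	if len(rs) > 512 {
		rs = rs[:512]
	}
	return string(rs) // HTML escaping is left to the renderer, which knows its output context
}

// ConvertFinding parses one raw gosec finding and carries its code attribute into source_code_extract.
func ConvertFinding(raw []byte) (Vulnerability, error) {
	var f GosecFinding
	if err := json.Unmarshal(raw, &f); err != nil {
		return Vulnerability{}, err
	}
	return Vulnerability{Name: f.RuleID, File: f.File, StartLine: f.Line, SourceCodeExtract: sanitizeExtract(f.Code)}, nil
}
```

Feeding the finding above through `ConvertFinding` yields an entry whose `source_code_extract` is `exec.Command(p.args[0], p.args[1:]...)`, ready for the UI to render as plain text.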
Edited by Lucas Charles