For a public repository, where security issues are found, it doesn't appear you can fork it into a private repo so you can create a private pull request to fix the issue.
Summary
I cloned an OWASP Web Application project (OWASP Benchmark) into gitlab at: https://gitlab.com/wichers/benchmark
And the first thing I did was to enable the AppSec tools scanner w/AutoDevOps enabled. Most of the scans ran fine, and when I looked at the Container Security issues identified I ran into three issues.
Steps to reproduce
- Run the AppSec tools on a project that includes 1 or more Docker containers
- Immediately after it is complete, look at a Container Security issue:
  - Issue 1) The container being scanned was not listed in the issue.
  - Issue 2) The 'Create issue' function simply returns 'Error'.
- For a public repository, where security issues are found, it doesn't appear you can fork it into a private repo so you can create a private pull request to fix the issue.
Example Project
https://gitlab.com/wichers/benchmark
What is the current bug behavior?
Issue: 1) The Docker image that was scanned did not appear to be listed initially in the container security issue. Eventually (not sure when), the image info was added to the finding, e.g.:
Image: registry.gitlab.com/wichers/benchmark/master:8dcf63f1d0f3f9a46c3e6d31df10753f19d2aa41
This made it very confusing to understand what GitLab had analyzed in the first place, relative to the issue being reported. After it finally added this info, things were clearer.
Issue: 2) When I initially tried to 'Create issue' using the button at the bottom right, it simply said 'Error', with no explanation. Later on (I tried 3 days later), it worked fine.
This was confusing/unexpected.
Issue: 3) When I try to create a private pull request, it says I have to create a private fork. So I go here: https://gitlab.com/wichers/benchmark/-/forks/new - and it says this:
Fork project
A fork is a copy of a project. Forking a repository allows you to make changes without affecting the original project. No available namespaces to fork the project. You must have permission to create a project in a namespace before forking.
Is there a way, or can you change your policy, to allow private forks of public repos for specifically this purpose, so open source developers can work on fixing security issues in their open source projects (privately)?
Or am I simply doing it wrong?
What is the expected correct behavior?
Issue 1) If adding the registry reference is delayed, put a placeholder in the finding that indicates it's coming, but still being processed. Maybe something like:
Image: registry.gitlab.com/wichers/benchmark/master:PLACEHOLDER (The image ID is still being calculated. Once Docker image is stored, PLACEHOLDER will be filled in.) [Or whatever you think makes the most sense to say.]
Or, even better, if there is a way to get this to show up IMMEDIATELY, that would be even better.
Issue 2) If 'Create issue' won't work for a new issue for a little while until things 'catch up', gray out the button and explain what it is waiting on, or provide a useful error message explaining why it can't create the issue now, and when they can expect to be able to.
Issue 3) For creating a private fork of a public project, that it would be allowed? Maybe only for autocreated security issues or something? Not sure what the business reason is for not allowing open source projects to do this.
Relevant logs and/or screenshots
None
Output of checks
This bug happens on GitLab.com.
Possible fixes
See correct behavior explanation.
Linked Issues
- For a public repository, where security issues are found, it doesn't appear you can fork it into a private repo so you can create a private pull request to fix the issue.
- "The container being scanned was not listed in the issue"
- When I initially tried to 'Create issue' using the button at the bottom right, it simply said 'Error', with no explanation