Vuln export CVE column sometimes had non-CVE data
Defect Description
Tested on https://staging.gitlab.com/secure-team-test/security-reports/-/security/dashboard
Sometimes CVE data is in this field. Sometimes it has other data.
Perhaps the column is mislabeled?
Expected Behavior
- The `CVE` column should list only identifiers that have type of `cve`.
- The `CWE` column should list only identifiers that have type of `cwe`.
- The `Other Identifiers` column should list only identifiers that have type different from `cwe` or `cve`.
- Only the identifier or identifiers for a particular vulnerability appear in this column.
- All identifiers associated with a vulnerability (the `vulnerabilities.identifiers[]` array in the JSON reports) appear in this column.
- If more than one identifier, concatenate using a delimiter unlikely to be present in any of the identifiers (for instance: `;`).
Implementation plan
- backend: Extend `VulnerabilityExports::Exporters::CsvService::MAPPING` (https://gitlab.com/gitlab-org/gitlab/blob/7e36d346c29dbd7b884263fbccdaf9ea65281996/ee/app/services/vulnerability_exports/exporters/csv_service.rb#L16) with new fields (by adding new values to this Hash). Remember that `Other Identifiers` should return a list of `identifiers` separated by a separator like `;`.
- backend: Extend the `Vulnerability` model with new methods that return `finding_cve`, `finding_cwe` and `finding_identifiers`.
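To make the expected column rules and the implementation plan above concrete, here is an added, stand-alone Ruby sketch (not GitLab's code). It models the three proposed model methods (`finding_cve`, `finding_cwe`, `finding_identifiers`) as hypothetical functions over a constructed `identifiers[]` array, drives them through a hypothetical `MAPPING`-style hash of column header to lambda, and renders a CSV. The identifier values and finding titles are placeholders, not real CVEs or CWEs. It also goes one step beyond the issue text by detecting identifiers that already contain the chosen `;` separator, since that is the case where the concatenated column becomes ambiguous.

```ruby
require 'csv'

# Constructed sample input, shaped like the vulnerabilities.identifiers[] array
# of a GitLab security report. Identifier values are placeholders, not real ids.
SAMPLE_VULNERABILITIES = [
  {
    title: 'Finding A (constructed)',
    identifiers: [
      { type: 'cve', name: 'CVE-0000-0001' },
      { type: 'cwe', name: 'CWE-0001' },
      { type: 'gemnasium', name: 'gemnasium-placeholder-id' },
      { type: 'osvdb', name: 'OSVDB-placeholder' }
    ]
  },
  {
    title: 'Finding B (constructed)',
    identifiers: [
      { type: 'CWE', name: 'CWE-0002' },        # mixed-case type on purpose
      { type: 'cwe', name: 'CWE-0003' },
      { type: 'custom', name: 'vendor;odd-id' }  # contains the separator on purpose
    ]
  }
].freeze

# Delimiter chosen as the issue suggests: unlikely to occur inside an identifier.
SEPARATOR = ';'

module IdentifierColumns
  module_function

  # Names of identifiers whose type matches any of the given types (case-insensitive).
  def names_of_type(identifiers, *types)
    identifiers
      .select { |id| types.include?(id[:type].to_s.downcase) }
      .map { |id| id[:name] }
  end

  # Hypothetical counterparts of the finding_cve / finding_cwe / finding_identifiers
  # methods the plan proposes for the Vulnerability model.
  def finding_cve(vuln)
    names_of_type(vuln[:identifiers], 'cve').join(SEPARATOR)
  end

  def finding_cwe(vuln)
    names_of_type(vuln[:identifiers], 'cwe').join(SEPARATOR)
  end

  # Everything that is neither cve nor cwe goes to "Other Identifiers".
  def finding_identifiers(vuln)
    vuln[:identifiers]
      .reject { |id| %w[cve cwe].include?(id[:type].to_s.downcase) }
      .map { |id| id[:name] }
      .join(SEPARATOR)
  end

  # Identifier names that already contain the separator. These would make the
  # exported column ambiguous, so an exporter should surface them rather than
  # silently emit them.
  def separator_collisions(vuln)
    vuln[:identifiers].map { |id| id[:name] }.select { |n| n.include?(SEPARATOR) }
  end

  # Hypothetical stand-in for the MAPPING hash: column header => value lambda.
  MAPPING = {
    'Title' => ->(v) { v[:title] },
    'CVE' => ->(v) { finding_cve(v) },
    'CWE' => ->(v) { finding_cwe(v) },
    'Other Identifiers' => ->(v) { finding_identifiers(v) }
  }.freeze

  # Render the header row plus one row per vulnerability.
  def to_csv(vulns)
    CSV.generate do |csv|
      csv << MAPPING.keys
      vulns.each { |v| csv << MAPPING.values.map { |fn| fn.call(v) } }
    end
  end
end

puts IdentifierColumns.to_csv(SAMPLE_VULNERABILITIES)
```

Running the script prints a four-column CSV in which Finding A has one value in each of `CVE`, `CWE` and `Other Identifiers`, while Finding B has an empty `CVE` cell, two `;`-joined CWEs, and a single custom identifier; `separator_collisions` flags that custom identifier because it already contains `;`.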
Edited by Alan (Maciej) Paruszewski