Vulnerability Page Line of Code Hyperlink Leads to Error - .NET framework SAST finding
Summary
After scanning a .NET Framework project (such as WebGoat.Net), the finding shown on the Security Dashboard includes the line of code where the finding was discovered. However, clicking that link on the findings screen leads to the repository screen with an error stating `.tests/webgoat.net/WebGoat/App_Code/CookieManager.cs" did not exist on "b96153e91994c196841ba463e01525df075029f8"`.
Steps to reproduce
- Run SAST using the template on a .NET Framework project (e.g. the Security team Test Project).
- View the Security Dashboard for the project or the pipeline.
- Pick any one of the SAST findings. Be sure to pick one from the .cs or .cs.aspx files.
- Click the hyperlink to the line of code in the "File" field on the vulnerability detail screen.
- See the error: `.tests/webgoat.net/WebGoat/App_Code/CookieManager.cs" did not exist on "b96153e91994c196841ba463e01525df075029f8"`
Example Project
https://gitlab.com/gitlab-org/security-products/tests/webgoat.net
What is the current bug behavior?
- Navigating to the line of code shows an error
- JSON report needs updated URLs
What is the expected correct behavior?
Navigating to the line of code should take the user to the appropriate location in the file.
Possible fixes
The suggested fix is to look at the metadata that comes from the scanner, since the file path it reports is what the link is built from.
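One way to catch this class of problem before a report is uploaded, as an added example that is not GitLab's or the scanner's own code: a Python check that walks a SAST report's `vulnerabilities[].location.file` values, verifies each one exists in the checked-out tree, and repairs paths that carry a spurious leading prefix by finding the longest trailing suffix that is a real file. The report below is a constructed sample shaped like the GitLab SAST report format (with the path quoted in this issue reproduced), the file tree is a constructed stand-in for the commit's checkout, and the suffix-matching repair is an assumption about what a working-directory prefix looks like, not a statement of what the scanner actually emits.

```python
import json
import os
import posixpath
from typing import Optional

# Constructed sample report, shaped like the GitLab SAST report format
# (vulnerabilities[].location.file / start_line). The first path reproduces
# the one quoted in this issue; the second is a correct repo-relative path.
SAMPLE_REPORT = {
    "version": "15.0.0",
    "vulnerabilities": [
        {
            "id": "constructed-1",
            "name": "Example finding A",
            "location": {
                "file": ".tests/webgoat.net/WebGoat/App_Code/CookieManager.cs",
                "start_line": 42,
            },
        },
        {
            "id": "constructed-2",
            "name": "Example finding B",
            "location": {"file": "WebGoat/Default.aspx.cs", "start_line": 7},
        },
    ],
}

# Constructed stand-in for the set of files in the checkout at the scanned commit.
SAMPLE_TREE = {
    "WebGoat/App_Code/CookieManager.cs",
    "WebGoat/Default.aspx.cs",
}


def normalize(path: str) -> str:
    """Collapse './', '//', 'a/../' and backslashes so comparisons use one canonical form."""
    norm = posixpath.normpath(path.replace("\\", "/"))
    return norm.lstrip("/")


def resolve_path(reported: str, tree: set) -> Optional[str]:
    """Return the repo-relative path the report should carry, or None if the
    file cannot be located in the tree.

    A path that already exists is returned as-is. Otherwise the longest
    trailing suffix of the reported path that is an exact entry in the tree
    is taken, which repairs a scanner that prefixed the path with its own
    working directory (the symptom described in this issue). Matching is on
    full paths, so two files sharing a basename cannot be confused.
    """
    norm = normalize(reported)
    if norm in tree:
        return norm
    parts = norm.split("/")
    for i in range(1, len(parts)):
        candidate = "/".join(parts[i:])
        if candidate in tree:
            return candidate
    return None


def audit_report(report: dict, tree: set) -> dict:
    """Check every finding's location against the tree.

    Returns 'ok' (paths valid as-is), 'fixed' ({reported: corrected}) and
    'unresolved' (paths that match nothing), so a report can be corrected
    before upload instead of producing dead "did not exist on <sha>" links.
    """
    result = {"ok": [], "fixed": {}, "unresolved": []}
    for vuln in report.get("vulnerabilities", []):
        reported = vuln.get("location", {}).get("file")
        if not reported:
            result["unresolved"].append("<missing location.file>")
            continue
        resolved = resolve_path(reported, tree)
        if resolved is None:
            result["unresolved"].append(reported)
        elif resolved == reported:
            result["ok"].append(reported)
        else:
            result["fixed"][reported] = resolved
    return result


def rewrite_report(report: dict, tree: set) -> dict:
    """Return a deep copy of the report with every correctable location.file fixed."""
    fixed = json.loads(json.dumps(report))
    audit = audit_report(report, tree)
    for vuln in fixed.get("vulnerabilities", []):
        loc = vuln.get("location", {})
        if loc.get("file") in audit["fixed"]:
            loc["file"] = audit["fixed"][loc["file"]]
    return fixed


def tree_from_disk(root: str) -> set:
    """Build the path set from a real checkout (the sample run uses SAMPLE_TREE instead)."""
    paths = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            paths.add(rel.replace(os.sep, "/"))
    return paths


if __name__ == "__main__":
    print(json.dumps(audit_report(SAMPLE_REPORT, SAMPLE_TREE), indent=2))
```

Run against a real checkout by replacing `SAMPLE_TREE` with `tree_from_disk(".")` from the repository root; anything left in `unresolved` is a path the dashboard link will never be able to open and is worth sending back to the scanner integration rather than silently dropping.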