Aggregate noisy DAST vulnerabilities into a single vulnerability

Problem to solve

For a website that exposes Server Leaks Version Information in response headers, a vulnerability will be created for every single request made by DAST/ZAP. This results in many Duplicate True Positives. There are other vulnerabilities that produce multiple results for similar reasons.

This is the first attempt to create a curated set of GitLab DAST vulnerabilities that should be considered as a single vulnerability no matter how many are detected in a single scan.

Vulnerabilities that should be grouped into a single vulnerability:

Intended users

Proposal

If any vulnerabilities from the grouped set above are found:

  • Group vulnerabilities using both the plugin ID and severity: #254043 (comment 417720701)
  • Only one vulnerability should be reported in the scan
  • The location reported with the vulnerability should contain the URL that is first in the alphabetically sorted list of server-leaking URLs. This ensures that vulnerability tracking will work across scans.
  • The evidence should contain the request/response/summary of the entry that is first in the alphabetically sorted list
  • The description or solution should include text that indicates how many URLs were affected
  • Add the vulnerable URLs to the nested details/extra details; otherwise users run a new scan only to find the vulnerability is still present on another URL
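As an added example (not code from this issue or from GitLab itself), the grouping rules above applied to a constructed DAST report in Ruby; the hash keys and the curated plugin set are assumed for illustration only:

```ruby
# Added example: collapse duplicate DAST findings that share a ZAP plugin ID
# and severity into one vulnerability, following the proposal above.
# The report layout (keys such as :plugin_id, :location, :evidence) is an
# assumption for illustration and is not the GitLab DAST report schema.

# Constructed sample: the same "Server Leaks Version Information" finding
# reported once per request, plus one unrelated finding.
SAMPLE_FINDINGS = [
  { name: 'Server Leaks Version Information', plugin_id: 10036, severity: 'low',
    description: 'The web server reveals its version.',
    location: { url: 'https://example.test/login' },
    evidence: { request: 'GET /login', response: 'Server: nginx/1.18.0' } },
  { name: 'Server Leaks Version Information', plugin_id: 10036, severity: 'low',
    description: 'The web server reveals its version.',
    location: { url: 'https://example.test/' },
    evidence: { request: 'GET /', response: 'Server: nginx/1.18.0' } },
  { name: 'Server Leaks Version Information', plugin_id: 10036, severity: 'low',
    description: 'The web server reveals its version.',
    location: { url: 'https://example.test/about' },
    evidence: { request: 'GET /about', response: 'Server: nginx/1.18.0' } },
  { name: 'X-Content-Type-Options Header Missing', plugin_id: 10021, severity: 'low',
    description: 'The header was not set.',
    location: { url: 'https://example.test/' },
    evidence: { request: 'GET /', response: 'HTTP/1.1 200 OK' } },
].freeze

# Plugin IDs whose findings are collapsed into one vulnerability per scan
# (assumed curated set; the issue leaves the real list to be decided).
GROUPED_PLUGIN_IDS = [10036].freeze

def aggregate_findings(findings, grouped_ids = GROUPED_PLUGIN_IDS)
  grouped, single = findings.partition { |f| grouped_ids.include?(f[:plugin_id]) }
  merged = grouped.group_by { |f| [f[:plugin_id], f[:severity]] }.map do |_, group|
    # Sort by URL so the reported location and evidence are stable across
    # scans, which is what keeps vulnerability tracking working.
    sorted = group.sort_by { |f| f[:location][:url] }
    first = sorted.first
    urls = sorted.map { |f| f[:location][:url] }
    first.merge(
      locations: sorted.map { |f| f[:location] },
      evidence: first[:evidence],
      description: "#{first[:description]} Affected URLs: #{urls.size}.",
      details: { affected_urls: urls }
    )
  end
  # Ungrouped findings pass through unchanged apart from a one-item locations list.
  single.map { |f| f.merge(locations: [f[:location]]) } + merged
end
```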

Technical details

Backend

  1. Update the monolith to support parsing DAST reports with both location and locations fields
  2. Update the location field on the DAST report schema to locations
  3. Update DAST to produce reports with a locations field
  4. Update VulnerabilitiesHelper#vulnerability_details method to include a boolean multiple_locations field
  5. TBD: Add a path to generate and download a CSV of all locations and add vulnerability_locations_csv_download_path to VulnerabilitiesHelper#vulnerability_details

Frontend

  • Update the VulnerabilityDetails component (ee/app/assets/javascripts/vulnerabilities/components/details.vue).
    • Extract the locations field from the vulnerability object.
    • When locations is not empty:
      • Include the DastModal component (ee/app/assets/javascripts/vue_shared/security_reports/components/dast_modal.vue) and populate its props:
        • locations -> scannerUrls
        • [ ]
        • vulnerability_locations_csv_download_path -> downloadLink
      • The location computed property returns the first item from locations.
      • Add the locations count to the title.
      • Add an (and X more) link next to the request URL; clicking the link opens the DastModal.
        • For accessibility reasons, the link should be role="button".
  • Specs
    • ee/spec/frontend/vue_shared/security_reports/components/vulnerability_details_spec.js
      • Title contains locations count.
      • Description contains (and X more) link.
      • Clicking on the link opens the modal.

Design

Vulnerability detail page: total vulnerability count added to title, and {#} link added to URL in Request section.
Modal: URL link opens modal with option to download all as CSV.
[Design mockups: Vuln-Details-Page_DAST, Vuln-Details-Page_DAST-modal]

Figma: https://www.figma.com/file/Bo2hAZSaUROU2vmfSjaiwm/Grouped-vulnerabilities?node-id=35%3A679

Design issue: #283946 (closed)

What is the type of buyer?

Gold/Ultimate

Edited by Annabel Dunstone Gray