Determine if manual Vulnerability creation mutation should respect security scanners schema
Question
Should `Mutations::Vulnerabilities::Create` respect the security scanner schema?
Current state
Currently our mutation arguments deviate from the schema in some places (thanks @bwill for pointing those out):

- A vulnerability has a `name` and not a `title`. Looking at the model, I can see that there is both a name and a title, but I'm not sure how the title normally gets set. The report parser does not seem to be responsible for doing it.
- On the security report, an identifier looks like this:

  ```json
  { "type": "cve", "name": "CVE-2019-20367", "value": "CVE-2019-20367", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20367" }
  ```

  and the identifier is created from these fields like this:

  ```ruby
  ::Gitlab::Ci::Reports::Security::Identifier.new(
    external_type: identifier['type'],
    external_id: identifier['value'],
    name: identifier['name'],
    url: identifier['url']
  )
  ```

  This is quite different from how `ManuallyCreateService` works. It derives the type from the name (despite there being an `externalType` field), and it also uses the name as the `external_id` (despite there being an `externalId` field).
- The way that the scanner data is collected is similarly inconsistent. `vulnerabilityCreate` has a top-level `scannerName` field, which is used as both the scanner name and the `external_id`. Whereas, on the security report, the scanner data is collected using this data in a field named `.scan.scanner`:

  ```json
  "scanner": {
    "id": "starboard_trivy",
    "name": "Trivy (via Starboard Operator)",
    "url": "https://github.com/aquasecurity/trivy",
    "vendor": { "name": "GitLab" },
    "version": "0.15.0"
  }
  ```
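The practical consequence of the two mappings disagreeing is that a vulnerability created through the mutation may not dedup against the same finding parsed from a report. The following is an added example, not GitLab's code and not part of the original issue: plain Ruby structs stand in for `::Gitlab::Ci::Reports::Security::Identifier` and the scanner, the report-parser mapping is copied from the snippet above, the `fingerprint` method (SHA-256 over type and id) is an assumed stand-in for whatever key dedup actually uses, the name-splitting rule in `identifier_from_name_only` is a placeholder for a derivation the issue does not show, and the `CWE-79` identifier is a constructed input whose `name` and `value` deliberately differ.

```ruby
require 'json'
require 'digest'

# Added example, not GitLab code. Plain structs stand in for the report
# identifier and scanner; the field names are the ones the report parser
# populates. The fingerprint is a hypothetical dedup key (type + id), assumed
# for illustration only.
Identifier = Struct.new(:external_type, :external_id, :name, :url, keyword_init: true) do
  def fingerprint
    Digest::SHA256.hexdigest("#{external_type}:#{external_id}")
  end
end

Scanner = Struct.new(:external_id, :name, :vendor, :version, keyword_init: true)

# The mapping the report parser applies, as quoted in the issue.
def identifier_from_report(hash)
  Identifier.new(external_type: hash['type'], external_id: hash['value'],
                 name: hash['name'], url: hash['url'])
end

# Schema-respecting mutation arguments: the caller supplies the same four fields.
def identifier_from_schema_args(external_type:, external_id:, name:, url: nil)
  Identifier.new(external_type: external_type, external_id: external_id,
                 name: name, url: url)
end

# Name-only mapping mirroring what the issue says ManuallyCreateService does:
# type derived from the name, name reused as external_id. The split-on-dash
# rule is a placeholder; the real derivation is not shown on the page.
def identifier_from_name_only(name:, url: nil)
  Identifier.new(external_type: name.split('-').first.to_s.downcase,
                 external_id: name, name: name, url: url)
end

# Scanner as collected from `.scan.scanner` in the report.
def scanner_from_report(hash)
  Scanner.new(external_id: hash['id'], name: hash['name'],
              vendor: hash.dig('vendor', 'name'), version: hash['version'])
end

# Scanner as built from the mutation's single `scannerName` argument:
# the same string ends up as both name and external_id.
def scanner_from_scanner_name(scanner_name)
  Scanner.new(external_id: scanner_name, name: scanner_name, vendor: nil, version: nil)
end

# Does a manually created identifier dedup against the same identifier parsed
# from a report? Returns the answer for both mutation styles.
def manual_matches_report?(report_identifier)
  from_report = identifier_from_report(report_identifier)
  from_schema = identifier_from_schema_args(
    external_type: report_identifier['type'], external_id: report_identifier['value'],
    name: report_identifier['name'], url: report_identifier['url'])
  from_name = identifier_from_name_only(name: report_identifier['name'],
                                        url: report_identifier['url'])
  { schema_args: from_report.fingerprint == from_schema.fingerprint,
    name_only:   from_report.fingerprint == from_name.fingerprint }
end

# Constructed samples: the CVE identifier and scanner quoted in the issue, plus
# a hypothetical identifier whose name and value differ.
CVE_IDENTIFIER = JSON.parse(
  '{"type":"cve","name":"CVE-2019-20367","value":"CVE-2019-20367",' \
  '"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20367"}'
)
VALUE_DIFFERS_IDENTIFIER = { 'type' => 'cwe', 'name' => 'CWE-79', 'value' => '79', 'url' => nil }
TRIVY_SCANNER = JSON.parse(
  '{"id":"starboard_trivy","name":"Trivy (via Starboard Operator)",' \
  '"url":"https://github.com/aquasecurity/trivy","vendor":{"name":"GitLab"},"version":"0.15.0"}'
)

if $PROGRAM_NAME == __FILE__
  p manual_matches_report?(CVE_IDENTIFIER)            # both styles agree when name == value
  p manual_matches_report?(VALUE_DIFFERS_IDENTIFIER)  # name-only mapping diverges
  p scanner_from_report(TRIVY_SCANNER).external_id
  p scanner_from_scanner_name(TRIVY_SCANNER['name']).external_id
end
```

For the CVE case the name-derived mapping happens to coincide with the report mapping, which is why the discrepancy is easy to miss; it only shows up once an identifier's `name` and `value` differ, or once the scanner's `id` and `name` differ, as they do for `starboard_trivy`.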