Container scanning report violates schema when URLs are blank
Summary
https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/pipelines/432106470/security shows several security report schema violations. Upon downloading the artifacts, it seems that this occurs because `.vulnerabilities[].identifiers[].url` is an empty string.
There are two issues:
- The tests don't detect this. I removed all the links from one of the vulnerability report fixtures so that it produces an identifier with an empty URL. The tests assert that this matches the schema. It seems that there is a misalignment between the JSON Schema library that we use in Gcs and the JSON Schema library that we use on Rails (are they not the same?)
diff --git a/spec/fixtures/trivy-alpine.json b/spec/fixtures/trivy-alpine.json index 758a0ee..ecd2255 100644 --- a/spec/fixtures/trivy-alpine.json +++ b/spec/fixtures/trivy-alpine.json @@ -31,42 +31,7 @@ "url": "" } ], - "links": [{ - "url": "http://www.securitytracker.com/id/1041605" - },{ - "url": "https://access.redhat.com/errata/RHSA-2018:3558" - },{ - "url": "https://access.redhat.com/errata/RHSA-2019:1880" - },{ - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14618" - },{ - "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf" - },{ - "url": "https://curl.haxx.se/docs/CVE-2018-14618.html" - },{ - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14618" - },{ - "url": "https://github.com/curl/curl/issues/2756" - },{ - "url": "https://linux.oracle.com/cve/CVE-2018-14618.html" - },{ - "url": "https://linux.oracle.com/errata/ELSA-2019-1880.html" - },{ - "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0014" - },{ - "url": "https://security.gentoo.org/glsa/201903-03" - },{ - "url": "https://usn.ubuntu.com/3765-1/" - },{ - "url": "https://usn.ubuntu.com/3765-2/" - },{ - "url": "https://usn.ubuntu.com/usn/usn-3765-1" - },{ - "url": "https://usn.ubuntu.com/usn/usn-3765-2" - },{ - "url": "https://www.debian.org/security/2018/dsa-4286" - } - ] + "links": [] }, { "id": "CVE-2018-16839",
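Review bot: the only lines changed in this hunk replace the 17 `links` entries with `"links": []`; the identifier with `"url": ""` in the leading context is already in the fixture unchanged, so this hunk does not introduce the empty-URL case by itself, and a fixture edit alone cannot show the gap the description reports. Pair it with an assertion in the spec that a report carrying an identifier with `"url": ""` fails schema validation (or, if the Gcs schema library accepts it, a comment next to the fixture stating that Rails rejects it), otherwise the test that "asserts that this matches the schema" keeps passing and the change only documents the problem.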
- Rails thinks these reports are invalid, so it will reject them when we begin to enforce validation of security reports (&6968 (closed))
Steps to reproduce
Example Project
What is the current bug behavior?
https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/pipelines/432106470/security shows that security reports do not match the schema.
What is the expected correct behavior?
All security reports output by Gcs should match the schema.
Possible fixes
- Always populate the url (e.g. use `"https://nvd.nist.gov/vuln/detail/#{identifier['id']}"` as default)
- Omit the `url` from identifiers if there isn't one
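As an added example (not Gcs code and not the Rails validator), the following Ruby script shows both halves of this issue on a constructed report: a check that finds every identifier whose `url` key is present but blank (the case the tests above fail to catch), and the two candidate fixes listed above, applied as a post-processing pass. The report is constructed for illustration; the NVD default is only applied to identifiers of type `cve`, because NVD only hosts CVE entries, and it uses the identifier's `value` field from the report rather than the internal `identifier['id']` mentioned above. The requirement encoded in `blank_url?` (a `url`, when present, must be a non-empty string) is an assumption about the schema, not quoted from it.

```ruby
require 'json'

# Constructed sample (not a real Gcs artifact): one CVE identifier with an empty
# url, one RHSA identifier with an empty url, and one identifier with no url key.
SAMPLE_REPORT = JSON.parse(<<~'JSON')
  {
    "vulnerabilities": [
      {
        "id": "CVE-2018-14618",
        "identifiers": [
          { "type": "cve",  "name": "CVE-2018-14618", "value": "CVE-2018-14618", "url": "" },
          { "type": "rhsa", "name": "RHSA-2018:3558", "value": "RHSA-2018:3558", "url": "" },
          { "type": "usn",  "name": "USN-3765-1",     "value": "USN-3765-1" }
        ],
        "links": []
      }
    ]
  }
JSON

# Assumption about the schema: an identifier url, when present, must be a
# non-empty string. A missing key is fine; an empty string is not.
def blank_url?(identifier)
  identifier.key?('url') && !(identifier['url'].is_a?(String) && !identifier['url'].empty?)
end

def each_identifier(report)
  report.fetch('vulnerabilities', []).each do |vuln|
    vuln.fetch('identifiers', []).each { |ident| yield ident }
  end
end

# Check: returns [vulnerability_index, identifier_index] for every identifier
# whose url key is present but blank, i.e. the entries Rails would reject.
def empty_identifier_urls(report)
  report.fetch('vulnerabilities', []).each_with_index.flat_map do |vuln, vi|
    vuln.fetch('identifiers', []).each_with_index
        .select { |ident, _ii| blank_url?(ident) }
        .map { |_ident, ii| [vi, ii] }
  end
end

# Work on a copy so the original report object is never mutated.
def deep_copy(report)
  JSON.parse(JSON.generate(report))
end

# Fix 1: default the url. Only CVE identifiers get an NVD URL because NVD only
# hosts CVE entries; blank urls on other identifier types are left as they are.
def default_identifier_urls(report)
  copy = deep_copy(report)
  each_identifier(copy) do |ident|
    next unless blank_url?(ident) && ident['type'] == 'cve'
    ident['url'] = "https://nvd.nist.gov/vuln/detail/#{ident['value']}"
  end
  copy
end

# Fix 2: omit the url key whenever it would be blank.
def omit_blank_identifier_urls(report)
  copy = deep_copy(report)
  each_identifier(copy) { |ident| ident.delete('url') if blank_url?(ident) }
  copy
end

# Combined pass: default what can be defaulted, then drop what cannot.
def normalize_identifier_urls(report)
  omit_blank_identifier_urls(default_identifier_urls(report))
end

if $PROGRAM_NAME == __FILE__
  puts "blank identifier urls: #{empty_identifier_urls(SAMPLE_REPORT).inspect}"
  puts JSON.pretty_generate(normalize_identifier_urls(SAMPLE_REPORT))
end
```

Running it on the sample flags `[[0, 0], [0, 1]]`; the NVD default alone clears only the CVE entry and leaves the RHSA identifier flagged, which is why a default-URL fix on its own is not sufficient and the combined pass still needs the omit step. `empty_identifier_urls` is the kind of assertion the fixture test should make directly, independent of whichever JSON Schema library Gcs uses.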