DAST evidence no longer appears on the MR widget
Summary
Recent changes to the Secure backend code have resulted in the DAST "evidence" no longer being displayed on the GitLab MR widget. Evidence is important because it helps a user verify whether or not the vulnerability is a false positive.
Example
In the following screenshot, the Set-Cookie: ... text is an example of the field that is no longer displayed.
Steps to reproduce
- Create a new test project.
- Set the contents of .gitlab-ci.yml to the following:

    dast:
      script:
        - cp report.json gl-dast-report.json
      artifacts:
        reports:
          dast: gl-dast-report.json
- Set the contents of report.json to the following:

    {
      "@generated": "Tue, 22 Oct 2019 01:01:55",
      "@version": "D-2019-09-23",
      "site": [
        {
          "@host": "nginx",
          "@name": "http://nginx",
          "@port": "80",
          "@ssl": "false",
          "alerts": []
        }
      ],
      "spider": {
        "progress": "100",
        "result": {
          "urlsInScope": [],
          "urlsIoError": [],
          "urlsOutOfScope": []
        },
        "state": "FINISHED"
      }
    }
- Make sure both files are committed and pushed, and that the pipeline on the master branch has run successfully. The security dashboard should have no errors.
- On a new branch, update report.json to the following:

    {
      "@generated": "Tue, 22 Oct 2019 01:01:55",
      "@version": "D-2019-09-23",
      "site": [
        {
          "@host": "nginx",
          "@name": "http://nginx",
          "@port": "80",
          "@ssl": "false",
          "alerts": [
            {
              "alert": "Anti CSRF Tokens Scanner",
              "confidence": "2",
              "count": "1",
              "cweid": "352",
              "desc": "<p>A cross-site request forgery is an attack that involves forcing a victim...</p>",
              "instances": [
                {
                  "attack": "",
                  "evidence": "<form action=\"/myform\" method=\"POST\">",
                  "method": "GET",
                  "param": "",
                  "uri": "http://nginx"
                }
              ],
              "name": "Anti CSRF Tokens Scanner",
              "otherinfo": "",
              "pluginid": "20012",
              "reference": "<p>http://projects.webappsec.org/Cross-Site-Request-Forgery</p>",
              "riskcode": "3",
              "riskdesc": "High (Medium)",
              "solution": "<p>Phase: Architecture and Design</p><p>Use a vetted library or framework ...</p>",
              "sourceid": "1",
              "wascid": "9"
            }
          ]
        }
      ],
      "spider": {
        "progress": "100",
        "result": {
          "urlsInScope": [],
          "urlsIoError": [],
          "urlsOutOfScope": []
        },
        "state": "FINISHED"
      }
    }
- Commit and push the branch, create an MR, and wait for the pipeline to run.
- The security widget on the MR should contain one new vulnerability for DAST. This vulnerability should be called Anti CSRF Tokens Scanner.
- Click on the new vulnerability. On the popup screen, <form action="/myform" method="POST"> should be displayed as the evidence of the vulnerability.
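When triaging this bug it helps to confirm that the evidence really is present in the report artifact, so that a blank popup can be attributed to the widget rather than to the scanner output. The script below is an added example written for this issue, not GitLab code; it assumes only the ZAP-style report layout shown in the steps above (evidence lives on each entry of an alert's "instances" array, not on the alert itself) and embeds trimmed, constructed copies of the two reports used in the reproduction.

```python
import json

# Constructed sample inputs, trimmed from the two reports in the reproduction
# steps: the empty baseline on master and the branch report with one CSRF
# finding. Raw strings keep the JSON's escaped quotes intact.
BASELINE_REPORT = r"""{
  "@generated": "Tue, 22 Oct 2019 01:01:55",
  "@version": "D-2019-09-23",
  "site": [{"@host": "nginx", "@name": "http://nginx", "@port": "80",
            "@ssl": "false", "alerts": []}],
  "spider": {"progress": "100", "state": "FINISHED"}
}"""

BRANCH_REPORT = r"""{
  "@generated": "Tue, 22 Oct 2019 01:01:55",
  "@version": "D-2019-09-23",
  "site": [{
    "@host": "nginx", "@name": "http://nginx", "@port": "80", "@ssl": "false",
    "alerts": [{
      "alert": "Anti CSRF Tokens Scanner",
      "cweid": "352",
      "riskdesc": "High (Medium)",
      "instances": [{
        "attack": "",
        "evidence": "<form action=\"/myform\" method=\"POST\">",
        "method": "GET",
        "param": "",
        "uri": "http://nginx"
      }],
      "name": "Anti CSRF Tokens Scanner"
    }]
  }],
  "spider": {"progress": "100", "state": "FINISHED"}
}"""


def extract_findings(report_text):
    """Flatten a ZAP-style DAST report into one record per alert instance.

    Evidence is an instance-level field; a consumer that only reads the
    alert-level keys never sees it. Each record carries the alert metadata a
    reviewer needs next to the instance's evidence. An alert with no
    "instances" array still yields one record, with evidence set to None.
    """
    report = json.loads(report_text)
    findings = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            name = alert.get("name") or alert.get("alert") or "<unnamed alert>"
            for instance in alert.get("instances") or [{}]:
                findings.append({
                    "site": site.get("@name"),
                    "name": name,
                    "cwe": alert.get("cweid"),
                    "risk": alert.get("riskdesc"),
                    "method": instance.get("method"),
                    "uri": instance.get("uri"),
                    "evidence": instance.get("evidence") or None,
                })
    return findings


def findings_without_evidence(findings):
    """Findings the MR popup could not show evidence for even when working."""
    return [f for f in findings if f["evidence"] is None]


def format_finding(finding):
    """One-line rendering comparable to what the MR popup should display."""
    evidence = finding["evidence"] or "(no evidence in report)"
    return "%s [CWE-%s, %s] %s %s | evidence: %s" % (
        finding["name"], finding["cwe"], finding["risk"],
        finding["method"], finding["uri"], evidence)


if __name__ == "__main__":
    for label, text in (("master", BASELINE_REPORT), ("branch", BRANCH_REPORT)):
        found = extract_findings(text)
        print("%s: %d finding(s)" % (label, len(found)))
        for finding in found:
            print("  " + format_finding(finding))
```

Run against the real artifact (replace the embedded strings with the contents of gl-dast-report.json downloaded from the pipeline): if the branch output lists the CSRF finding with its form tag as evidence while the popup stays blank, the report is fine and the defect is in the widget or the backend that feeds it.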
What is the current bug behavior?
When clicking on the MR vulnerability, no evidence is displayed.
What is the expected correct behavior?
The evidence should display.
Edited by Dheeraj Joshi