Dismissed vulnerabilities still shown in the Pipeline security tab
Summary
Some dismissed vulnerabilities are still shown in the pipeline security tab. After checking the report data we saw that the `cve` attribute is empty. Populating the `cve` attribute with anything fixes this.
This is seen when using the KICS analyzer.
The problem was noticed by a SaaS Ultimate customer, and reported through (only for GitLab employees with Zendesk access) zd-325387. I was able to reproduce this on my local instance as well.
Steps to reproduce
- Create a project which contains the following files.

  `gl-sast-report.json`

  ```json
  {
    "version": "14.0.4",
    "vulnerabilities": [
      {
        "id": "5fe4b727cff1b7dfce79a1337718a8b8ba89318dc3de67b8676f388f38454a39",
        "category": "sast",
        "message": "AWS CloudWatch Log groups should be encrypted using KMS",
        "description": "Attribute 'kms_key_id' is undefined",
        "cve": "",
        "severity": "Critical",
        "scanner": {
          "id": "kics",
          "name": "kics"
        },
        "location": {
          "file": "terraform/modules/lambda-apigw/main.tf",
          "start_line": 38
        },
        "identifiers": [
          {
            "type": "kics_id",
            "name": "CloudWatch Log Group Not Encrypted",
            "value": "0afbcfe9-d341-4b92-a64c-7e6de0543879",
            "url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group"
          }
        ]
      },
      {
        "id": "144515fa43cc3a1cf0f8a95528cac51291efa8ae0ac6cb4975823c7ccbfd3a1d",
        "category": "sast",
        "message": "AWS CloudWatch Log groups should be encrypted using KMS",
        "description": "Attribute 'kms_key_id' is undefined",
        "cve": "",
        "severity": "Critical",
        "scanner": {
          "id": "kics",
          "name": "kics"
        },
        "location": {
          "file": "terraform/modules/lambda-function/main.tf",
          "start_line": 32
        },
        "identifiers": [
          {
            "type": "kics_id",
            "name": "CloudWatch Log Group Not Encrypted",
            "value": "0afbcfe9-d341-4b92-a64c-7e6de0543879",
            "url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group"
          }
        ]
      },
      {
        "id": "eeee448b7ab70e59cdc55b90d6a1a7acef4fc42ad2754e6750a3d42d37ac7661",
        "category": "sast",
        "message": "IAM Database Auth Enabled must be configured to true",
        "description": "'iam_database_authentication_enabled' is set to false",
        "cve": "",
        "severity": "Critical",
        "scanner": {
          "id": "kics",
          "name": "kics"
        },
        "location": {
          "file": "terraform/modules/postgresdb/main.tf",
          "start_line": 13
        },
        "identifiers": [
          {
            "type": "kics_id",
            "name": "IAM Database Auth Not Enabled",
            "value": "88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6",
            "url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#iam_database_authentication_enabled"
          }
        ]
      },
      {
        "id": "056d47641802b49f020b40785e994b309035aaf51d368e9d8a579e013e05a562",
        "category": "sast",
        "message": "S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket=<BUCKET_NAME> --mfa=<MFA_SERIAL_NUMBER>'. Please, also notice that MFA delete can not be used with lifecycle configurations",
        "description": "'enabled' is set to false",
        "cve": "",
        "severity": "Critical",
        "scanner": {
          "id": "kics",
          "name": "kics"
        },
        "location": {
          "file": "terraform/global/aspera_bucket.tf",
          "start_line": 10
        },
        "identifiers": [
          {
            "type": "kics_id",
            "name": "S3 Bucket Without Enabled MFA Delete",
            "value": "c5b31ab9-0f26-4a49-b8aa-4cc064392f4d",
            "url": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#mfa_delete"
          }
        ]
      }
    ]
  }
  ```

  `.gitlab-ci.yml`

  ```yaml
  stages:
    - test

  sast-test:
    stage: test
    script:
      - echo "dummy sast job"
    artifacts:
      reports:
        sast: gl-sast-report.json
  ```
- Run a pipeline and check its security tab.
- Dismiss all the vulnerabilities. Note that:
  - Only one of the 2 `AWS CloudWatch Log groups should be encrypted using KMS` vulnerabilities is removed from the list.
  - When clicking on one of the vulnerabilities in the list, the modal window shows status `Dismissed`.
- Edit the `gl-sast-report.json` file and add anything in the `cve` field.
- Dismiss all the vulnerabilities.
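The workaround from the summary (put something in the empty `cve` field) can be applied as a CI step before the report is uploaded. The script below is an added example, not part of this issue and not GitLab's or KICS's own code: it lists the findings whose `cve` attribute is empty and fills each one with a deterministic value derived from the scanner id, the primary identifier and the location, so that two findings of the same rule in different files no longer share an identical empty `cve`. The derivation scheme is an assumption of this example, and the embedded report is a constructed sample modelled on the one above.

```python
"""Added example (not from the original issue or from GitLab's code).

Lint a gl-sast-report.json for findings whose `cve` attribute is empty and,
as a CI-side workaround for the dismissal bug, populate the empty field with
a deterministic per-location value. The derivation scheme is an assumption
of this example; the report below is a constructed sample.
"""
import copy
import hashlib
import json
import sys

# Constructed sample: two KICS findings share a kics_id but sit in different
# files and both have an empty cve; a third finding already has the field set.
SAMPLE_REPORT = {
    "version": "14.0.4",
    "vulnerabilities": [
        {
            "id": "finding-a",
            "category": "sast",
            "message": "AWS CloudWatch Log groups should be encrypted using KMS",
            "cve": "",
            "severity": "Critical",
            "scanner": {"id": "kics", "name": "kics"},
            "location": {"file": "terraform/modules/lambda-apigw/main.tf", "start_line": 38},
            "identifiers": [{"type": "kics_id", "name": "CloudWatch Log Group Not Encrypted",
                             "value": "0afbcfe9-d341-4b92-a64c-7e6de0543879"}],
        },
        {
            "id": "finding-b",
            "category": "sast",
            "message": "AWS CloudWatch Log groups should be encrypted using KMS",
            "cve": "",
            "severity": "Critical",
            "scanner": {"id": "kics", "name": "kics"},
            "location": {"file": "terraform/modules/lambda-function/main.tf", "start_line": 32},
            "identifiers": [{"type": "kics_id", "name": "CloudWatch Log Group Not Encrypted",
                             "value": "0afbcfe9-d341-4b92-a64c-7e6de0543879"}],
        },
        {
            "id": "finding-c",
            "category": "sast",
            "message": "IAM Database Auth Enabled must be configured to true",
            "cve": "constructed-already-populated",
            "severity": "Critical",
            "scanner": {"id": "kics", "name": "kics"},
            "location": {"file": "terraform/modules/postgresdb/main.tf", "start_line": 13},
            "identifiers": [{"type": "kics_id", "name": "IAM Database Auth Not Enabled",
                             "value": "88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6"}],
        },
    ],
}


def empty_cve_findings(report):
    """Return the findings whose cve attribute is missing or empty."""
    return [v for v in report.get("vulnerabilities", []) if not v.get("cve")]


def derive_cve(vuln):
    """Build a stable, per-location value for the cve field.

    Assumed scheme (not GitLab's): SHA-256 over scanner id, primary
    identifier and location, so findings of the same rule in different
    files get distinct values instead of colliding on an empty string.
    """
    ident = vuln["identifiers"][0]
    loc = vuln["location"]
    raw = ":".join([
        vuln["scanner"]["id"],
        ident["type"],
        ident["value"],
        loc["file"],
        str(loc.get("start_line", 0)),
    ])
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def fill_empty_cves(report):
    """Return a deep copy of the report with every empty cve populated."""
    fixed = copy.deepcopy(report)
    for vuln in fixed.get("vulnerabilities", []):
        if not vuln.get("cve"):
            vuln["cve"] = derive_cve(vuln)
    return fixed


def cves_are_unique(report):
    """True when no two findings in the report share a cve value."""
    cves = [v.get("cve", "") for v in report.get("vulnerabilities", [])]
    return len(cves) == len(set(cves))


if __name__ == "__main__":
    # Usage: python fix_cve.py gl-sast-report.json > gl-sast-report.fixed.json
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    empties = empty_cve_findings(report)
    print(f"{len(empties)} finding(s) with an empty cve attribute", file=sys.stderr)
    json.dump(fill_empty_cves(report), sys.stdout, indent=2)
```

Run it against the real report as a job step after the scanner and before the `artifacts:reports:sast` upload; `cves_are_unique` is the check worth keeping in the pipeline, since a report that still carries duplicate `cve` values is exactly the shape that triggered this bug.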
Example Project
https://gitlab.com/gitlab-org/security-products/tests/iac/
What is the current bug behavior?
What is the expected correct behavior?
Any vulnerability should be dismissable.
Relevant logs and/or screenshots
Output of checks
Results of GitLab environment info
Results of GitLab application Check