
Store OWASP Top 10 in backend for vulnerability grouping

Summary

Follow-up to Spike: Investigate storing OWASP top 10 labels ... (#423557 - closed)

As part of Vulnerability report grouping (&10164), we need to store the OWASP Top 10 category of each vulnerability in the backend and expose it to the frontend, either through a dedicated endpoint or by injecting it during page load.

Proposed Design:

[Attachment: design_1692329456491.png]

Context

See #267588 [attachment: Group_by_OWASP_top_10_MVC.png] (comment 1475129368) for more context: expand the Resolved Comments section and look for thread number 3.

Implementation plan

  1. [database, backend] Add a column owasp_top_ten to the vulnerability_reads table, used the same way as the existing grouping columns report_type (tool), severity and state (status).

    • The backend model should declare the column as an enum of the OWASP Top 10 category names for both the 2017 and the 2021 lists; the enum values below are the integers stored in the column.
    • We may have to create an additional index on this column to support the grouping later, during the GraphQL filter API implementation (likely a partial index, since the column stays NULL for findings that carry no OWASP identifier).
    # Rails enum on the Vulnerabilities::Read model; the enum name must match the
    # column name (owasp_top_ten), otherwise ActiveRecord looks for a column that
    # does not exist. Integer values are what gets stored in vulnerability_reads.
    enum owasp_top_ten: {
      "A1:2017-Injection" => 1,
      "A2:2017-Broken Authentication" => 2,
      "A3:2017-Sensitive Data Exposure" => 3,
      "A4:2017-XML External Entities (XXE)" => 4,
      "A5:2017-Broken Access Control" => 5,
      "A6:2017-Security Misconfiguration" => 6,
      "A7:2017-Cross-Site Scripting (XSS)" => 7,
      "A8:2017-Insecure Deserialization" => 8,
      "A9:2017-Using Components with Known Vulnerabilities" => 9,
      "A10:2017-Insufficient Logging & Monitoring" => 10,

      "A1:2021-Broken Access Control" => 11,
      "A2:2021-Cryptographic Failures" => 12,
      "A3:2021-Injection" => 13,
      "A4:2021-Insecure Design" => 14,
      "A5:2021-Security Misconfiguration" => 15,
      "A6:2021-Vulnerable and Outdated Components" => 16,
      "A7:2021-Identification and Authentication Failures" => 17,
      "A8:2021-Software and Data Integrity Failures" => 18,
      "A9:2021-Security Logging and Monitoring Failures" => 19,
      "A10:2021-Server-Side Request Forgery" => 20
    }
  2. [database, backend] Add a new task at the end of the ingestion tasks that populates vulnerability_reads.owasp_top_ten from the identifier name, normalised to the enum key (example: 'A3:2021-Injection'). Note that OWASP's own 2021 list zero-pads the position ('A03:2021-Injection'), so the ingestion must accept both spellings and store the single spelling the enum uses.

    • During ingestion also accept identifier names in the short format A[*]:2021 (position and year only) and map them to the long name ('A[*]:2021-[Broken Access Control | Cryptographic Failures | ...]'), because the short format is what most of the records observed on production use.
  3. [database, backend] Backfill vulnerability_reads.owasp_top_ten from the vulnerability_identifiers table, filtering on vulnerability_identifiers.external_type = 'owasp'.

    • During the backfill also include vulnerability_identifiers.external_id values with the short prefix A*:2021 and map them to the long-format name on vulnerability_reads.owasp_top_ten.
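The ingestion task (step 2) and the backfill (step 3) need the same normalisation: take whatever an OWASP identifier looks like in vulnerability_identifiers (long name, short "A3:2021", zero-padded "A03:2021", with or without the category text) and turn it into exactly one enum key. The Ruby below is an added example written for this issue, not GitLab's own code; the constant names, the owasp_top_ten_key and backfill_owasp_top_ten helpers, and the SAMPLE_IDENTIFIERS rows are all assumptions constructed here. It follows the key format of the enum proposed in step 1 (unpadded position, e.g. "A3:2021-Injection") and rejects identifiers whose stated category disagrees with the position for that year, which matters because Injection moved from A1 in 2017 to A3 in 2021.

```ruby
# frozen_string_literal: true

# Added example, not GitLab code: normalise OWASP Top 10 identifiers to the
# enum key proposed for vulnerability_reads.owasp_top_ten.

# Category names in list order, 2017 and 2021 (from the OWASP Top 10 projects).
OWASP_TOP_TEN = {
  '2017' => [
    'Injection', 'Broken Authentication', 'Sensitive Data Exposure',
    'XML External Entities (XXE)', 'Broken Access Control',
    'Security Misconfiguration', 'Cross-Site Scripting (XSS)',
    'Insecure Deserialization', 'Using Components with Known Vulnerabilities',
    'Insufficient Logging & Monitoring'
  ],
  '2021' => [
    'Broken Access Control', 'Cryptographic Failures', 'Injection',
    'Insecure Design', 'Security Misconfiguration',
    'Vulnerable and Outdated Components',
    'Identification and Authentication Failures',
    'Software and Data Integrity Failures',
    'Security Logging and Monitoring Failures', 'Server-Side Request Forgery'
  ]
}.freeze

# Enum key => integer, reproducing the proposed enum: 2017 entries map to
# 1..10 and 2021 entries to 11..20.
OWASP_TOP_TEN_ENUM = OWASP_TOP_TEN.each_with_index.flat_map do |(year, names), y|
  names.each_with_index.map { |name, i| ["A#{i + 1}:#{year}-#{name}", (y * 10) + i + 1] }
end.to_h.freeze

# Accepts "A3:2021", "A03:2021", "A3:2021-Injection", "A03:2021 - Injection".
# Rejects "A0", "A11" and unknown years outright.
OWASP_ID_RE = /\AA0?(?<pos>[1-9]|10):(?<year>2017|2021)(?:\s*-\s*(?<name>.+))?\z/i

# Returns the enum key for one identifier row, or nil when the row is not a
# recognised OWASP Top 10 entry. external_id is tried first, then name,
# because production records mostly carry the short form in external_id.
def owasp_top_ten_key(external_type:, external_id:, name: nil)
  return nil unless external_type.to_s.casecmp('owasp').zero?

  [external_id, name].compact.each do |candidate|
    m = OWASP_ID_RE.match(candidate.to_s.strip)
    next unless m

    pos = m[:pos].to_i
    long_name = OWASP_TOP_TEN[m[:year]][pos - 1]
    # A category text that contradicts the position (e.g. "A1:2021-Injection")
    # is treated as unknown rather than silently remapped to the position.
    next if m[:name] && m[:name].strip.casecmp(long_name) != 0

    return "A#{pos}:#{m[:year]}-#{long_name}"
  end
  nil
end

# Mirrors the backfill: for each vulnerability take the first identifier row
# that yields a key and return vulnerability_id => enum integer. Rows that do
# not resolve leave the column untouched (NULL), so they are simply absent.
def backfill_owasp_top_ten(identifier_rows)
  identifier_rows.each_with_object({}) do |row, acc|
    next if acc.key?(row[:vulnerability_id])

    key = owasp_top_ten_key(external_type: row[:external_type],
                            external_id: row[:external_id],
                            name: row[:name])
    acc[row[:vulnerability_id]] = OWASP_TOP_TEN_ENUM.fetch(key) if key
  end
end

# Constructed sample rows shaped like vulnerability_identifiers joined to a
# vulnerability id; not real production data.
SAMPLE_IDENTIFIERS = [
  { vulnerability_id: 1, external_type: 'owasp', external_id: 'A3:2021', name: 'A3:2021 - Injection' },
  { vulnerability_id: 2, external_type: 'owasp', external_id: 'A01:2021', name: 'Broken Access Control' },
  { vulnerability_id: 3, external_type: 'owasp', external_id: 'A1:2017-Injection', name: 'A1:2017-Injection' },
  { vulnerability_id: 4, external_type: 'cwe', external_id: 'CWE-89', name: 'CWE-89' },
  { vulnerability_id: 5, external_type: 'owasp', external_id: 'A1:2021-Injection', name: nil }
].freeze

if $PROGRAM_NAME == __FILE__
  p backfill_owasp_top_ten(SAMPLE_IDENTIFIERS) # => {1=>13, 2=>11, 3=>1}
end
```

Running the file prints {1=>13, 2=>11, 3=>1}: the CWE row and the contradictory "A1:2021-Injection" row resolve to nothing, so the backfill would leave those columns NULL instead of assigning a wrong group. If the team decides to store OWASP's zero-padded spelling instead, only the key string built in owasp_top_ten_key and the enum keys change; the parsing and validation stay the same.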

Once the data is available and this issue is closed, we can add the filter capability to the vulnerabilitySeveritiesCount GraphQL API for the frontend to use; that work is tracked in #432618 (closed).

Edited by Bala Kumar