Update Gemnasium dependency scanner to emit a report with a CVSS vector
Why are we doing this work
In Add optional CVSS vectors to vulnerability objects (gitlab-org/security-products/security-report-schemas!149 - merged), the security report schemas were updated to allow CVSS vectors to be included in the vulnerability objects. This change was made so that customers could filter, sort, and get better context out of their vulnerabilities (full details captured in &11213 (closed)). To take advantage of this, the gemnasium analyzers will also need to include the vectors in the vulnerabilities.
Relevant links
Non-functional requirements
- Documentation: -
- Feature flag: -
- Performance: -
- Testing: The security reports generated by the gemnasium family of analyzers are compatible with the security report schema v15.0.7.
Implementation plan
- Update the default schema model to version 15.
- Create a new receiver function func (c VulnerabilityConverter) cvssVectors() []report.CVSSVector { /* ... */ }. It should return the vulnerability's CVSS vectors.
  - The order of the slice of vectors returned is important. The order is based on the following precedence: cvss_v3 -> cvss_v2.
  - If the primary identifier is of type cve, then it should return NVD as the vendor, and unknown otherwise.
  - See #422031 (comment 1557857966) for details on the vendor name support.
- Update the qa/expect/js-npm/default/gl-dependency-scanning-report.json so that it includes the CVSS vectors in the expected order.
- Test that the cvss_v3 vector is used if non-empty and cvss_v2 if not.
- Test that the
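As an added example, not the gemnasium project's own code, the precedence and vendor rules from the plan above written out in Go. The Identifier, Advisory and CVSSVector types here are stand-ins for the analyzer's real advisory model and report.CVSSVector (an assumption), and the advisory in main is constructed sample data.

```go
package main

import (
	"fmt"
	"strings"
)

// Stand-in types for this example (assumption): the real analyzer uses
// its own advisory model and report.CVSSVector.
type Identifier struct{ Type, Value string }
type Advisory struct {
	Identifiers []Identifier // first entry is the primary identifier
	CVSSv3      string       // cvss_v3 vector string, may be empty
	CVSSv2      string       // cvss_v2 vector string, may be empty
}

type CVSSVector struct{ Vendor, Vector string }

// cvssVendor is "NVD" when the primary identifier is a CVE, else "unknown".
func cvssVendor(a Advisory) string {
	if len(a.Identifiers) > 0 && strings.EqualFold(a.Identifiers[0].Type, "cve") {
		return "NVD"
	}
	return "unknown"
}

// cvssVectors returns vectors in precedence order cvss_v3 -> cvss_v2,
// skipping empty ones, so a v2-only advisory yields a single v2 entry.
func cvssVectors(a Advisory) []CVSSVector {
	vendor := cvssVendor(a)
	var out []CVSSVector
	for _, v := range []string{a.CVSSv3, a.CVSSv2} {
		if v != "" {
			out = append(out, CVSSVector{Vendor: vendor, Vector: v})
		}
	}
	return out
}

func main() {
	// Constructed sample advisory, not a real record.
	adv := Advisory{
		Identifiers: []Identifier{{Type: "cve", Value: "CVE-0000-0000"}},
		CVSSv3:      "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
		CVSSv2:      "AV:N/AC:L/Au:N/C:P/I:P/A:P",
	}
	for _, v := range cvssVectors(adv) {
		fmt.Println(v.Vendor, v.Vector)
	}
}
```

The expected-report fixture from the plan can be checked against this ordering: v3 before v2, and a v2-only advisory producing exactly one entry.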
Verification steps
- Verify that the e2e tests that are triggered by the pipeline run produce an updated dependency scanning report.
Edited by Oscar Tovar