Shortest path not displayed in vulnerability page
Summary
In the Evidence section of the vulnerability page showing a Dependency Scanning vulnerability with dependency path information:
- Shortest path has no value.
- Introduced by package is missing.
- Vulnerable Package is missing.
Steps to reproduce
- Create a project.
- Add dependencies to the default branch using one of the package managers listed in https://docs.gitlab.com/ee/user/application_security/dependency_list/#dependency-paths, including at least one dependency that matches a vulnerability in https://gitlab.com/gitlab-org/security-products/gemnasium-db.
- Set up Dependency Scanning.
- Go to the vulnerability report, click on one of the Dependency Scanning vulnerabilities, and check the Evidence section at the bottom of the page.
Example Project
https://gitlab.com/gitlab-org/security-products/tests/js-yarn/-/security/vulnerabilities/4009363
What is the current bug behavior?
- Shortest path has no value.
- Introduced by package is missing.
- Vulnerable Package is missing.
What is the expected correct behavior?
The Evidence section has the following fields along with values:
- Shortest path
- Introduced by package
- Vulnerable Package
Relevant logs and/or screenshots
See https://gitlab.com/gitlab-org/security-products/tests/js-yarn/-/security/vulnerabilities/4009363
Here's the vulnerability `details` field of the corresponding JSON object, extracted from the report:

```json
{
  "details": {
    "introduced_by_package": {
      "type": "text",
      "name": "Introduced by Package",
      "value": "coveralls:3.0.0"
    },
    "shortest_path": {
      "type": "list",
      "name": "Shortest Path",
      "items": [
        {
          "type": "text",
          "value": "coveralls:3.0.0"
        },
        {
          "type": "text",
          "value": "log-driver:1.2.6"
        },
        {
          "type": "text",
          "value": "codecov.io:0.0.1"
        },
        {
          "type": "text",
          "value": "request:2.42.0"
        },
        {
          "type": "text",
          "value": "hawk:1.1.1"
        }
      ]
    },
    "vulnerable_package": {
      "type": "text",
      "name": "Vulnerable Package",
      "value": "cryptiles:0.2.2"
    }
  }
}
```
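To tell whether the three Evidence fields are absent from the report itself or only from the rendered page, the `details` object can be checked offline. This is an added example, not GitLab's own code; it assumes only the `text` and `list` detail types shown in the JSON above, and the sample object is constructed from that report excerpt.

```javascript
// Constructed sample: the `details` object quoted from the report above.
const sampleDetails = {
  introduced_by_package: { type: "text", name: "Introduced by Package", value: "coveralls:3.0.0" },
  shortest_path: {
    type: "list",
    name: "Shortest Path",
    items: [
      { type: "text", value: "coveralls:3.0.0" },
      { type: "text", value: "log-driver:1.2.6" },
      { type: "text", value: "codecov.io:0.0.1" },
      { type: "text", value: "request:2.42.0" },
      { type: "text", value: "hawk:1.1.1" },
    ],
  },
  vulnerable_package: { type: "text", name: "Vulnerable Package", value: "cryptiles:0.2.2" },
};

// The three fields the Evidence section is expected to display.
const EVIDENCE_FIELDS = ["introduced_by_package", "shortest_path", "vulnerable_package"];

// Render one detail entry to a plain string. Only the "text" and "list"
// types seen in the report above are handled; anything else yields null,
// which the caller treats as "not renderable".
function renderDetail(detail) {
  if (!detail || typeof detail !== "object") return null;
  switch (detail.type) {
    case "text":
      return typeof detail.value === "string" ? detail.value : null;
    case "list":
      if (!Array.isArray(detail.items)) return null;
      // A list renders as its items joined in order, e.g. a dependency path.
      return detail.items.map(renderDetail).filter((v) => v !== null).join(" -> ");
    default:
      return null;
  }
}

// Check a `details` object for the Evidence fields and report which ones
// would render with a value and which are missing or empty.
function checkEvidence(details) {
  const rendered = {};
  const missing = [];
  for (const key of EVIDENCE_FIELDS) {
    const value = renderDetail(details ? details[key] : undefined);
    if (value === null || value === "") missing.push(key);
    else rendered[key] = value;
  }
  return { rendered, missing };
}
```

For the report quoted above, `checkEvidence(sampleDetails).missing` is empty, which points at the page rendering rather than the report data.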
Output of checks
This bug happens on GitLab.com:
GitLab Enterprise Edition 16.8.0-pre 4518fac5