Update security_findings fix_available filter to include solution field

Sashi Kumar Kumaresan requested to merge sk/424963-fix-available into master

What does this MR do and why?

This MR fixes a bug with the fix_available filter in scan result policies. Before this fix, we check only finding_data->>remediation_byte_offsets to filter fix_available, but the findings also have a finding_data->>solution field which stores the solution to fix the finding. An example value for solution is Upgrade apt to 1.0.1ubuntu2.17.

Addresses #424963 (closed)

Database Queries

fix_available

SELECT
    "security_findings".*
FROM
    "security_findings"
INNER JOIN
    "security_scans"
        ON "security_findings"."scan_id" = "security_scans"."id"
WHERE
    "security_scans"."pipeline_id" = 1103024685
    AND "security_findings"."partition_number" = 88
    AND "security_findings"."severity" IN (6, 7)
    AND (
        jsonb_array_length(finding_data -> 'remediation_byte_offsets')::bigint > 0
        OR COALESCE((finding_data->>'solution')::text, '') <> ''
    )

Plan: https://console.postgres.ai/gitlab/gitlab-production-tunnel-pg12/sessions/24714/commands/78647

fix_unavailable

SELECT
    "security_findings".*
FROM
    "security_findings"
INNER JOIN
    "security_scans"
        ON "security_findings"."scan_id" = "security_scans"."id"
WHERE
    "security_scans"."pipeline_id" = 1103024685
    AND "security_findings"."partition_number" = 88
    AND "security_findings"."severity" IN (6, 7)
    AND (
        (
            finding_data -> 'remediation_byte_offsets' IS NULL
            OR jsonb_array_length(finding_data -> 'remediation_byte_offsets')::bigint <= 0
        )
        AND COALESCE((finding_data->>'solution')::text, '') = ''
    )

Plan: https://console.postgres.ai/gitlab/gitlab-production-tunnel-pg12/sessions/24755/commands/78670
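The predicate behind the two queries above, restated in Ruby as an added example (not code from this MR or from GitLab): the pre-fix filter consults only remediation_byte_offsets, the fixed filter also treats a non-empty solution as a fix, and fix_unavailable is the exact complement. The findings, ids and the finding_data shapes are constructed for the example; only the solution string is the one quoted in the MR.

```ruby
# Constructed sample findings (not real data); finding 2's solution is the value quoted in the MR.
SAMPLE_FINDINGS = [
  { 'id' => 1, 'finding_data' => { 'remediation_byte_offsets' => [{ 'start_byte' => 10, 'end_byte' => 42 }] } },
  { 'id' => 2, 'finding_data' => { 'remediation_byte_offsets' => [], 'solution' => 'Upgrade apt to 1.0.1ubuntu2.17' } },
  { 'id' => 3, 'finding_data' => { 'solution' => '' } },
  { 'id' => 4, 'finding_data' => {} },
].freeze

# Equivalent of jsonb_array_length(finding_data -> 'remediation_byte_offsets') > 0,
# treating a missing key (SQL NULL) as "no remediation".
def remediation_present?(finding_data)
  offsets = finding_data['remediation_byte_offsets']
  offsets.is_a?(Array) && !offsets.empty?
end

# Equivalent of COALESCE((finding_data->>'solution')::text, '') <> '':
# a missing key, JSON null and '' all mean "no solution".
def solution_present?(finding_data)
  !finding_data['solution'].to_s.empty?
end

# include_solution: false reproduces the pre-fix behaviour (offsets only);
# true is the fixed predicate introduced by this MR.
def fix_available?(finding_data, include_solution: true)
  remediation_present?(finding_data) || (include_solution && solution_present?(finding_data))
end

# Returns [fix_available_ids, fix_unavailable_ids], mirroring the two queries:
# fix_unavailable is exactly the complement of fix_available.
def partition_ids(findings, include_solution: true)
  available, unavailable = findings.partition do |f|
    fix_available?(f['finding_data'], include_solution: include_solution)
  end
  [available.map { |f| f['id'] }, unavailable.map { |f| f['id'] }]
end

if __FILE__ == $PROGRAM_NAME
  puts "before fix: #{partition_ids(SAMPLE_FINDINGS, include_solution: false).inspect}"
  puts "after fix:  #{partition_ids(SAMPLE_FINDINGS).inspect}"
end
```

Finding 2 (empty offsets, non-empty solution) is the case the bug missed: it lands in fix_unavailable before the fix and in fix_available after it.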

Screenshots

Before Fix (Bug in gitlab.com)

gitlab-org/govern/security-policies/sashis-test-group/test-fix_available!1


After Fix (gdk)


How to set up and validate locally

  • Create a project with container scanning on a vulnerable image, e.g. .gitlab-ci.yml:

include:
  - template: Security/Container-Scanning.gitlab-ci.yml

container_scanning:
  variables:
    CS_IMAGE: 'citizenstig/dvwa:latest'

  • Create a scan result policy to require approval when a fix is available:

type: scan_result_policy
name: Fix Available
description: ''
enabled: true
rules:
  - type: scan_finding
    scanners: []
    vulnerabilities_allowed: 0
    severity_levels: []
    vulnerability_states:
      - detected
      - confirmed
      - dismissed
      - resolved
    branch_type: protected
    vulnerability_attributes:
      fix_available: true
actions:
  - type: require_approval
    approvals_required: 1
    group_approvers_ids:
      - <>

  • Create an MR that updates the README and verify that the approval is required.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Sashi Kumar Kumaresan