Update security_findings fix_available filter to include solution field
What does this MR do and why?
This MR fixes a bug with the `fix_available` filter in scan result policies. Before this fix, we checked only `finding_data->>remediation_byte_offsets` to filter on `fix_available`, but findings also have a `finding_data->>solution` field which stores the solution that fixes the finding. An example value for `solution` is `Upgrade apt to 1.0.1ubuntu2.17`.
Addresses #424963 (closed)
Database Queries
fix_available
```sql
SELECT
  "security_findings".*
FROM
  "security_findings"
  INNER JOIN "security_scans"
    ON "security_findings"."scan_id" = "security_scans"."id"
WHERE
  "security_scans"."pipeline_id" = 1103024685
  AND "security_findings"."partition_number" = 88
  AND "security_findings"."severity" IN (6, 7)
  AND (
    jsonb_array_length(finding_data -> 'remediation_byte_offsets')::bigint > 0
    OR COALESCE((finding_data->>'solution')::text, '') <> ''
  )
```
Plan: https://console.postgres.ai/gitlab/gitlab-production-tunnel-pg12/sessions/24714/commands/78647
fix_unavailable
```sql
SELECT
  "security_findings".*
FROM
  "security_findings"
  INNER JOIN "security_scans"
    ON "security_findings"."scan_id" = "security_scans"."id"
WHERE
  "security_scans"."pipeline_id" = 1103024685
  AND "security_findings"."partition_number" = 88
  AND "security_findings"."severity" IN (6, 7)
  AND (
    (finding_data -> 'remediation_byte_offsets' IS NULL
     OR jsonb_array_length(finding_data -> 'remediation_byte_offsets')::bigint <= 0)
    AND COALESCE((finding_data->>'solution')::text, '') = ''
  )
```
Plan: https://console.postgres.ai/gitlab/gitlab-production-tunnel-pg12/sessions/24755/commands/78670
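The two WHERE clauses above, mirrored in Python over constructed `finding_data` documents so the pre-fix and post-fix behaviour can be compared directly. This is an added example, not code from the MR or from GitLab; the sample payloads are constructed, and the check at the end confirms that the new `fix_available` and `fix_unavailable` predicates are exact complements, which a pair of policy filters must guarantee.

```python
"""Model of the fix_available / fix_unavailable predicates from this MR (added example)."""

# Constructed sample finding_data payloads (not real findings).
SAMPLE_FINDINGS = [
    # remediation byte offsets present and a solution text: fixable before and after
    {"remediation_byte_offsets": [{"start_byte": 0, "end_byte": 10}],
     "solution": "Upgrade apt to 1.0.1ubuntu2.17"},
    # solution only: the case the old filter missed
    {"solution": "Upgrade apt to 1.0.1ubuntu2.17"},
    # empty remediation array and empty solution: no fix
    {"remediation_byte_offsets": [], "solution": ""},
    # neither key present: the "IS NULL" branch of fix_unavailable
    {},
    # JSON null solution: finding_data->>'solution' is SQL NULL, COALESCE turns it into ''
    {"remediation_byte_offsets": [], "solution": None},
]


def _offsets_len(fd):
    """jsonb_array_length(finding_data -> 'remediation_byte_offsets'); None when the key is absent."""
    offsets = fd.get("remediation_byte_offsets")
    return len(offsets) if isinstance(offsets, list) else None


def _solution(fd):
    """COALESCE((finding_data->>'solution')::text, '')"""
    return fd.get("solution") or ""


def fix_available_old(fd):
    """Pre-fix filter: only remediation_byte_offsets was consulted (NULL > 0 is falsy)."""
    return (_offsets_len(fd) or 0) > 0


def fix_available(fd):
    """New fix_available clause: non-empty offsets array OR non-empty solution."""
    return (_offsets_len(fd) or 0) > 0 or _solution(fd) != ""


def fix_unavailable(fd):
    """New fix_unavailable clause: (offsets IS NULL OR length <= 0) AND solution = ''."""
    n = _offsets_len(fd)
    return (n is None or n <= 0) and _solution(fd) == ""


def classify(findings):
    """Return (old_available, new_available, new_unavailable, partition_ok) as index lists / bool."""
    old = [i for i, fd in enumerate(findings) if fix_available_old(fd)]
    new = [i for i, fd in enumerate(findings) if fix_available(fd)]
    unavail = [i for i, fd in enumerate(findings) if fix_unavailable(fd)]
    partition_ok = all(fix_available(fd) != fix_unavailable(fd) for fd in findings)
    return old, new, unavail, partition_ok
```

Running `classify(SAMPLE_FINDINGS)` shows finding 1 (solution only) moving from the unavailable bucket under the old filter into `fix_available` under the new one, with every finding landing in exactly one bucket.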
Screenshots
Before Fix (Bug in gitlab.com)
gitlab-org/govern/security-policies/sashis-test-group/test-fix_available!1
After Fix (gdk)
How to set up and validate locally
- Create a project with container scanning on a vulnerable image, e.g. with this `.gitlab-ci.yml`:

```yaml
include:
  - template: Security/Container-Scanning.gitlab-ci.yml

container_scanning:
  variables:
    CS_IMAGE: 'citizenstig/dvwa:latest'
```
- Create a scan result policy to require approval when a fix is available:

```yaml
type: scan_result_policy
name: Fix Available
description: ''
enabled: true
rules:
  - type: scan_finding
    scanners: []
    vulnerabilities_allowed: 0
    severity_levels: []
    vulnerability_states:
      - detected
      - confirmed
      - dismissed
      - resolved
    branch_type: protected
    vulnerability_attributes:
      fix_available: true
actions:
  - type: require_approval
    approvals_required: 1
    group_approvers_ids:
      - <>
```
- Create an MR that updates the README and verify that the approval is required.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.