Add full Webhook event support for Vulnerabilities
What does this MR do and why?
This MR will add full Webhook event support for Vulnerabilities by extending the work from Add vulnerabilities as supported webhook events... (!169701 - merged). It covers sending a webhook event when:
- A Vulnerability is manually:
  - Created
  - Updated
- A Vulnerability is programmatically (e.g. via CI):
  - Created
  - Updated (need to confirm)
- An Issue linking to a Vulnerability is:
  - Created
Screenshots or screen recordings
Screen recording
Kapture_2025-01-08_at_15.55.59.h264
JSON webhook event example

```json
{
  "object_kind": "vulnerability",
  "object_attributes": {
    "url": "https://example.com/flightjs/Flight/-/security/vulnerabilities/1",
    "title": "REXML DoS vulnerability",
    "state": "confirmed",
    "project_id": 50,
    "location": {
      "file": "Gemfile.lock",
      "dependency": {
        "package": {
          "name": "rexml"
        },
        "version": "3.3.1"
      }
    },
    "cvss": [
      {
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "vendor": "NVD"
      }
    ],
    "severity": "high",
    "severity_overridden": false,
    "identifiers": [
      {
        "name": "Gemnasium-29dce398-220a-4315-8c84-16cd8b6d9b05",
        "external_id": "29dce398-220a-4315-8c84-16cd8b6d9b05",
        "external_type": "gemnasium",
        "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/gem/rexml/CVE-2024-41123.yml"
      },
      {
        "name": "CVE-2024-41123",
        "external_id": "CVE-2024-41123",
        "external_type": "cve",
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41123"
      }
    ],
    "issues": [
      {
        "title": "REXML ReDoS vulnerability",
        "url": "https://example.com/flightjs/Flight/-/issues/1",
        "created_at": "2025-01-08T00:46:14.429Z",
        "updated_at": "2025-01-08T00:46:14.429Z"
      }
    ],
    "report_type": "dependency_scanning",
    "confidence": "unknown",
    "confidence_overridden": false,
    "confirmed_at": "2025-01-08T00:46:14.413Z",
    "confirmed_by_id": 1,
    "dismissed_at": null,
    "dismissed_by_id": null,
    "resolved_on_default_branch": false,
    "created_at": "2025-01-08T00:46:14.413Z",
    "updated_at": "2025-01-08T00:46:14.413Z"
  }
}
```
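A receiver-side consumer for the event above, as an added Ruby example that is not part of this MR or of GitLab's code: it rejects any payload whose `object_kind` is not `vulnerability`, extracts the fields a triage pipeline needs (title, state, severity, CVE identifiers, linked issues), and decides whether the event is at or above a severity threshold. The sample payload is a trimmed copy of the example event; the severity ordering and the `dismissed` state check are assumptions.

```ruby
require 'json'

# Constructed sample, trimmed from the event payload shown in this MR.
SAMPLE_EVENT = <<~JSON
  {
    "object_kind": "vulnerability",
    "object_attributes": {
      "url": "https://example.com/flightjs/Flight/-/security/vulnerabilities/1",
      "title": "REXML DoS vulnerability",
      "state": "confirmed",
      "severity": "high",
      "identifiers": [
        {"name": "CVE-2024-41123", "external_id": "CVE-2024-41123", "external_type": "cve"}
      ],
      "issues": [
        {"title": "REXML ReDoS vulnerability", "url": "https://example.com/flightjs/Flight/-/issues/1"}
      ]
    }
  }
JSON

# Assumed ordering, lowest to highest; GitLab's own enum may differ.
SEVERITY_RANK = %w[info unknown low medium high critical].freeze

# Parse one webhook body and keep only what a triage pipeline needs.
# Raises ArgumentError for non-vulnerability hooks, so a shared endpoint
# does not silently accept issue or push payloads.
def parse_vulnerability_event(body)
  payload = JSON.parse(body)
  kind = payload['object_kind']
  raise ArgumentError, "unexpected object_kind: #{kind.inspect}" unless kind == 'vulnerability'

  attrs = payload.fetch('object_attributes')
  {
    title: attrs['title'],
    url: attrs['url'],
    state: attrs['state'],
    severity: attrs['severity'],
    cves: attrs.fetch('identifiers', []).select { |i| i['external_type'] == 'cve' }.map { |i| i['external_id'] },
    issue_urls: attrs.fetch('issues', []).map { |i| i['url'] }
  }
end

# True when the event should be routed to a human: not dismissed, and at or
# above the configured severity. Unrecognised severities rank below any threshold.
def needs_triage?(summary, min_severity: 'high')
  return false if summary[:state] == 'dismissed'
  (SEVERITY_RANK.index(summary[:severity].to_s) || -1) >= SEVERITY_RANK.index(min_severity)
end
```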
How to set up and validate locally
Prep work

1. Ensure you have Docker running on your machine.
2. Run the following to start up an instance of request basket:

   ```shell
   docker run --pull always --rm -ti -p 1234:55555 darklynx/request-baskets
   ```

3. In a new tab, visit `http://localhost:1234/web`, click 'Create' and then 'Open Basket'.
4. Copy into your clipboard the URL listed as part of "This basket is empty, send requests to `http://localhost:1234/<basket>` and they will appear here."
GDK

1. In a new tab, bring up your GDK, ensuring you have an EE license configured.
2. Create a new Project, calling it `vulnerabilities-webhook-events`.
3. Visit Settings > Webhooks and click 'Add a new webhook'.
4. In the 'URL' field, enter the URL obtained from Prep work step 4.
5. Scroll down until you see 'Vulnerability events' and check the box.
6. Uncheck the 'Enable SSL verification' checkbox unless you have HTTPS configured for your GDK, and click 'Add webhook'.
Test 'Vulnerability events' from Webhook settings

1. From the Webhook list, click the 'Test' button and select 'Vulnerability events'.
2. Go back to your 'request basket' tab and you should see an event in JSON format.
Related to #366770 (closed)