Add full Webhook event support for Vulnerabilities
What does this MR do and why?
This MR will add full Webhook event support for Vulnerabilities by extending the work from "Add vulnerabilities as supported webhook events..." (!169701 - merged). It covers sending a webhook event when:

- A Vulnerability is manually:
  - Created
  - Updated
- A Vulnerability is programmatically (e.g. via CI):
  - Created
  - Updated (need to confirm)
- An Issue linking to a Vulnerability is:
  - Created
Screenshots or screen recordings

Screen recording: Kapture_2025-01-08_at_15.55.59.h264
JSON webhook event example

```json
{
  "object_kind": "vulnerability",
  "object_attributes": {
    "url": "https://example.com/flightjs/Flight/-/security/vulnerabilities/1",
    "title": "REXML DoS vulnerability",
    "state": "confirmed",
    "project_id": 50,
    "location": {
      "file": "Gemfile.lock",
      "dependency": {
        "package": {
          "name": "rexml"
        },
        "version": "3.3.1"
      }
    },
    "cvss": [
      {
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "vendor": "NVD"
      }
    ],
    "severity": "high",
    "severity_overridden": false,
    "identifiers": [
      {
        "name": "Gemnasium-29dce398-220a-4315-8c84-16cd8b6d9b05",
        "external_id": "29dce398-220a-4315-8c84-16cd8b6d9b05",
        "external_type": "gemnasium",
        "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/gem/rexml/CVE-2024-41123.yml"
      },
      {
        "name": "CVE-2024-41123",
        "external_id": "CVE-2024-41123",
        "external_type": "cve",
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41123"
      }
    ],
    "issues": [
      {
        "title": "REXML ReDoS vulnerability",
        "url": "https://example.com/flightjs/Flight/-/issues/1",
        "created_at": "2025-01-08T00:46:14.429Z",
        "updated_at": "2025-01-08T00:46:14.429Z"
      }
    ],
    "report_type": "dependency_scanning",
    "confidence": "unknown",
    "confidence_overridden": false,
    "confirmed_at": "2025-01-08T00:46:14.413Z",
    "confirmed_by_id": 1,
    "dismissed_at": null,
    "dismissed_by_id": null,
    "resolved_on_default_branch": false,
    "created_at": "2025-01-08T00:46:14.413Z",
    "updated_at": "2025-01-08T00:46:14.413Z"
  }
}
```
How to set up and validate locally

Prep work

1. Ensure you have Docker running on your machine.
2. Run the following to start up an instance of request basket:

   ```shell
   docker run --pull always --rm -ti -p 1234:55555 darklynx/request-baskets
   ```

3. In a new tab, visit http://localhost:1234/web, click 'Create' and then 'Open Basket'.
4. Copy into your clipboard the URL listed as part of "This basket is empty, send requests to http://localhost:1234/<basket> and they will appear here."

GDK

1. In a new tab, bring up your GDK, ensuring you have an EE license configured.
2. Create a new Project, calling it `vulnerabilities-webhook-events`.
3. Visit Settings > Webhooks and click 'Add a new webhook'.
4. In the 'URL' field, enter the URL obtained from Prep work step 4.
5. Scroll down until you see 'Vulnerability events' and check the box.
6. Uncheck the 'Enable SSL verification' checkbox unless you have HTTPS configured for your GDK and click 'Add webhook'.

Test 'Vulnerability events' from Webhook settings

1. From the Webhook list, click the 'Test' button and select 'Vulnerability events'.
2. Go back to your 'request basket' tab and you should see an event in JSON format.
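The request-basket steps above only show that the event arrives. As an added example (not code from this MR or from the GitLab code base), the following Ruby receiver shows what the consuming side should do with the payload shape given in the JSON example: check the `X-Gitlab-Token` header (the header GitLab uses to send the webhook's configured secret token) with a constant-time comparison, accept only `object_kind: "vulnerability"`, and pull out the fields an alerting or ticketing rule would act on. The sample body (trimmed from the example above to the fields read), the secret value and the severity threshold are constructed for this example.

```ruby
require 'json'

# Constructed sample: the vulnerability event from the MR description,
# trimmed to the fields this handler reads.
SAMPLE_BODY = <<~JSON
  {
    "object_kind": "vulnerability",
    "object_attributes": {
      "url": "https://example.com/flightjs/Flight/-/security/vulnerabilities/1",
      "title": "REXML DoS vulnerability",
      "state": "confirmed",
      "project_id": 50,
      "severity": "high",
      "report_type": "dependency_scanning",
      "identifiers": [
        { "name": "Gemnasium-29dce398-220a-4315-8c84-16cd8b6d9b05", "external_type": "gemnasium",
          "external_id": "29dce398-220a-4315-8c84-16cd8b6d9b05" },
        { "name": "CVE-2024-41123", "external_type": "cve", "external_id": "CVE-2024-41123" }
      ],
      "issues": [
        { "title": "REXML ReDoS vulnerability", "url": "https://example.com/flightjs/Flight/-/issues/1" }
      ]
    }
  }
JSON

# Constructed secret for the example. In a real deployment this is the secret
# token configured on the webhook, which GitLab echoes in X-Gitlab-Token.
WEBHOOK_SECRET = 'constructed-example-secret'

# Constructed policy: only confirmed findings at these severities raise an alert.
SEVERITIES_TO_ALERT = %w[high critical].freeze

# Constant-time comparison so a wrong token does not leak how many leading
# bytes matched through response timing.
def constant_time_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize

  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# headers: Hash of request headers; body: raw JSON request body.
# Returns a Hash whose :status is :ok, :unauthorized, :ignored or :malformed.
def handle_vulnerability_webhook(headers, body, secret: WEBHOOK_SECRET)
  # Authenticate before parsing anything from the body.
  return { status: :unauthorized } unless constant_time_equal?(headers['X-Gitlab-Token'], secret)

  payload = JSON.parse(body)
  return { status: :ignored, object_kind: payload['object_kind'] } unless payload['object_kind'] == 'vulnerability'

  attrs = payload['object_attributes']
  return { status: :malformed } unless attrs.is_a?(Hash) && attrs['url'] && attrs['severity'] && attrs['state']

  # CVE ids are the identifiers with external_type "cve"; other scanners add their own ids.
  cves = Array(attrs['identifiers']).select { |id| id['external_type'] == 'cve' }.map { |id| id['external_id'] }
  alert = SEVERITIES_TO_ALERT.include?(attrs['severity']) && attrs['state'] == 'confirmed'

  {
    status: :ok,
    url: attrs['url'],
    title: attrs['title'],
    severity: attrs['severity'],
    state: attrs['state'],
    report_type: attrs['report_type'],
    cves: cves,
    linked_issues: Array(attrs['issues']).map { |i| i['url'] },
    alert: alert
  }
rescue JSON::ParserError
  { status: :malformed }
end

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(handle_vulnerability_webhook({ 'X-Gitlab-Token' => WEBHOOK_SECRET }, SAMPLE_BODY))
end
```

The token check runs before `JSON.parse` so that unauthenticated callers cannot drive the parser at all, and the handler returns a distinct status for each failure so the receiver can log unauthorized deliveries separately from malformed ones.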
Related to #366770 (closed)
Merge request reports

Activity

changed milestone to %17.8
assigned to @ashmckenzie
added Technical Writing, devops::security risk management labels
mentioned in issue #366770 (closed)
added docs-only label
added 11 commits
- 2dd472c9...cfd61e51 - 10 commits from branch master
- 77d09b4a - Full support for Vulnerability Webhook events
A deleted user
added backend label
1 Message: This merge request adds or changes documentation files. A review from the Technical Writing team before you merge is recommended. Reviews can happen after you merge.

Documentation review

The following files require a review from a technical writer:

- doc/user/project/integrations/webhook_events.md (Link to current live version)

The review does not need to block merging this merge request. See the:

- Metadata for the *.md files that you've changed. The first few lines of each *.md file identify the stage and group most closely associated with your docs change.
- The Technical Writer assigned for that stage and group.
- Documentation workflows for information on when to assign a merge request for review.

Reviewer roulette

| Category | Reviewer | Maintainer |
| --- | --- | --- |
| backend | @mbenayoun (UTC+2, 9 hours behind author) | @mattkasa (UTC-8, 19 hours behind author) |
| frontend | @fdegier (UTC+1, 10 hours behind author) | @elwyn-gitlab (UTC+13, 2 hours ahead of author) |

Please refer to documentation page for guidance on how you can benefit from the Reviewer Roulette, or use the GitLab Review Workload Dashboard to find other available reviewers.

If needed, you can retry the danger-review job that generated this comment.

Generated by Danger

removed docs-only label
removed Technical Writing label
added Technical Writing label
added group::security infrastructure label
- Resolved by Ash McKenzie
@bwill, @bala.kumar, @ghavenga and @minac before I go deeper into this, adding specs etc, may I please have your thoughts on this WIP MR? I made the changes based on the suggestions from this thread. It appears to work as expected so just wanted to verify the changes look suitable before I continue.
Thanks in advance. cc @dagron1
mentioned in merge request !176225 (closed)
added 1261 commits
- 77d09b4a...7fc09f38 - 1260 commits from branch master
- c5fdd702 - Full support for Vulnerability Webhook events
A deleted user
added documentation, frontend labels
added 1 commit
- 7b9b8c1a - Full support for Vulnerability Webhook events
added 1 commit
- 170e8340 - Full support for Vulnerability Webhook events
added 242 commits
- 170e8340...277db8b6 - 241 commits from branch master
- 5b01f054 - Full support for Vulnerability Webhook events
1 Message: This merge request adds or changes documentation files. A review from the Technical Writing team before you merge is recommended. Reviews can happen after you merge.

Documentation review

The following files require a review from a technical writer:

- doc/user/project/integrations/webhook_events.md (Link to current live version)

The review does not need to block merging this merge request. See the:

- Metadata for the *.md files that you've changed. The first few lines of each *.md file identify the stage and group most closely associated with your docs change.
- The Technical Writer assigned for that stage and group.
- Documentation workflows for information on when to assign a merge request for review.

Reviewer roulette

| Category | Reviewer | Maintainer |
| --- | --- | --- |
| backend | @tvellishetty (UTC+5.5, 5.5 hours behind author) | @mattkasa (UTC-8, 19 hours behind author) |
| frontend | @fdegier (UTC+1, 10 hours behind author) | @elwyn-gitlab (UTC+13, 2 hours ahead of author) |
| group::import and integrate (backend) | @.luke (UTC+13, 2 hours ahead of author) | Maintainer review is optional for group::import and integrate (backend) |

Please refer to documentation page for guidance on how you can benefit from the Reviewer Roulette, or use the GitLab Review Workload Dashboard to find other available reviewers.

If needed, you can retry the danger-review job that generated this comment.

Generated by Danger
added 1 commit
- 1c7231d1 - Full support for Vulnerability Webhook events
requested review from @bwill
removed review request for @bwill
added 275 commits
- 1c7231d1...60697c42 - 274 commits from branch master
- 2bc58d55 - Full support for Vulnerability Webhook events
added 1 commit
- 7aa77034 - Full support for Vulnerability Webhook events
added 1 commit
- 1a366426 - Full support for Vulnerability Webhook events
added pipeline:mr-approved label
added pipeline::tier-3, pipeline:run-e2e-omnibus-once labels
E2E Test Result Summary

allure-report-publisher generated test report!

e2e-test-on-gdk: test report for 1a366426

| Suite | passed | failed | skipped | flaky | total | result |
| --- | --- | --- | --- | --- | --- | --- |
| Govern | 80 | 0 | 12 | 0 | 92 | ✅ |
| Plan | 82 | 0 | 8 | 0 | 90 | ✅ |
| Create | 135 | 0 | 20 | 0 | 155 | ✅ |
| Verify | 50 | 0 | 16 | 0 | 66 | ✅ |
| Package | 25 | 0 | 13 | 0 | 38 | ✅ |
| Fulfillment | 2 | 0 | 7 | 0 | 9 | ✅ |
| Secure | 4 | 0 | 3 | 0 | 7 | ✅ |
| Release | 5 | 0 | 1 | 0 | 6 | ✅ |
| Ai-powered | 0 | 0 | 2 | 0 | 2 | ➖ |
| Monitor | 8 | 0 | 12 | 0 | 20 | ✅ |
| Manage | 1 | 0 | 9 | 0 | 10 | ✅ |
| Analytics | 2 | 0 | 0 | 0 | 2 | ✅ |
| Configure | 0 | 0 | 3 | 0 | 3 | ➖ |
| Data Stores | 33 | 0 | 10 | 0 | 43 | ✅ |
| ModelOps | 0 | 0 | 1 | 0 | 1 | ➖ |
| Growth | 0 | 0 | 2 | 0 | 2 | ➖ |
| Total | 427 | 0 | 119 | 0 | 546 | ✅ |

e2e-test-on-cng: test report for 1a366426

| Suite | passed | failed | skipped | flaky | total | result |
| --- | --- | --- | --- | --- | --- | --- |
| Verify | 51 | 0 | 15 | 0 | 66 | ✅ |
| Create | 140 | 0 | 19 | 0 | 159 | ✅ |
| Package | 30 | 0 | 14 | 0 | 44 | ✅ |
| Plan | 86 | 0 | 8 | 0 | 94 | ✅ |
| Govern | 84 | 0 | 10 | 0 | 94 | ✅ |
| Data Stores | 33 | 0 | 10 | 0 | 43 | ✅ |
| Manage | 1 | 0 | 9 | 0 | 10 | ✅ |
| Fulfillment | 2 | 0 | 7 | 0 | 9 | ✅ |
| Monitor | 8 | 0 | 12 | 0 | 20 | ✅ |
| Ai-powered | 0 | 0 | 2 | 0 | 2 | ➖ |
| Release | 5 | 0 | 1 | 0 | 6 | ✅ |
| Secure | 2 | 0 | 5 | 0 | 7 | ✅ |
| Analytics | 2 | 0 | 0 | 0 | 2 | ✅ |
| Configure | 0 | 0 | 3 | 0 | 3 | ➖ |
| Growth | 0 | 0 | 2 | 0 | 2 | ➖ |
| ModelOps | 0 | 0 | 1 | 0 | 1 | ➖ |
| Total | 444 | 0 | 118 | 0 | 562 | ✅ |

started a merge train
mentioned in commit 8c1a11a7
added workflow::staging-canary label
added workflow::canary label and removed workflow::staging-canary label
added workflow::staging label and removed workflow::canary label
added workflow::production label and removed workflow::staging label
added workflow::post-deploy-db-staging label and removed workflow::production label
added workflow::post-deploy-db-production label and removed workflow::post-deploy-db-staging label
added released::candidate label
mentioned in merge request !177699 (merged)
added released::published label and removed released::candidate label
mentioned in issue #499996 (closed)