
Add full Webhook event support for Vulnerabilities


What does this MR do and why?

This MR will add full Webhook event support for Vulnerabilities by extending the work from Add vulnerabilities as supported webhook events... (!169701 - merged). It covers sending a webhook event when:

  • A Vulnerability is manually:

    • Created
    • Updated
  • A Vulnerability is programmatically (e.g. via CI):

    • Created
    • Updated (need to confirm)
  • An Issue linking to a Vulnerability is:

    • Created

References

Please include cross links to any resources that are relevant to this MR. This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screen recording

Kapture_2025-01-08_at_15.55.59.h264

JSON webhook event example

{
  "object_kind": "vulnerability",
  "object_attributes": {
    "url": "https://example.com/flightjs/Flight/-/security/vulnerabilities/1",
    "title": "REXML DoS vulnerability",
    "state": "confirmed",
    "project_id": 50,
    "location": {
      "file": "Gemfile.lock",
      "dependency": {
        "package": {
          "name": "rexml"
        },
        "version": "3.3.1"
      }
    },
    "cvss": [
      {
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "vendor": "NVD"
      }
    ],
    "severity": "high",
    "severity_overridden": false,
    "identifiers": [
      {
        "name": "Gemnasium-29dce398-220a-4315-8c84-16cd8b6d9b05",
        "external_id": "29dce398-220a-4315-8c84-16cd8b6d9b05",
        "external_type": "gemnasium",
        "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/gem/rexml/CVE-2024-41123.yml"
      },
      {
        "name": "CVE-2024-41123",
        "external_id": "CVE-2024-41123",
        "external_type": "cve",
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41123"
      }
    ],
    "issues": [
      {
        "title": "REXML ReDoS vulnerability",
        "url": "https://example.com/flightjs/Flight/-/issues/1",
        "created_at": "2025-01-08T00:46:14.429Z",
        "updated_at": "2025-01-08T00:46:14.429Z"
      }
    ],
    "report_type": "dependency_scanning",
    "confidence": "unknown",
    "confidence_overridden": false,
    "confirmed_at": "2025-01-08T00:46:14.413Z",
    "confirmed_by_id": 1,
    "dismissed_at": null,
    "dismissed_by_id": null,
    "resolved_on_default_branch": false,
    "created_at": "2025-01-08T00:46:14.413Z",
    "updated_at": "2025-01-08T00:46:14.413Z"
  }
}
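The payload above is what a receiving endpoint has to parse and act on. The following added example (not part of this MR or of GitLab's own code) shows a minimal receiver-side handler: it checks the X-Gitlab-Token header against the secret configured for the webhook using a constant-time comparison, validates that the body is a vulnerability event with the attributes shown above, and extracts the fields a triage pipeline would usually key on (CVE identifiers, affected package and version, severity, state). The sample payload is copied from the example above as a constructed input; the alerting rule (critical/high severity, not dismissed) and the function and field names are assumptions for illustration.

```python
import hmac
import json

# Constructed input: a trimmed copy of the example event from the MR description.
SAMPLE_EVENT = """{
  "object_kind": "vulnerability",
  "object_attributes": {
    "url": "https://example.com/flightjs/Flight/-/security/vulnerabilities/1",
    "title": "REXML DoS vulnerability",
    "state": "confirmed",
    "project_id": 50,
    "location": {
      "file": "Gemfile.lock",
      "dependency": {"package": {"name": "rexml"}, "version": "3.3.1"}
    },
    "cvss": [{"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "vendor": "NVD"}],
    "severity": "high",
    "identifiers": [
      {"name": "Gemnasium-29dce398-220a-4315-8c84-16cd8b6d9b05",
       "external_id": "29dce398-220a-4315-8c84-16cd8b6d9b05",
       "external_type": "gemnasium"},
      {"name": "CVE-2024-41123", "external_id": "CVE-2024-41123", "external_type": "cve"}
    ],
    "report_type": "dependency_scanning",
    "dismissed_at": null,
    "created_at": "2025-01-08T00:46:14.413Z",
    "updated_at": "2025-01-08T00:46:14.413Z"
  }
}"""

# Assumed triage policy for this example: alert on critical/high findings that are still open.
ALERT_SEVERITIES = {"critical", "high"}
ACTIONABLE_STATES = {"detected", "confirmed"}
REQUIRED_ATTRIBUTES = ("url", "title", "state", "severity", "project_id")


def verify_token(headers, expected_token):
    """Compare the X-Gitlab-Token header with the configured secret in constant time."""
    supplied = headers.get("X-Gitlab-Token", "")
    return hmac.compare_digest(supplied.encode(), expected_token.encode())


def triage_vulnerability_event(body):
    """Parse a vulnerability webhook body and return a compact triage summary."""
    event = json.loads(body)
    if event.get("object_kind") != "vulnerability":
        raise ValueError("not a vulnerability event: %r" % event.get("object_kind"))
    attrs = event["object_attributes"]
    missing = [key for key in REQUIRED_ATTRIBUTES if key not in attrs]
    if missing:
        raise ValueError("payload missing attributes: %s" % ", ".join(missing))

    # Pull CVE ids out of the identifier list; other identifier types are kept separately.
    cves = sorted(i["external_id"] for i in attrs.get("identifiers", [])
                  if i.get("external_type") == "cve")
    dependency = attrs.get("location", {}).get("dependency", {})
    should_alert = (attrs["severity"] in ALERT_SEVERITIES
                    and attrs["state"] in ACTIONABLE_STATES
                    and not attrs.get("dismissed_at"))
    return {
        "url": attrs["url"],
        "title": attrs["title"],
        "project_id": attrs["project_id"],
        "state": attrs["state"],
        "severity": attrs["severity"],
        "report_type": attrs.get("report_type"),
        "cves": cves,
        "package": dependency.get("package", {}).get("name"),
        "version": dependency.get("version"),
        "should_alert": should_alert,
    }


def handle_webhook(headers, body, expected_token):
    """Receiver entry point: returns (http_status, response_body)."""
    if not verify_token(headers, expected_token):
        return 401, {"error": "invalid webhook token"}
    try:
        summary = triage_vulnerability_event(body)
    except (ValueError, KeyError) as exc:  # JSONDecodeError is a ValueError
        return 400, {"error": str(exc)}
    return 200, summary


if __name__ == "__main__":
    print(handle_webhook({"X-Gitlab-Token": "s3cret"}, SAMPLE_EVENT, "s3cret"))
```

When wiring this into a real endpoint, `headers` is the request header mapping and `body` the raw request bytes decoded as UTF-8; the secret token is the one entered in the webhook's 'Secret token' field, and the test event triggered from the 'Test' button in the steps below exercises the same path.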

How to set up and validate locally

Prep work

  1. Ensure you have Docker running on your machine.
  2. Run the following to start up an instance of Request Baskets: docker run --pull always --rm -ti -p 1234:55555 darklynx/request-baskets
  3. In a new tab, visit http://localhost:1234/web, click 'Create' and then 'Open Basket'.
  4. Copy into your clipboard the URL listed as part of 'This basket is empty, send requests to http://localhost:1234/<basket> and they will appear here.'

GDK

  1. In a new tab, bring up your GDK, ensuring you have an EE license configured.
  2. Create a new Project, calling it vulnerabilities-webhook-events.
  3. Visit Settings > Webhooks and click 'Add a new webhook'.
  4. In the 'URL' field, enter the URL obtained from Prep work step 4.
  5. Scroll down until you see 'Vulnerability events' and check the box.
  6. Uncheck the 'Enable SSL verification' checkbox unless you have HTTPS configured for your GDK and click 'Add webhook'.

Test 'Vulnerability events' from Webhook settings

  1. From the Webhook list, click the 'Test' button and select 'Vulnerability events'.
  2. Go back to your 'request basket' tab and you should see an event in JSON format.

Related to #366770 (closed)

Edited by Ash McKenzie
