
Populate cve column in pm_advisories at ingestion

What does this MR do and why?

A new cve column is to be added to the pm_advisories table to support querying of CVE entries. This MR implements population of the cve column in pm_advisories when ingesting data from PMDB.
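As an added illustration of the kind of mapping this MR describes (this is example code written for this page, not the MR's own implementation or GitLab's AdvisoriesSyncWorker), the snippet below takes advisory records and derives the value to write into a cve column. The PMDB record shape (a Hash with an "identifiers" array of type/value pairs), the function names and the sample advisories are all assumptions; the page does not show the real data format. It also shows the cases a reviewer would want handled: advisories with no CVE at all (which stay nil, as in the empty cells of the query output), identifiers with inconsistent case or whitespace, and values that do not look like a CVE id.

```ruby
# Added example, not GitLab's code. Assumes each PMDB advisory is a Hash with
# a "title" and an "identifiers" array of {"type" => ..., "value" => ...}.

# Canonical CVE id shape: CVE-<4-digit year>-<4 or more digits>.
CVE_PATTERN = /\ACVE-\d{4}-\d{4,}\z/

# Returns the canonical CVE id for an advisory record, or nil when the
# record carries no well-formed CVE identifier.
def extract_cve(advisory)
  identifiers = advisory.fetch("identifiers", [])
  candidates = identifiers
    .select { |i| i["type"].to_s.casecmp?("cve") }       # type match is case-insensitive
    .map    { |i| i["value"].to_s.strip.upcase }          # normalise before validating
  candidates.find { |v| v.match?(CVE_PATTERN) }           # nil if nothing valid remains
end

# Maps one advisory record to the attributes written to pm_advisories
# (hypothetical attribute set; only title and cve are shown here).
def to_pm_advisory_attributes(advisory)
  {
    title: advisory.fetch("title"),
    cve: extract_cve(advisory)
  }
end

# Ingests a batch of advisory records into row attribute hashes.
def ingest(advisories)
  advisories.map { |advisory| to_pm_advisory_attributes(advisory) }
end

# Constructed sample records modelled on the rows in the MR's query output.
# GHSA values are placeholders, not real advisories.
SAMPLE_ADVISORIES = [
  { "title" => "Incorrect Permission Assignment for Critical Resource",
    "identifiers" => [{ "type" => "GHSA", "value" => "GHSA-xxxx-xxxx-xxxx" },
                      { "type" => "CVE",  "value" => "CVE-2017-6928" }] },
  { "title" => "SQL Injection",                       # no CVE at all -> nil
    "identifiers" => [{ "type" => "GHSA", "value" => "GHSA-yyyy-yyyy-yyyy" }] },
  { "title" => "Session Fixation",                    # messy case/whitespace -> normalised
    "identifiers" => [{ "type" => "cve", "value" => " cve-2023-3192 " }] },
  { "title" => "Malformed identifier",                # not a valid CVE id -> nil
    "identifiers" => [{ "type" => "CVE", "value" => "CVE-23-1" }] }
]

if __FILE__ == $PROGRAM_NAME
  ingest(SAMPLE_ADVISORIES).each do |row|
    puts format("%-55s | %s", row[:title], row[:cve])
  end
end
```

Normalising and validating before writing matters because the column exists to be queried: a lowercase or padded value would silently miss an exact-match lookup, and an advisory with no CVE should end up as NULL rather than an empty string so that queries can distinguish "no CVE assigned" from a bad value.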

Related to #510321 (closed)

Testing

Tested by running:

worker = PackageMetadata::AdvisoriesSyncWorker.new
worker.perform

Results:

gitlabhq_development=# select id, title, cve from pm_advisories limit 20;
  id   |                                        title                                         |      cve
-------+--------------------------------------------------------------------------------------+----------------
 14990 | Incorrect Permission Assignment for Critical Resource                                | CVE-2017-6928
 14991 | Blind XSS Leading to Froxlor Application Compromise                                  | CVE-2024-34070
 14992 | Cross-site Scripting                                                                 | CVE-2021-32470
 14993 | Improper Control of Generation of Code ('Code Injection')                            | CVE-2023-32692
 14994 | Improper Control of Generation of Code ('Code Injection')                            | CVE-2023-32692
 14995 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | CVE-2023-3083
 15517 | Code Injection                                                                       |
 14996 | SQL Injection                                                                        |
 14997 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | CVE-2023-3086
 14998 | Improper Access Control                                                              | CVE-2023-3095
 14999 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | CVE-2023-37611
 15000 | Improper Access Control                                                              | CVE-2024-22407
 15001 | Observable Discrepancy                                                               | CVE-2020-9588
 16380 | Cross-site Scripting                                                                 |
 15002 | Improper Input Validation                                                            | CVE-2023-22730
 15003 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | CVE-2023-2518
 15004 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | CVE-2023-3191
 15005 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')       | CVE-2023-3172
 15006 | Session Fixation                                                                     | CVE-2023-3192
 15007 | Improper Restriction of Excessive Authentication Attempts                            | CVE-2023-3173

The CVE field is populated as expected!

References

Please include cross links to any resources that are relevant to this MR. This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.


How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.


Edited by Yasha Rise
