Use fingerprint when comparing security reports in MR widget
What does this MR do?
We recently moved our security report comparison logic from FE to BE. We compare the head and base reports in the MR widget and present added, fixed, and existing vulnerability information. The general order of things is as follows (background info):
We need to be able to identify each vulnerability so that we can compare them accurately. That comparison logic is in occurrence.rb:
module Vulnerabilities
  class Occurrence < ApplicationRecord
    # Two occurrences are treated as the same vulnerability when the report
    # type, the location and the first fingerprint all match.
    def eql?(other)
      other.report_type == report_type &&
        other.location == location &&
        other.first_fingerprint == first_fingerprint
    end

    # Array.difference (-) method uses hash and eql? methods to do comparison
    def hash
      report_type.hash ^ location_fingerprint.hash ^ first_fingerprint.hash
    end
  end
end
However, instead of location we should use something called fingerprint_data. fingerprint_data provides a unique hash, and it is calculated depending on the report type. It is calculated in PRO. Here are some examples;
This MR uses fingerprint_data instead of location to increase the accuracy of the comparison.
Related Issue
Screenshots
As you can see, we have the same vulnerabilities, but they are presented as if they were different because their location fields differ, as follows.
In the added field (other fields of the vulnerability omitted), CVE-2018-20843:
  location: {
    image: "registry.gitlab.com/fjdiaz/simply-simple-notes/add-view-note-feature:97ac71c2944ba60f3b6563fa8a3247075eac1f7b",
    operating_system: "alpine:v3.7",
    dependency: {
      package: {
        name: "expat"
      },
      version: "2.2.5-r0"
    }
  }
In the fixed field (other fields of the vulnerability omitted), CVE-2018-20843:
  location: {
    image: "registry.gitlab.com/fjdiaz/simply-simple-notes/master:4d4c8322b152ff0e28201b202c3ef2143505d37a",
    operating_system: "alpine:v3.7",
    dependency: {
      package: {
        name: "expat"
      },
      version: "2.2.5-r0"
    }
  }
Only the image differs, so we should consider only the package and operating system, as it is calculated here.
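The following is an added example, not GitLab's own code, that models the comparison described above with a constructed stand-in for Vulnerabilities::Occurrence (the identifier field, the fingerprint_data format and the compare_reports helper are assumptions). It shows that once the container scanning fingerprint is built from operating system and package only, the same CVE found in two differently tagged images lands in existing rather than in both added and fixed.

```ruby
require 'digest'

# Constructed stand-in for Vulnerabilities::Occurrence (field names assumed).
class Occurrence
  attr_reader :report_type, :identifier, :location

  def initialize(report_type:, identifier:, location:)
    @report_type, @identifier, @location = report_type, identifier, location
  end

  # Report-type-specific fingerprint data: for container scanning only the OS
  # and package name identify the location, so the image tag is ignored.
  def fingerprint_data
    case report_type
    when :container_scanning
      "#{location[:operating_system]}:#{location.dig(:dependency, :package, :name)}"
    else
      location.to_s # fallback: the whole location, as the old comparison did
    end
  end

  def location_fingerprint
    Digest::SHA1.hexdigest(fingerprint_data)
  end

  # Array#- and Array#& use both hash and eql?, so both must derive from the same fields.
  def eql?(other)
    other.report_type == report_type &&
      other.location_fingerprint == location_fingerprint &&
      other.identifier == identifier
  end

  def hash
    report_type.hash ^ location_fingerprint.hash ^ identifier.hash
  end
end

# Builds the CVE-2018-20843 expat occurrence from the MR description for a given image (sample data).
def expat_occurrence(image)
  Occurrence.new(report_type: :container_scanning, identifier: 'CVE-2018-20843',
                 location: { image: image, operating_system: 'alpine:v3.7',
                             dependency: { package: { name: 'expat' }, version: '2.2.5-r0' } })
end

# Partition head vs base the way the MR widget does.
def compare_reports(base:, head:)
  { added: head - base, fixed: base - head, existing: head & base }
end
```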
Does this MR meet the acceptance criteria?
The comparison is done more accurately. The same vulnerabilities won't appear in different fields, as they do in the above image.