
Use fingerprint when comparing security reports in MR widget

Can Eldem requested to merge consider-location-fingerprint-in-mr-widget into master

What does this MR do?

We recently moved our security report comparison logic from FE to BE. We compare the head and base reports in the MR widget and present added, fixed, and existing vulnerability information. The general order of things is as follows (background info):

We need to be able to identify each vulnerability so that we can compare them accurately. That comparison logic is in occurrence.rb:

module Vulnerabilities
  class Occurrence < ApplicationRecord
    # Array.difference (-) method uses hash and eql? methods to do comparison
    def eql?(other)
      other.report_type == report_type &&
        other.location == location &&
        other.first_fingerprint == first_fingerprint
    end

    def hash
      report_type.hash ^ location_fingerprint.hash ^ first_fingerprint.hash
    end
  end
end

However, instead of location we should use something called fingerprint_data. fingerprint_data provides a unique hash and it is calculated depending on the report type. It is calculated in PRO. Here are some examples:

https://gitlab.com/gitlab-org/gitlab/blob/master/ee/lib/gitlab/ci/reports/security/locations/base.rb#L15-19

https://gitlab.com/gitlab-org/gitlab/blob/master/ee%2Flib%2Fgitlab%2Fci%2Freports%2Fsecurity%2Flocations%2Fcontainer_scanning.rb#L23-25

https://gitlab.com/gitlab-org/gitlab/blob/master/ee/lib/gitlab/ci/reports/security/locations/dependency_scanning.rb#L21-23

This MR uses fingerprint_data instead of location to increase the accuracy of the comparison.

Related Issue

#35653 (closed)

Screenshots

image

As you can see, we have the same vulnerabilities but they are presented as if they are different, because their location fields are as follows:

In the added field (other fields of the vulnerability omitted), CVE-2018-20843:

location: {
  image: "registry.gitlab.com/fjdiaz/simply-simple-notes/add-view-note-feature:97ac71c2944ba60f3b6563fa8a3247075eac1f7b",
  operating_system: "alpine:v3.7",
  dependency: {
    package: {
      name: "expat"
    },
    version: "2.2.5-r0"
  }
}

In the fixed field (other fields of the vulnerability omitted), CVE-2018-20843:

location: {
  image: "registry.gitlab.com/fjdiaz/simply-simple-notes/master:4d4c8322b152ff0e28201b202c3ef2143505d37a",
  operating_system: "alpine:v3.7",
  dependency: {
    package: {
      name: "expat"
    },
    version: "2.2.5-r0"
  }
}

We should only consider the package and the operating system, as it is calculated here.
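To show how the comparison behaves once the location fingerprint is derived only from the operating system and package, here is an added, self-contained Ruby illustration; it is not the GitLab code, and its Occurrence class, the fingerprint composition and the sample image names are assumptions constructed for the example:

```ruby
require 'digest'

# Constructed illustration (not the GitLab code): identity comes from report_type, a
# report-type-specific location fingerprint and the primary identifier fingerprint.
class Occurrence
  attr_reader :report_type, :first_fingerprint, :location

  def initialize(report_type:, first_fingerprint:, location:)
    @report_type, @first_fingerprint, @location = report_type, first_fingerprint, location
  end

  # Only the fields that say *where* the finding is. For container scanning the
  # image name/tag is left out on purpose, so the same package on the same OS
  # matches across image builds; other report types fall back to the whole location.
  def fingerprint_data
    return location.to_s unless report_type == :container_scanning
    dep = location[:dependency]
    [location[:operating_system], dep[:package][:name], dep[:version]].join(':')
  end

  def location_fingerprint
    Digest::SHA1.hexdigest(fingerprint_data)
  end

  # Array#- and Array#& rely on hash and eql? to decide what is "the same".
  def eql?(other)
    other.report_type == report_type &&
      other.location_fingerprint == location_fingerprint &&
      other.first_fingerprint == first_fingerprint
  end
  def ==(other); eql?(other); end

  def hash
    [report_type, location_fingerprint, first_fingerprint].hash
  end
end

# Constructed sample: the same expat finding reported in two different image builds.
def container_finding(image)
  Occurrence.new(report_type: :container_scanning,
                 first_fingerprint: Digest::SHA1.hexdigest('CVE-2018-20843'),
                 location: { image: image, operating_system: 'alpine:v3.7',
                             dependency: { package: { name: 'expat' }, version: '2.2.5-r0' } })
end

BASE = [container_finding('registry.example.test/app/master:4d4c832')]
HEAD = [container_finding('registry.example.test/app/feature:97ac71c')]

def added;    HEAD - BASE; end  # [] : no longer shown as a new finding
def fixed;    BASE - HEAD; end  # [] : no longer shown as fixed either
def existing; HEAD & BASE; end  # one finding, carried over unchanged
```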

Does this MR meet the acceptance criteria?

The comparison is done more accurately. The same vulnerabilities won't appear in different fields as in the image above.

image


Edited by Can Eldem
