Draft: Adds security report details field rendering
Note
This MR is part of the discussions and work around a proposal to create generic security reports:
- BrownBag Session: Restructure Security Report Schemas: Proof of Concept
- gitlab-org/gitlab - Draft: Adds generic security report type (created for the BrownBag). Split into:
- security-report-schemas - Draft: Adds generic security report schema (created for the BrownBag)
What does this MR do?
This MR is the `details` field rendering portion of this proof-of-concept MR: !41195 (closed)
This MR adds support for rendering a recursively-typed `details` field in a vulnerability finding's `raw_metadata`. Supported typed field types are:
- named-list
- list
- table
- url
- int
- text
- diff
- markdown (GFM)
- code
- commit
- file-location
- module-location
The details field matches the schema in this security-report-schemas MR: TODO
This MR still needs:
- Tests
- Documentation
- Gracefully handle unexpected field types
Screenshots
`gl-sast-report.json` used for the screenshots above
```json
{
  "version": "2.3",
  "vulnerabilities": [
    {
      "category": "sast",
      "name": "Predictable pseudorandom number generator",
      "message": "Predictable pseudorandom number generator",
      "description": "This random generator (java.util.Random) is predictable",
      "cve": "BLAH:PREDICTABLE_RANDOM:groovy/src/main/groovy/com/gitlab/security_products/tests/App.groovy:47",
      "severity": "Critical",
      "confidence": "Medium",
      "scanner": {
        "id": "custom scanner",
        "name": "Custom Scanner"
      },
      "location": {
        "file": "new_file2.c",
        "start_line": 100,
        "end_line": 100,
        "class": "",
        "method": "main",
        "dependency": {
          "package": {}
        }
      },
      "identifiers": [
        {
          "type": "find_sec_bugs_type",
          "name": "Find Security Bugs-PREDICTABLE_RANDOM",
          "value": "PREDICTABLE_RANDOM",
          "url": "https://find-sec-bugs.github.io/bugs.htm#PREDICTABLE_RANDOM"
        },
        {
          "type": "cwe",
          "name": "CWE-330",
          "value": "330",
          "url": "https://cwe.mitre.org/data/definitions/330.html"
        }
      ],
      "details": {
        "commit": {
          "name": [ { "lang": "en", "value": "The Commit" } ],
          "description": [ { "lang": "en", "value": "Commit where the vulnerability was identified" } ],
          "type": "commit",
          "value": "41df7b7eb3be2b5be2c406c2f6d28cd6631eeb19"
        },
        "marked_up": {
          "name": [ { "lang": "en", "value": "Marked Data" } ],
          "description": [ { "lang": "en", "value": "GFM-flavored markdown" } ],
          "type": "markdown",
          "value": [ { "lang": "en", "value": "Here is markdown `inline code` #1 [test](gitlab.com)\n\n![GitLab Logo](https://about.gitlab.com/images/press/logo/preview/gitlab-logo-white-preview.png)" } ]
        },
        "diff": {
          "name": [ { "lang": "en", "value": "Modified data" } ],
          "description": [ { "lang": "en", "value": "How the data was modified" } ],
          "type": "diff",
          "before": "Hello there\nHello world\nhello again",
          "after": "Hello there\nHello Wooorld\nanew line\nhello again\nhello again"
        },
        "table_data": {
          "name": [ { "lang": "en", "value": "Registers" } ],
          "type": "table",
          "header": [
            { "type": "text", "value": [ { "lang": "en", "value": "Register" } ] },
            { "type": "text", "value": [ { "lang": "en", "value": "Value" } ] },
            { "type": "text", "value": [ { "lang": "en", "value": "Note" } ] }
          ],
          "rows": [
            [
              { "type": "text", "value": [ { "lang": "en", "value": "eax" } ] },
              { "type": "int", "value": 1336, "format": "hex" },
              { "type": "text", "value": [ { "lang": "en", "value": "A note for eax" } ] }
            ],
            [
              { "type": "text", "value": [ { "lang": "en", "value": "ebx" } ] },
              { "type": "int", "value": 1337, "format": "hex" },
              { "type": "text", "value": [ { "lang": "en", "value": "A note for ebx" } ] }
            ],
            [
              { "type": "text", "value": [ { "lang": "en", "value": "ecx" } ] },
              { "type": "int", "value": 1338, "format": "hex" },
              { "type": "text", "value": [ { "lang": "en", "value": "A note for ecx" } ] }
            ],
            [
              { "type": "text", "value": [ { "lang": "en", "value": "edx" } ] },
              { "type": "int", "value": 1339, "format": "hex" },
              { "type": "text", "value": [ { "lang": "en", "value": "A note for edx" } ] }
            ]
          ]
        },
        "urls": {
          "name": [
            { "lang": "en", "value": "URLs" },
            { "lang": "nl", "value": "DUTCH URLs" }
          ],
          "description": [ { "lang": "en", "value": "The list of URLs in this report" } ],
          "type": "list",
          "items": [
            { "type": "url", "href": "https://gitlab.com" },
            { "type": "url", "href": "https://gitlab.com" },
            { "type": "url", "href": "https://gitlab.com" }
          ]
        },
        "description": {
          "name": [ { "lang": "en", "value": "Description" } ],
          "description": [ { "lang": "en", "value": "The actual description of the description" } ],
          "type": "text",
          "value": [ { "lang": "en", "value": "Text value" } ]
        },
        "code_block": {
          "name": [ { "lang": "en", "value": "Code Block" } ],
          "type": "code",
          "value": "Here\nis\ncode"
        },
        "a_named_list": {
          "name": [ { "lang": "en", "value": "A Named List" } ],
          "type": "named-list",
          "items": {
            "field1": {
              "name": [ { "lang": "en", "value": "Field 1" } ],
              "description": [ { "lang": "en", "value": "The description for field 1" } ],
              "type": "text",
              "value": [ { "lang": "en", "value": "Text" } ]
            },
            "field2": {
              "name": [ { "lang": "en", "value": "Field 2" } ],
              "description": [ { "lang": "en", "value": "The description for field 2" } ],
              "type": "text",
              "value": [ { "lang": "en", "value": "Text" } ]
            },
            "nested_ints": {
              "name": [ { "lang": "en", "value": "Nested Ints" } ],
              "type": "list",
              "items": [
                { "type": "int", "value": 1337, "format": "default" },
                { "type": "int", "value": 1337, "format": "hex" }
              ]
            }
          }
        },
        "location1": {
          "name": [ { "lang": "en", "value": "Location 1" } ],
          "description": [ { "lang": "en", "value": "The first location" } ],
          "type": "file-location",
          "file_name": "new_file.c",
          "line_start": 5,
          "line_end": 6
        }
      }
    }
  ],
  "remediations": []
}
```
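The following is an added example, not code from this MR or from GitLab, of how a recursive renderer for the typed `details` field described above can be written so that it also covers the "gracefully handle unexpected field types" item still open in this MR. Because report JSON is produced by scanners running in CI, the UI has to treat every value in it as untrusted: all strings are HTML-escaped, only `http(s)` hrefs become links, nesting depth is capped, the type lookup only consults own properties (so a `type` of `"constructor"` cannot reach `Object.prototype`), and unknown types degrade to a labelled placeholder. The `module-location` field names (`module_name`, `offset`) are assumptions, since the MR shows no sample of that type; the sample input is constructed from a subset of the `gl-sast-report.json` above plus two hostile entries.

```javascript
// Added example (not GitLab's code): recursive renderer for the typed `details`
// field, producing HTML and treating all report content as untrusted input.

const MAX_DEPTH = 16; // guard against pathological nesting in scanner output

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Pick a translation from a [{ lang, value }] array: requested language,
// then English, then whatever comes first.
function localize(entries, lang = 'en') {
  if (!Array.isArray(entries) || entries.length === 0) return '';
  const hit = entries.find((e) => e && e.lang === lang)
    || entries.find((e) => e && e.lang === 'en')
    || entries[0];
  return hit && hit.value != null ? String(hit.value) : '';
}

// Only http(s) URLs are linkable; javascript:, data: and unparsable values yield null.
function safeHref(href) {
  try {
    const u = new URL(String(href));
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : null;
  } catch (_) {
    return null;
  }
}

function formatInt(field) {
  const n = Number(field.value);
  if (!Number.isInteger(n)) return escapeHtml(field.value);
  return field.format === 'hex' ? `0x${n.toString(16)}` : String(n);
}

const RENDERERS = {
  text: (f, lang) => escapeHtml(localize(f.value, lang)),
  int: (f) => formatInt(f),
  url: (f) => {
    const href = safeHref(f.href);
    return href
      ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(href)}</a>`
      : escapeHtml(f.href); // unsafe scheme: shown as inert text, never as a link
  },
  commit: (f) => `<code>${escapeHtml(f.value)}</code>`,
  code: (f) => `<pre><code>${escapeHtml(f.value)}</code></pre>`,
  // Real GFM rendering needs a sanitising markdown pipeline; shown escaped here.
  markdown: (f, lang) => `<pre>${escapeHtml(localize(f.value, lang))}</pre>`,
  // Simple before/after view; a line-level diff algorithm would plug in here.
  diff: (f) => {
    const lines = (s, sign) => String(s ?? '').split('\n').map((l) => `${sign}${escapeHtml(l)}`);
    return `<pre class="diff">${[...lines(f.before, '-'), ...lines(f.after, '+')].join('\n')}</pre>`;
  },
  'file-location': (f) => escapeHtml(`${f.file_name}:${f.line_start}-${f.line_end}`),
  // Assumed field names: the MR description shows no module-location sample.
  'module-location': (f) => escapeHtml(`${f.module_name}@${f.offset}`),
  list: (f, lang, d) =>
    `<ul>${(f.items || []).map((i) => `<li>${render(i, lang, d)}</li>`).join('')}</ul>`,
  'named-list': (f, lang, d) =>
    `<dl>${Object.entries(f.items || {}).map(([k, v]) =>
      `<dt>${escapeHtml(localize(v.name, lang) || k)}</dt><dd>${render(v, lang, d)}</dd>`).join('')}</dl>`,
  table: (f, lang, d) => {
    const row = (tag, cells) =>
      `<tr>${(cells || []).map((c) => `<${tag}>${render(c, lang, d)}</${tag}>`).join('')}</tr>`;
    return `<table>${row('th', f.header)}${(f.rows || []).map((r) => row('td', r)).join('')}</table>`;
  },
};

// Render one typed field; recursion is bounded and unknown types are reported, not thrown.
function render(field, lang = 'en', depth = 0) {
  if (field === null || typeof field !== 'object') return escapeHtml(field ?? '');
  if (depth > MAX_DEPTH) return '<em>[nesting too deep]</em>';
  // Own-property lookup only: a type of "constructor" or "__proto__" must not hit Object.prototype.
  if (!Object.prototype.hasOwnProperty.call(RENDERERS, field.type)) {
    return `<em>[unsupported field type: ${escapeHtml(field.type)}]</em>`;
  }
  return RENDERERS[field.type](field, lang, depth + 1);
}

// Render the whole `details` object: each top-level key gets its localized name and description.
function renderDetails(details, lang = 'en') {
  return Object.entries(details || {}).map(([key, field]) => {
    const name = localize(field && field.name, lang) || key;
    const desc = localize(field && field.description, lang);
    return `<section><h4>${escapeHtml(name)}</h4>`
      + (desc ? `<p>${escapeHtml(desc)}</p>` : '')
      + `${render(field, lang)}</section>`;
  }).join('\n');
}

// Constructed sample: a subset of the gl-sast-report.json details above plus two
// hostile entries (a javascript: URL and an unknown type carrying markup).
const SAMPLE_DETAILS = {
  commit: { name: [{ lang: 'en', value: 'The Commit' }], type: 'commit',
    value: '41df7b7eb3be2b5be2c406c2f6d28cd6631eeb19' },
  urls: { name: [{ lang: 'en', value: 'URLs' }, { lang: 'nl', value: 'DUTCH URLs' }], type: 'list',
    items: [{ type: 'url', href: 'https://gitlab.com' }, { type: 'url', href: 'javascript:alert(1)' }] },
  table_data: { name: [{ lang: 'en', value: 'Registers' }], type: 'table',
    header: [{ type: 'text', value: [{ lang: 'en', value: 'Register' }] },
             { type: 'text', value: [{ lang: 'en', value: 'Value' }] }],
    rows: [[{ type: 'text', value: [{ lang: 'en', value: 'eax' }] }, { type: 'int', value: 1336, format: 'hex' }]] },
  surprise: { name: [{ lang: 'en', value: 'Surprise' }], type: 'hologram', value: '<script>alert(1)</script>' },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderDetails(SAMPLE_DETAILS, 'nl'));
}
```

Running the block prints the Dutch-localized rendering of the sample: the `urls` section is titled `DUTCH URLs`, the `javascript:` item appears as plain text rather than a link, `1336` with `format: "hex"` renders as `0x538`, and the `hologram` field becomes `[unsupported field type: hologram]` with its markup never reaching the output.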
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
- Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team
Closes #233168 (closed)
Edited by James Johnson