Improve Vulnerability Tracking: Use Signatures [RUN ALL RSPEC] [RUN AS-IF-FOSS]
This MR is the GitLab second part of the backend implementation of the proof-of-concept MR: !45339 (closed) and is part of the epic https://gitlab.com/groups/gitlab-org/-/epics/4690 - Improve Vulnerability Tracking: MVP: Scope+Offset
Feature flag vulnerability_finding_tracking_signatures
rollout issue: #322044 (closed)
What does this MR do?
This merge request uses the vulnerability finding signatures (previously `fingerprints) stored in the database (added in the dependent MR !55173 (merged)) to compare/deduplicate vulnerability signatures.
High-Level Details
This is done by:
- Using the signatures stored in the
vulnerability_finding_signatures
table (DB MR: !52720 (merged), Store Signatures MR: !55173 (merged))- Enables one-to-many relationships between findings and signatures
- These signatures are added from the
tracking
field in the security report (schema MR: gitlab-org/security-products/security-report-schemas!69 (merged))
- Comparing signatures of two vulnerability findings in order of decreasing priority
- Updating existing feedback signature values that match a signature to use the latest, highest priority signature
Technical Details
Below are a few scenarios that are expected to occur when comparing vulnerability signatures using prioritized signatures.
Each tracking signature method has a priority defined in the GitLab backend. Vulnerabilities with matching tracking signatures are compared in descending order.
One Matching Lower-Priority Signature (expand me)
In this example Vuln1
's Algorithm:hash
tracking signature below is the
only match with any of Vuln2
's tracking signatures. Since this is the first
(and only) match, they are considered the same vulnerability.
graph LR
subgraph Vuln1
subgraph signature11[signature1]
priority11["Priority:2"]
algorithm_type11["Algorithm:scope_offset"]
value11["AAAA"]
end
subgraph signature12[signature2]
priority12["Priority:1"]
algorithm_type12["Algorithm:hash"]
value12["XXXX"]
end
end
subgraph Vuln2
subgraph signature22[signature2]
priority22["Priority:1"]
algorithm_type22["Algorithm:hash"]
value22["XXXX"]
end
end
priority12 -->|matches| priority22
algorithm_type12 -->|matches| algorithm_type22
value12 -->|matches| value22
classDef green fill:#9f9,stroke-width:4px,font-weight:bold;
classDef red fill:#f9f,stroke:#333,stroke-width:4px;
class signature22 green
class signature12 green
Two Matching Signatures (expand me)
In this next example, Vuln1
and Vuln2
have several matching signatures.
However, the first and highest priority (most accurate) match is with the
Algorithm::scope_offset
tracking signature:
graph LR
subgraph Vuln1
subgraph signature11[signature1]
priority11["Priority:2"]
algorithm_type11["Algorithm:scope_offset"]
value11["AAAA"]
end
subgraph signature12[signature2]
priority12["Priority:1"]
algorithm_type12["Algorithm:hash"]
value12["XXXX"]
end
end
subgraph Vuln2
subgraph signature21[signature1]
priority21["Priority:2"]
algorithm_type21["Algorithm:scope_offset"]
value21["AAAA"]
end
subgraph signature22[signature2]
priority22["Priority:1"]
algorithm_type22["Algorithm:hash"]
value22["XXXX"]
end
end
priority11-->|matches| priority21
algorithm_type11 -->|matches| algorithm_type21
value11 -->|matches| value21
priority12-.->|matches| priority22
algorithm_type12 -.->|matches| algorithm_type22
value12 -.->|matches| value22
classDef green fill:#9f9,stroke-width:4px,font-weight:bold;
classDef red fill:#f9f,stroke:#333,stroke-width:4px;
class signature11 green
class signature21 green
Non-Matching High Priority Signatures (expand me)
Prioritized tracking signatures are also used to disprove matches. In the
example below, Vuln1
and Vuln2
both have matching low-priority
Algorithm:hash
signatures, but the high-priority Algorithm:scope_offset
tracking signatures do not match
graph LR
subgraph Vuln1
subgraph signature11[signature1]
priority11["Priority:2"]
algorithm_type11["Algorithm:scope_offset"]
value11["AAAA"]
end
subgraph signature12[signature2]
priority12["Priority:1"]
algorithm_type12["Algorithm:hash"]
value12["XXXX"]
end
end
subgraph Vuln2
subgraph signature21[signature1]
priority21["Priority:2"]
algorithm_type21["Algorithm:scope_offset"]
value21["BBBB"]
end
subgraph signature22[signature2]
priority22["Priority:1"]
algorithm_type22["Algorithm:hash"]
value22["XXXX"]
end
end
priority11-->|"✗"| priority21
algorithm_type11 -->|"✗"| algorithm_type21
value11 -->|"✗"| value21
priority12-.->|matches| priority22
algorithm_type12 -.->|matches| algorithm_type22
value12 -.->|matches| value22
classDef green fill:#9f9,stroke-width:4px,font-weight:bold;
classDef red fill:#f99,stroke-width:4px,font-weight:bold;
class signature11 red
class signature21 red
Notes
The changes in this MR are intended to be gated by a feature flag to make testing/rolling out this new feature easier.
Does this MR meet the acceptance criteria?
Conformity
-
Changelog entry -
Documentation (if required) -
Code review guidelines -
Merge request performance guidelines -
Style guides -
Database guides -
Separation of EE specific content
Availability and Testing
-
Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process. -
Tested in all supported browsers -
Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
-
Label as security and @ mention @gitlab-com/gl-security/appsec
-
The MR includes necessary changes to maintain consistency between UI, API, email, or other methods -
Security reports checked/validated by a reviewer from the AppSec team