[RUN AS-IF-FOSS] Add option to send slack notifications when a new vulnerability is detected
What does this MR do?
Add option to send slack notifications when a new vulnerability is detected
Related to #334951 (closed)
Screenshots (strongly suggested)
Testing locally
- Create a project with a file named `gl-dependency-scanning-report.json` with the following content:

  ```json
  {
    "version": "2.4",
    "vulnerabilities": [
      {
        "id": "566894f5b08c7d540fc523535577f28d26b1a323b3827d65b7d2d04d28c30897",
        "category": "dependency_scanning",
        "name": "Exposure of Resource to Wrong Sphere CVE-2021-22897",
        "message": "Exposure of Resource to Wrong Sphere in haxx/curl CVE-2021-22897",
        "cve": "builds/gitlab-org/omnibus-gitlab/version-manifest.json:haxx/curl:cve:CVE-2021-22897",
        "severity": "Unknown",
        "scanner": {
          "id": "gitlab-depscan",
          "name": "GitLab Depscan"
        },
        "location": {
          "file": "builds/gitlab-org/omnibus-gitlab/version-manifest.json",
          "dependency": {
            "package": {
              "name": "haxx/curl"
            },
            "version": "7.74.0"
          }
        },
        "identifiers": [
          {
            "type": "cve",
            "name": "CVE-2021-22897",
            "value": "CVE-2021-22897",
            "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22897"
          }
        ],
        "links": [
          {
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22897"
          }
        ]
      }
    ],
    "remediations": []
  }
  ```

- Configure CI using the following configuration:

  ```yaml
  dependency_scanning:
    stage: test
    script:
      - echo "Running Dependency Scanning"
    artifacts:
      reports:
        dependency_scanning: gl-dependency-scanning-report.json
      paths:
        - gl-dependency-scanning-report.json
  ```

- Configure Slack integration for Vulnerabilities
- Run a pipeline
- If you need to test again, edit the security report file and do a find-and-replace-all of `897` with three other digits.
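The re-test step works because the CVE string appears in several fields (name, message, cve, identifiers, links), and changing it everywhere makes the finding no longer match the one already stored for the project. The following Python helper is an added example, not part of this MR or of GitLab: it performs that rename across the whole report and gives the affected vulnerability a fresh `id`. The sample report is a trimmed copy of the one above; deriving the new `id` as a sha256 of the `cve` field is an assumption, not GitLab's fingerprinting.

```python
import hashlib
import json
import re
from copy import deepcopy

# Constructed for this example: a trimmed copy of the report used in the testing steps above.
SAMPLE_REPORT = {
    "version": "2.4",
    "vulnerabilities": [{
        "id": "566894f5b08c7d540fc523535577f28d26b1a323b3827d65b7d2d04d28c30897",
        "category": "dependency_scanning",
        "name": "Exposure of Resource to Wrong Sphere CVE-2021-22897",
        "message": "Exposure of Resource to Wrong Sphere in haxx/curl CVE-2021-22897",
        "cve": "builds/gitlab-org/omnibus-gitlab/version-manifest.json:haxx/curl:cve:CVE-2021-22897",
        "location": {"file": "builds/gitlab-org/omnibus-gitlab/version-manifest.json",
                     "dependency": {"package": {"name": "haxx/curl"}, "version": "7.74.0"}},
        "identifiers": [{"type": "cve", "name": "CVE-2021-22897", "value": "CVE-2021-22897",
                         "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22897"}],
        "links": [{"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22897"}],
    }],
    "remediations": [],
}
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

def _replace_deep(node, old, new):
    """Recursively replace `old` with `new` in every string of a JSON-like structure."""
    if isinstance(node, str):
        return node.replace(old, new)
    if isinstance(node, list):
        return [_replace_deep(item, old, new) for item in node]
    if isinstance(node, dict):
        return {k: _replace_deep(v, old, new) for k, v in node.items()}
    return node

def rotate_cve(report, old_cve, new_cve):
    """Copy of `report` with `old_cve` renamed to `new_cve` in every string field and a fresh
    `id` on each affected vulnerability, so the next pipeline treats it as a new finding."""
    if not (CVE_RE.match(old_cve) and CVE_RE.match(new_cve)):
        raise ValueError("CVE identifiers must look like CVE-YYYY-NNNN")
    rotated = _replace_deep(deepcopy(report), old_cve, new_cve)
    for vuln in rotated["vulnerabilities"]:
        if new_cve in vuln["cve"]:
            # Assumption: sha256 of the `cve` field; GitLab derives its own fingerprint, but
            # for this manual test any 64-hex value that differs from the stored id is enough.
            vuln["id"] = hashlib.sha256(vuln["cve"].encode()).hexdigest()
    return rotated

def mentions(report, cve):
    """How often `cve` appears in the serialised report (0 for the old CVE after rotation)."""
    return json.dumps(report).count(cve)
```

Write `json.dumps(rotate_cve(SAMPLE_REPORT, "CVE-2021-22897", "CVE-2021-22123"), indent=2)` back to `gl-dependency-scanning-report.json` and run the pipeline again to trigger another notification.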
Does this MR meet the acceptance criteria?
Conformity
- I have included changelog trailers, or none are needed. (Does this MR need a changelog?)
- I have added/updated documentation, or it's not needed. (Is documentation required?)
- I have properly separated EE content from FOSS, or this MR is FOSS only. (Where should EE code go?)
- I have added information for database reviewers in the MR description, or it's not needed. (Does this MR have database related changes?)
- I have self-reviewed this MR per code review guidelines.
- This MR does not harm performance, or I have asked a reviewer to help assess the performance impact. (Merge request performance guidelines)
- I have followed the style guides.
- This change is backwards compatible across updates, or this does not apply.
Availability and Testing
- I have added/updated tests following the Testing Guide, or it's not needed. (Consider all test levels. See the Test Planning Process.)
- I have tested this MR in all supported browsers, or it's not needed.
- I have informed the Infrastructure department of a default or new setting change per definition of done, or it's not needed.
Edited by Balasankar 'Balu' C