
Respond with finding UUID when creating Starboard vulnerability

What does this MR do and why?

Makes the Create Starboard vulnerability internal API endpoint respond with the newly created vulnerability finding UUID.

Required to implement Cluster image scanning vulnerability resolution.

Screenshots or screen recordings

n/a

How to set up and validate locally

  1. Create a JWT:

JWT.encode({ 'iss' => Gitlab::Kas::JWT_ISSUER }, Gitlab::Kas.secret, 'HS256')

  2. Create a fresh project.

  3. Create an agent and accompanying token:

agent = Project.last.cluster_agents.create(name: "test", created_by_user: User.find(1))
token = agent.agent_tokens.create(name: "test", created_by_user: User.find(1))
token.token

  4. Create ./body.json:

{
  "vulnerability": {
    "category": "cluster_image_scanning",
    "name": "CVE-2030-9273",
    "message": "CVE-2030-9273 in Flowdesk",
    "description": "You can't navigate the capacitor without calculating the wireless SMTP driver!",
    "cve": "CVE-2030-9273",
    "severity": "Low",
    "confidence": "High",
    "solution": "If we quantify the alarm, we can get to the EXE program through the back-end SCSI microchip!",
    "scanner": {
      "id": "starboard_trivy",
      "name": "Trivy (via Starboard Operator)"
    },
    "location": {
      "dependency": {
        "package": {
          "name": "Bitchip"
        },
        "version": "0.62"
      },
      "image": "http://wisoky.io/image:latest",
      "kubernetes_resource": {
        "namespace": "aut",
        "kind": "pod",
        "name": "mtkfirkstw",
        "container_name": "spfsbzwrrx",
        "agent_id": "jiccusfqbu"
      }
    },
    "identifiers": [
      {
        "type": "cve",
        "name": "CVE-2030-9273",
        "value": "CVE-2030-9273",
        "url": "http://wilkinson-beier.name/elisha.gorczany"
      }
    ],
    "links": [
      "http://bins.com/zona",
      "http://morar.name/juliana_lakin",
      "http://murazik.info/kamilah_haag"
    ]
  },
  "scanner": {
    "id": "starboard-trivy",
    "name": "Trivy (via Starboard Operator)",
    "url": "https://github.com/aquasecurity/trivy",
    "vendor": {
      "name": "GitLab"
    }
  }
}
  5. Create a Starboard vulnerability and verify the response body contains the finding UUID:

curl --request PUT --header "Gitlab-Kas-Api-Request: <JWT token>" \
     --header "Authorization: Bearer <agent token>" --header "Content-Type: application/json" \
     --url "http://gdk.test:3000/api/v4/internal/kubernetes/modules/starboard_vulnerability" \
     --data @body.json
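The validation steps above mint a KAS-issued JWT, attach an agent token and PUT a body to the internal endpoint. The following is an added example, not code from this MR or from GitLab: it reproduces the HS256 JWT from step 1 with only the Ruby standard library, shows the check the receiving side has to make on that header (fixed algorithm, constant-time signature comparison, issuer match), assembles the PUT from step 5 without sending it, and extracts the finding UUID from a response body. The issuer string `'gitlab-kas'`, the shared secret, the agent token, the response key `uuid` and the trimmed body are all assumptions or constructed stand-ins; `gdk.test:3000` and the endpoint path are the ones used in the curl step.

```ruby
require 'json'
require 'openssl'
require 'net/http'
require 'uri'

# Assumed, not taken from the MR: the issuer behind Gitlab::Kas::JWT_ISSUER and a
# constructed secret standing in for Gitlab::Kas.secret.
KAS_JWT_ISSUER = 'gitlab-kas'.freeze
DEMO_KAS_SECRET = 'constructed-demo-secret-not-a-real-kas-secret'.freeze
STARBOARD_PATH = '/api/v4/internal/kubernetes/modules/starboard_vulnerability'.freeze

def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0') # raises ArgumentError on malformed input
end

# Constant-time byte comparison so a forged signature cannot be guessed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What step 1's JWT.encode produces: an HS256 JWT whose only claim is the issuer.
def kas_jwt(secret, issuer: KAS_JWT_ISSUER)
  header  = b64url_encode({ alg: 'HS256', typ: 'JWT' }.to_json)
  payload = b64url_encode({ iss: issuer }.to_json)
  signing_input = "#{header}.#{payload}"
  "#{signing_input}.#{b64url_encode(OpenSSL::HMAC.digest('SHA256', secret, signing_input))}"
end

# The check a receiver of the Gitlab-Kas-Api-Request header must make: HS256 only
# (no algorithm downgrade), signature valid under the shared secret, issuer matches.
def valid_kas_jwt?(token, secret, issuer: KAS_JWT_ISSUER)
  parts = token.to_s.split('.')
  return false unless parts.size == 3
  header_b64, payload_b64, sig_b64 = parts

  header = JSON.parse(b64url_decode(header_b64))
  return false unless header.is_a?(Hash) && header['alg'] == 'HS256'

  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header_b64}.#{payload_b64}")
  return false unless secure_equal?(expected, b64url_decode(sig_b64))

  claims = JSON.parse(b64url_decode(payload_b64))
  claims.is_a?(Hash) && claims['iss'] == issuer
rescue JSON::ParserError, ArgumentError
  false
end

# Constructed body mirroring the MR's body.json, trimmed to a few of its fields.
DEMO_BODY = {
  'vulnerability' => {
    'category' => 'cluster_image_scanning',
    'name' => 'CVE-2030-9273',
    'severity' => 'Low',
    'scanner' => { 'id' => 'starboard_trivy', 'name' => 'Trivy (via Starboard Operator)' },
    'location' => {
      'dependency' => { 'package' => { 'name' => 'Bitchip' }, 'version' => '0.62' },
      'image' => 'http://wisoky.io/image:latest',
      'kubernetes_resource' => { 'namespace' => 'aut', 'kind' => 'pod', 'name' => 'mtkfirkstw',
                                 'container_name' => 'spfsbzwrrx', 'agent_id' => 'jiccusfqbu' }
    }
  },
  'scanner' => { 'id' => 'starboard-trivy', 'name' => 'Trivy (via Starboard Operator)',
                 'url' => 'https://github.com/aquasecurity/trivy', 'vendor' => { 'name' => 'GitLab' } }
}.freeze

# Assemble the PUT from step 5 without sending it, so the two credentials the
# endpoint authenticates on can be inspected before anything leaves the host.
def starboard_vulnerability_request(base_url, jwt, agent_token, body = DEMO_BODY)
  req = Net::HTTP::Put.new(URI.join(base_url, STARBOARD_PATH))
  req['Gitlab-Kas-Api-Request'] = jwt
  req['Authorization'] = "Bearer #{agent_token}"
  req['Content-Type'] = 'application/json'
  req.body = JSON.generate(body)
  req
end

UUID_RE = /\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/

# Pull the finding UUID this MR adds to the response. The key name 'uuid' is an
# assumption; anything that is not a well-formed UUID yields nil.
def finding_uuid(response_body, key: 'uuid')
  value = JSON.parse(response_body)[key]
  value if value.is_a?(String) && value.match?(UUID_RE)
rescue JSON::ParserError, TypeError
  nil
end

if __FILE__ == $PROGRAM_NAME
  jwt = kas_jwt(DEMO_KAS_SECRET)
  req = starboard_vulnerability_request('http://gdk.test:3000', jwt, 'constructed-agent-token')
  puts "#{req.method} #{req.path} (JWT valid: #{valid_kas_jwt?(jwt, DEMO_KAS_SECRET)})"
end
```

Two details matter for an internal endpoint like this one: the verifier pins the algorithm to HS256 before checking the signature, so a token whose header says `none` or an asymmetric algorithm is rejected outright, and the JWT only proves the request came through KAS; the agent token in the Authorization header is what ties the finding to a specific agent and project, so both must be checked.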

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #345905 (closed)

Edited by Dominic Bauer
