
Query existing vulnerability by UUID in internal Starboard vulnerability API

What does this MR do and why?

Rectifies a regression introduced in !79208 (merged): The Create Starboard Vulnerability internal API endpoint raises when it receives the same payload more than once.

How to set up and validate locally

  1. Create a JWT:

```ruby
JWT.encode({ 'iss' => Gitlab::Kas::JWT_ISSUER }, Gitlab::Kas.secret, 'HS256')
```

  2. Create a fresh project.

  3. Create an agent and accompanying token:

```ruby
agent = Project.last.cluster_agents.create(name: "test", created_by_user: User.find(1))
token = agent.agent_tokens.create(name: "test", created_by_user: User.find(1))
token.token
```

  4. Throw the same vulnerability payload against the API endpoint. On master, the second request is answered with 500.

./vuln.json

```json
{
  "vulnerability": {
    "category": "cluster_image_scanning",
    "name": "CVE-2012-1111",
    "message": "CVE-2012-9579 in Alpha",
    "description": "If we reboot the microchip, we can get to the HTTP feed through the haptic SAS transmitter!",
    "cve": "CVE-2012-9579",
    "severity": "low",
    "confidence": "low",
    "solution": "Try to program the SMTP bus, maybe it will index the back-end alarm!",
    "scanner": {
      "id": "starboard_trivy",
      "name": "Trivy (via Starboard Operator)"
    },
    "location": {
      "dependency": {
        "package": {
          "name": "Zamit"
        },
        "version": "0.72"
      },
      "image": "http://altenwerth-gislason.biz/image:latest",
      "kubernetes_resource": {
        "namespace": "commodi",
        "kind": "pod",
        "name": "jpzlsnxepu",
        "container_name": "zwvjljycyb",
        "agent_id": "rvxwobxjzz"
      }
    },
    "identifiers": [
      {
        "type": "cve",
        "name": "CVE-2012-9579",
        "value": "CVE-2012-9579",
        "url": "http://brown-kunze.com/glen.kassulke"
      }
    ],
    "links": [
      "http://wiegand.io/merry.stark"
    ]
  },
  "scanner": {
    "id": "starboard-trivy",
    "name": "Trivy (via Starboard Operator)",
    "url": "https://github.com/aquasecurity/trivy",
    "vendor": {
      "name": "GitLab"
    }
  }
}
```

```shell
curl --request PUT --header "Gitlab-Kas-Api-Request: $KAS_JWT" \
    --header "Authorization: Bearer $AGENT_TOKEN" --header "Content-Type: application/json" \
    --url "http://gdk.test:3000/api/v4/internal/kubernetes/modules/starboard_vulnerability" \
    -d @vuln.json
```
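The two halves of the validation procedure above, as an added example that is not code from this MR or from GitLab: the first half builds and checks the `Gitlab-Kas-Api-Request` HS256 JWT with the standard library only (so the step works without the `jwt` gem), the second half models why a repeated payload must not raise, by deriving a deterministic UUIDv5 for the finding and doing a find-or-create keyed on it. The secret, issuer, UUID namespace and the exact set of fields hashed into the UUID are assumptions made for this example; the sample payload is a trimmed copy of the `vuln.json` shown above.

```ruby
require 'json'
require 'base64'
require 'openssl'
require 'digest'

# Constructed stand-ins for Gitlab::Kas.secret and Gitlab::Kas::JWT_ISSUER (not GitLab's values).
KAS_SECRET = 'constructed-kas-shared-secret'.freeze
KAS_ISSUER = 'gitlab-kas'.freeze

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Constant-time byte comparison, stdlib only, so it also runs where OpenSSL.secure_compare is absent.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Step 1 of the procedure: the header value that JWT.encode({ 'iss' => issuer }, secret, 'HS256') produces.
def kas_jwt(secret: KAS_SECRET, issuer: KAS_ISSUER)
  signing_input = "#{b64url({ alg: 'HS256', typ: 'JWT' }.to_json)}.#{b64url({ iss: issuer }.to_json)}"
  "#{signing_input}.#{b64url(OpenSSL::HMAC.digest('SHA256', secret, signing_input))}"
end

# Server-side check of that header: signature first, then issuer. Returns the claims or nil.
def verify_kas_jwt(token, secret: KAS_SECRET, issuer: KAS_ISSUER)
  header, payload, sig = token.split('.')
  return nil unless header && payload && sig
  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{payload}")
  return nil unless secure_compare(Base64.urlsafe_decode64(sig), expected)
  claims = JSON.parse(Base64.urlsafe_decode64(payload))
  claims['iss'] == issuer ? claims : nil
rescue ArgumentError, JSON::ParserError
  nil
end

# RFC 4122 name-based UUID (version 5, SHA-1). The namespace is a constructed constant.
FINDING_NAMESPACE = ['b0a7d3e4a1f14c9e8f3a2d6c5e4f1a2b'].pack('H*').freeze

def uuid_v5(namespace_bytes, name)
  bytes = Digest::SHA1.digest(namespace_bytes + name.b)[0, 16].bytes
  bytes[6] = (bytes[6] & 0x0f) | 0x50 # version 5
  bytes[8] = (bytes[8] & 0x3f) | 0x80 # RFC 4122 variant
  hex = bytes.pack('C*').unpack1('H*')
  [hex[0, 8], hex[8, 4], hex[12, 4], hex[16, 4], hex[20, 12]].join('-')
end

# Finding identity = report type + primary identifier + location fingerprint + project.
# Assumption: the real field set GitLab hashes is not shown on this page; this mirrors the idea.
def finding_uuid(payload, project_id)
  vuln = payload.fetch('vulnerability')
  loc  = vuln.fetch('location')
  kube = loc.fetch('kubernetes_resource')
  pkg  = loc.dig('dependency', 'package', 'name')
  location_fingerprint = Digest::SHA1.hexdigest(
    [loc['image'], kube['namespace'], kube['kind'], kube['name'], kube['container_name'], pkg].join('|')
  )
  primary = vuln.fetch('identifiers').first
  name = [vuln['category'], "#{primary['type']}-#{primary['value']}", location_fingerprint, project_id].join('-')
  uuid_v5(FINDING_NAMESPACE, name)
end

# Find-or-create keyed by UUID: a second identical payload returns the existing record
# instead of tripping the uniqueness constraint and raising (the 500 seen on master).
class FindingStore
  def initialize
    @by_uuid = {}
  end

  # Returns [record, created]; created is false when this payload was already ingested.
  def ingest(payload, project_id:)
    uuid = finding_uuid(payload, project_id)
    existing = @by_uuid[uuid]
    return [existing, false] if existing

    record = { uuid: uuid, name: payload.dig('vulnerability', 'name'),
               severity: payload.dig('vulnerability', 'severity'), project_id: project_id }
    @by_uuid[uuid] = record
    [record, true]
  end

  def size
    @by_uuid.size
  end
end

# Constructed payload in the shape of vuln.json, trimmed to the fields the lookup uses.
SAMPLE_PAYLOAD = JSON.parse(<<~PAYLOAD)
  {
    "vulnerability": {
      "category": "cluster_image_scanning",
      "name": "CVE-2012-1111",
      "severity": "low",
      "identifiers": [{ "type": "cve", "name": "CVE-2012-9579", "value": "CVE-2012-9579" }],
      "location": {
        "dependency": { "package": { "name": "Zamit" }, "version": "0.72" },
        "image": "http://altenwerth-gislason.biz/image:latest",
        "kubernetes_resource": { "namespace": "commodi", "kind": "pod", "name": "jpzlsnxepu",
                                 "container_name": "zwvjljycyb", "agent_id": "rvxwobxjzz" }
      }
    }
  }
PAYLOAD

if __FILE__ == $PROGRAM_NAME
  store = FindingStore.new
  _, first  = store.ingest(SAMPLE_PAYLOAD, project_id: 1)
  _, second = store.ingest(SAMPLE_PAYLOAD, project_id: 1)
  puts "first created=#{first}, second created=#{second}, records=#{store.size}"
  puts "JWT accepted: #{!verify_kas_jwt(kas_jwt).nil?}"
end
```

Because the UUID is derived from the payload and the project rather than generated at insert time, the same finding posted by the same agent twice resolves to one row, while the same payload under a different project still creates a new one; the JWT check rejects both a wrong secret and a wrong issuer before any payload is looked at.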

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #345905 (closed)

Edited by Dominic Bauer
