
Don't reuse vulnerability identifiers across projects

Similar to !84160 (merged), not only vulnerability scanner records, but also vulnerability findings are erroneously getting shared between projects.

This is a permission issue, because project owners cannot access their vulnerability findings, as they belong to another project.

Query (postgres.ai):

```sql
SELECT
  "vulnerability_identifiers".*
FROM
  "vulnerability_identifiers"
WHERE
  "vulnerability_identifiers"."name" = 'Test identifier 1'
  AND "vulnerability_identifiers"."project_id" = 105
  AND "vulnerability_identifiers"."external_type" = 'other'
  AND "vulnerability_identifiers"."external_id" = 'Test identifier 1'
LIMIT
  1
```

```
 Limit  (cost=0.56..115.13 rows=1 width=159) (actual time=12.174..12.176 rows=0 loops=1)
   Buffers: shared read=4
   I/O Timings: read=12.119 write=0.000
   ->  Index Scan using index_vulnerability_identifiers_on_project_id_and_fingerprint on public.vulnerability_identifiers  (cost=0.56..115.13 rows=1 width=159) (actual time=12.172..12.173 rows=0 loops=1)
         Index Cond: (vulnerability_identifiers.project_id = 105)
         Filter: (((vulnerability_identifiers.name)::text = 'Test identifier 1'::text) AND ((vulnerability_identifiers.external_id)::text = 'Test identifier 1'::text) AND ((vulnerability_identifiers.external_type)::text = 'other'::text))
         Rows Removed by Filter: 0
         Buffers: shared read=4
         I/O Timings: read=12.119 write=0.000
```
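The following is an added, self-contained illustration of the bug class and the fix, not GitLab's code: a find-or-create lookup that matches an identifier on `name`/`external_type`/`external_id` alone will happily return a row that belongs to a different project, so the new finding ends up pointing at an identifier the project owner is not authorised to read. Adding `project_id` to the predicate, as the query above does, makes the lookup miss the foreign row and create a project-local one. The table layout below is a simplified stand-in built from the columns visible in the query and the index name (the real schema is an assumption), the sample rows are constructed, and SQLite is used only so the example runs offline.

```python
import sqlite3

# Constructed, simplified stand-in for the vulnerability_identifiers table.
# Column names follow the query on this page; the actual GitLab schema is an assumption.
SCHEMA = """
CREATE TABLE vulnerability_identifiers (
    id            INTEGER PRIMARY KEY,
    project_id    INTEGER NOT NULL,
    fingerprint   TEXT    NOT NULL,
    external_type TEXT    NOT NULL,
    external_id   TEXT    NOT NULL,
    name          TEXT    NOT NULL,
    UNIQUE (project_id, fingerprint)
);
"""

# Constructed sample data: project 42 already has the identifier, project 105 does not.
ROWS = [
    (1, 42, "fp-other-test-identifier-1", "other", "Test identifier 1", "Test identifier 1"),
]


def open_db():
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO vulnerability_identifiers VALUES (?, ?, ?, ?, ?, ?)", ROWS)
    return conn


def find_unscoped(conn, name, external_type, external_id):
    """Buggy lookup: matches on the identifier's attributes only, so a record
    owned by any project satisfies the query."""
    return conn.execute(
        "SELECT id, project_id FROM vulnerability_identifiers "
        "WHERE name = ? AND external_type = ? AND external_id = ? LIMIT 1",
        (name, external_type, external_id),
    ).fetchone()


def find_scoped(conn, project_id, name, external_type, external_id):
    """Fixed lookup: same predicates plus project_id, mirroring the query above."""
    return conn.execute(
        "SELECT id, project_id FROM vulnerability_identifiers "
        "WHERE name = ? AND project_id = ? AND external_type = ? AND external_id = ? LIMIT 1",
        (name, project_id, external_type, external_id),
    ).fetchone()


def find_or_create(conn, project_id, name, external_type, external_id, fingerprint, scoped=True):
    """Find-or-create as a scanner ingest would do it.
    Returns (id, project_id) of the identifier row the finding would be linked to."""
    if scoped:
        row = find_scoped(conn, project_id, name, external_type, external_id)
    else:
        row = find_unscoped(conn, name, external_type, external_id)
    if row is None:
        cur = conn.execute(
            "INSERT INTO vulnerability_identifiers "
            "(project_id, fingerprint, external_type, external_id, name) VALUES (?, ?, ?, ?, ?)",
            (project_id, fingerprint, external_type, external_id, name),
        )
        row = (cur.lastrowid, project_id)
    return row


def demo():
    """Ingest the same identifier for project 105 both ways.
    Unscoped: reuses row 1, which belongs to project 42 (cross-project leak).
    Scoped:   creates a new row owned by project 105."""
    conn = open_db()
    args = ("Test identifier 1", "other", "Test identifier 1", "fp-other-test-identifier-1")
    leaked = find_or_create(conn, 105, *args, scoped=False)
    own = find_or_create(conn, 105, *args, scoped=True)
    return leaked, own


if __name__ == "__main__":
    leaked, own = demo()
    print("unscoped lookup linked project 105 to identifier", leaked)
    print("scoped lookup linked project 105 to identifier", own)
```

The unscoped path is the one that produces the permission failure described above: the finding is created in project 105 but references an identifier whose `project_id` is 42, so any access check that verifies the identifier belongs to the caller's project rejects it. The scoped path also matches the plan shown on the page, which can use `index_vulnerability_identifiers_on_project_id_and_fingerprint` because `project_id` is now part of the predicate.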

Related to #354082

Edited by Dominic Bauer
