
DAST evidence no longer appears on the MR widget

Summary

Recent changes to the Secure backend code have resulted in the DAST "evidence" no longer being displayed on the GitLab merge request (MR) widget. Evidence is important because it lets a user verify whether or not a reported vulnerability is a false positive: it is the concrete response fragment (a header, a form, a cookie) that the scanner matched when it raised the alert.

Example

In the following screenshot, the Set-Cookie: ... text is an example of the field that is no longer displayed.

[Screenshot: dast-evidence]

Steps to reproduce

  1. Create a new test project.
  2. Set the contents of .gitlab-ci.yml to the following (the job only copies a hand-written report into place, so no scanner needs to run):
     dast:
       script:
         - cp report.json gl-dast-report.json
       artifacts:
         reports:
           dast: gl-dast-report.json
  3. Set the contents of report.json to the following:
     {
       "@generated": "Tue, 22 Oct 2019 01:01:55",
       "@version":   "D-2019-09-23",
       "site":       [
         {
           "@host":  "nginx",
           "@name":  "http://nginx",
           "@port":  "80",
           "@ssl":   "false",
           "alerts": []
         }
       ],
       "spider":     {
         "progress": "100",
         "result":   {
           "urlsInScope":    [],
           "urlsIoError":    [],
           "urlsOutOfScope": []
         },
         "state":    "FINISHED"
       }
     }
  4. Make sure both files are committed and pushed, and that the master branch pipeline has run successfully. The security dashboard should show no errors.
  5. On a new branch, update report.json to the following:
     {
       "@generated": "Tue, 22 Oct 2019 01:01:55",
       "@version":   "D-2019-09-23",
       "site":       [
         {
           "@host":  "nginx",
           "@name":  "http://nginx",
           "@port":  "80",
           "@ssl":   "false",
           "alerts": [
             {
               "alert":      "Anti CSRF Tokens Scanner",
               "confidence": "2",
               "count":      "1",
               "cweid":      "352",
               "desc":       "<p>A cross-site request forgery is an attack that involves forcing a victim...</p>",
               "instances":  [
                 {
                   "attack": "",
                   "evidence": "<form action=\"/myform\" method=\"POST\">",
                   "method":   "GET",
                   "param":    "",
                   "uri":      "http://nginx"
                 }
               ],
               "name":       "Anti CSRF Tokens Scanner",
               "otherinfo":  "",
               "pluginid":   "20012",
               "reference":  "<p>http://projects.webappsec.org/Cross-Site-Request-Forgery</p>",
               "riskcode":   "3",
               "riskdesc":   "High (Medium)",
               "solution":   "<p>Phase: Architecture and Design</p><p>Use a vetted library or framework ...</p>",
               "sourceid":   "1",
               "wascid":     "9"
             }
           ]
         }
       ],
       "spider":     {
         "progress": "100",
         "result":   {
           "urlsInScope":    [],
           "urlsIoError":    [],
           "urlsOutOfScope": []
         },
         "state":    "FINISHED"
       }
     }
  6. Commit and push the branch, create an MR, and wait for the pipeline to run.
  7. The security widget on the MR should contain one new vulnerability for DAST. This vulnerability should be called Anti CSRF Tokens Scanner.
  8. Click on the new vulnerability. On the popup screen, <form action="/myform" method="POST"> should be displayed as the evidence of the vulnerability.
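Before attributing a blank evidence field to the widget, it is worth confirming that the report artifact actually carries an evidence string for the instance in question. The following Python script is an added example, not part of the original issue or of GitLab's code: it parses a ZAP-style gl-dast-report.json of the shape used in the steps above, returns one record per alert instance with the evidence the widget is expected to show, and lists instances whose evidence is empty (in which case the report, not the UI, is at fault). The embedded report is the one from step 5; the riskcode and confidence number-to-label mapping is the ZAP convention and is an assumption, not something the issue states.

```python
"""Check a ZAP-style GitLab DAST report for per-instance evidence.

Added example for this issue; not GitLab's own code. It answers one
question: does gl-dast-report.json contain the evidence string that the
MR widget should be displaying for each alert instance?
"""
import json

# Constructed sample: the report.json from step 5 of the reproduction steps,
# containing a single "Anti CSRF Tokens Scanner" alert with one instance.
SAMPLE_REPORT = r'''
{
  "@generated": "Tue, 22 Oct 2019 01:01:55",
  "@version":   "D-2019-09-23",
  "site": [
    {
      "@host": "nginx", "@name": "http://nginx", "@port": "80", "@ssl": "false",
      "alerts": [
        {
          "alert": "Anti CSRF Tokens Scanner",
          "confidence": "2",
          "count": "1",
          "cweid": "352",
          "desc": "<p>A cross-site request forgery is an attack that involves forcing a victim...</p>",
          "instances": [
            {
              "attack": "",
              "evidence": "<form action=\"/myform\" method=\"POST\">",
              "method": "GET",
              "param": "",
              "uri": "http://nginx"
            }
          ],
          "name": "Anti CSRF Tokens Scanner",
          "otherinfo": "",
          "pluginid": "20012",
          "reference": "<p>http://projects.webappsec.org/Cross-Site-Request-Forgery</p>",
          "riskcode": "3",
          "riskdesc": "High (Medium)",
          "solution": "<p>Phase: Architecture and Design</p><p>Use a vetted library or framework ...</p>",
          "sourceid": "1",
          "wascid": "9"
        }
      ]
    }
  ],
  "spider": {"progress": "100", "result": {"urlsInScope": [], "urlsIoError": [], "urlsOutOfScope": []}, "state": "FINISHED"}
}
'''

# ZAP convention for the numeric riskcode / confidence fields (assumption:
# the issue itself only shows riskcode "3" rendered as "High (Medium)").
RISK = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}
CONFIDENCE = {"0": "False Positive", "1": "Low", "2": "Medium", "3": "High", "4": "User Confirmed"}


def load_report(text):
    """Parse the JSON artifact; raises ValueError on malformed input."""
    return json.loads(text)


def extract_evidence(report):
    """One record per alert instance, carrying what the MR widget should display."""
    records = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            risk = RISK.get(alert.get("riskcode"), "unknown")
            confidence = CONFIDENCE.get(alert.get("confidence"), "unknown")
            for inst in alert.get("instances", []):
                records.append({
                    "site": site.get("@name"),
                    "alert": alert.get("alert"),
                    "cweid": alert.get("cweid"),
                    "risk": risk,
                    "confidence": confidence,
                    # riskdesc as written by the scanner vs. what the codes imply
                    "riskdesc": alert.get("riskdesc"),
                    "riskdesc_expected": "%s (%s)" % (risk, confidence),
                    "uri": inst.get("uri"),
                    "method": inst.get("method"),
                    "evidence": inst.get("evidence", ""),
                })
    return records


def missing_evidence(records):
    """Instances with no evidence at all: nothing for the widget to show."""
    return [r for r in records if not r["evidence"]]


if __name__ == "__main__":
    recs = extract_evidence(load_report(SAMPLE_REPORT))
    for r in recs:
        print("%s [CWE-%s] %s %s -> evidence: %r" % (
            r["alert"], r["cweid"], r["method"], r["uri"], r["evidence"]))
    if missing_evidence(recs):
        print("report lacks evidence for %d instance(s)" % len(missing_evidence(recs)))
```

If the script prints the <form ...> fragment for the instance but the MR popup stays blank, the artifact is fine and the regression is in the widget path, which is what this issue reports.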

What is the current bug behavior?

When clicking on the MR vulnerability, no evidence is displayed.

What is the expected correct behavior?

The evidence recorded in the report for that instance (here, <form action="/myform" method="POST">) should be displayed in the vulnerability popup.

Example

[Screenshot]

Edited by Dheeraj Joshi