
Add cve_id method to CveIssue

Steve Abrams requested to merge delivery19665-cve-id into master

What does this MR do and why?

Adds a method to fetch the CVE ID from the CVES issue notes. This logic is mostly copied from the security-release-tools project: https://gitlab.com/gitlab-com/gl-security/appsec/tooling/security-release-tools/-/blob/73ba5dc6226e78489e7aef0d0035d322ac211cec/scripts/utils.rb#L210-224. This ID is what we use to cross-link to the vulnerability as listed in https://cve.mitre.org/.

While fetching this value from the notes is not the most efficient and reliable way to store the value, we are not looking to change the existing process during this iteration, but just add this functionality to our tooling as we work to combine the security and patch blog posts in gitlab-com/gl-infra&1073 (closed).

I used a VCR cassette to record and test the API request. It is requesting from this issue, which is public: cves#759 (closed). I've cleaned the VCR specifics to remove any authentication information and also updated the IDs used in the VCR cassette. For extra safety, the PAT I used when making this request (you have to be authenticated for this API even though it is a public issue) has already been revoked. For reference, this is the API endpoint it recorded: https://gitlab.com/api/v4/projects/18741849/issues/759/notes.

Related to gitlab-com/gl-infra/delivery#19665 (closed)

Local testing

I also tested this in the console. Note all of the IDs and information below have been sanitized to not release any real security information:

```console
RELEASE_BOT_PRODUCTION_TOKEN=REDACTED be pry --gem
[1] pry(main)> cve_project_id = 12345
[2] pry(main)> issue = ReleaseTools::GitlabClient.issues(cve_project_id).first
2023-09-25 19:42:48.693643 D ReleaseTools::GitlabClient -- [HTTParty] [2023-09-25 19:42:48 -0600] 200 "GET https://gitlab.com/api/v4/projects/12345/issues" -
=> #<Gitlab::ObjectifiedHash........
[3] pry(main)> cve_issue = ReleaseTools::Security::CvesIssue.new(issue)
=> #<ReleaseTools::Security::CvesIssue:.....
[4] pry(main)> cve_issue.cve_id
2023-09-25 19:43:21.792146 D ReleaseTools::GitlabClient -- [HTTParty] [2023-09-25 19:43:21 -0600] 200 "GET https://gitlab.com/api/v4/projects/12345/issues/1/notes" -
=> "CVE-2222-1111"
```

Author Check-list

  • [-] Has documentation been updated?
Edited by Steve Abrams
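The MR describes a `cve_id` method that reads the issue notes through the notes API and pulls the CVE identifier out of them. The following is an added example of that note-scanning approach, written for this page; it is not the release-tools or security-release-tools code. The class name `ExampleCvesIssue`, the injected `fetch_notes` callable, and the note payloads are all assumptions and constructed data so the block runs offline; in the real tool the notes come from `GET /projects/:id/issues/:iid/notes`, which, as the author notes above, requires an authenticated token even for a public issue.

```ruby
# Added example: extract a CVE ID from the notes of a CVES issue.
# Not the release-tools code; the note objects below are constructed
# to look like the GitLab notes API payload (an Array of Hashes).

# CVE identifier syntax: "CVE-" + four-digit year + four or more digits
# (sequence numbers longer than four digits have been permitted since 2014).
CVE_ID_PATTERN = /\bCVE-\d{4}-\d{4,}\b/

# Stand-in for a CvesIssue#cve_id implementation (assumed shape).
# `fetch_notes` is any callable taking (project_id, iid) and returning
# note Hashes with "body" and "created_at" keys; it is injected so the
# example does not need network access or a token.
class ExampleCvesIssue
  attr_reader :project_id, :iid

  def initialize(project_id:, iid:, fetch_notes:)
    @project_id = project_id
    @iid = iid
    @fetch_notes = fetch_notes
  end

  # Return the first CVE ID found in the notes, scanning the oldest note
  # first, or nil when no note carries one. Anchoring the scan to the
  # oldest note keeps a later note that merely quotes the ID from
  # changing the result.
  def cve_id
    notes = @fetch_notes.call(project_id, iid)
    notes.sort_by { |note| note['created_at'].to_s }.each do |note|
      match = CVE_ID_PATTERN.match(note['body'].to_s)
      return match[0] if match
    end
    nil
  end
end

# Constructed notes (not from a real issue), keyed by [project_id, iid].
# Issue 1 has the ID inside a cve.mitre.org URL; issue 2 has no ID yet.
EXAMPLE_NOTES = {
  [12_345, 1] => [
    { 'id' => 3, 'created_at' => '2023-09-25T01:00:00Z',
      'body' => 'Blog post draft is ready for review.' },
    { 'id' => 2, 'created_at' => '2023-09-24T12:00:00Z',
      'body' => 'Assigned: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2222-1111' },
    { 'id' => 1, 'created_at' => '2023-09-24T10:00:00Z',
      'body' => 'Requesting a CVE ID for this issue.' }
  ],
  [12_345, 2] => [
    { 'id' => 4, 'created_at' => '2023-09-26T10:00:00Z',
      'body' => 'No identifier requested yet.' }
  ]
}.freeze

# Offline replacement for the notes API call.
OFFLINE_FETCH_NOTES = lambda do |project_id, iid|
  EXAMPLE_NOTES.fetch([project_id, iid], [])
end

# Convenience wrapper used by the usage below.
def example_cve_id(iid)
  ExampleCvesIssue.new(project_id: 12_345, iid: iid,
                       fetch_notes: OFFLINE_FETCH_NOTES).cve_id
end

if $PROGRAM_NAME == __FILE__
  puts example_cve_id(1).inspect # => "CVE-2222-1111"
  puts example_cve_id(2).inspect # => nil
end
```

The regex is deliberately strict about the identifier shape, so a note that only says "CVE pending" or contains a malformed ID yields `nil` rather than a partial string, which is the case a caller cross-linking to cve.mitre.org needs to handle explicitly. To wire this to the real API, the callable would wrap the authenticated notes request and return its parsed body.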
