Integrate CWE information into gosec reports
What does this MR do?
This MR improves the vulnerability descriptions from the gosec analyser discussed in this issue.
This MR relies on two things:

- A recent version of gosec that includes our patch https://github.com/securego/gosec/issues/368. This patch links every gosec rule to its corresponding CWE. The mappings have been double-checked by the gosec authors.
- Our Go package cwe-info-go (https://gitlab.com/gitlab-org/security-products/cwe-info-go). This is a Go package generated from data contained in cwe-info. It contains the relevant CWE data (ID, Title, Description, Solution/Mitigation), which we leverage to show better vulnerability descriptions.
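To illustrate the enrichment step this MR describes, here is an added example (not code from this MR, gosec, or cwe-info-go): it parses a constructed gosec JSON report, looks the emitted CWE ID up in a constructed stand-in for the cwe-info-go data, and merges title, description and mitigation into each finding, keeping gosec's own text when a CWE is unknown. The gosec JSON field names and the stand-in table are assumptions, not the real package's API.

```go
package main

import "encoding/json"

// CWEInfo carries the fields the MR says cwe-info-go provides for a CWE.
type CWEInfo struct{ ID, Title, Description, Solution string }

// cweTable is a constructed stand-in for the generated cwe-info-go data.
var cweTable = map[string]CWEInfo{
	"798": {"798", "Use of Hard-coded Credentials",
		"The software contains hard-coded credentials such as a password or key.",
		"Keep credentials out of the source and load them at runtime."},
}

// gosecIssue is the subset of a gosec JSON issue used here; the cwe object is
// what the patched gosec emits for each rule (field names assumed).
type gosecIssue struct {
	RuleID  string `json:"rule_id"`
	Details string `json:"details"`
	CWE     struct {
		ID  string `json:"id"`
		URL string `json:"url"`
	} `json:"cwe"`
}

// Enriched is one report entry after the CWE data has been merged in.
type Enriched struct{ RuleID, CWEID, Title, Description, Solution string }

// Enrich swaps gosec's terse detail text for the CWE title, description and
// mitigation when the CWE is in the table, and keeps the original otherwise.
func Enrich(raw []byte) ([]Enriched, error) {
	var report struct{ Issues []gosecIssue `json:"Issues"` }
	if err := json.Unmarshal(raw, &report); err != nil {
		return nil, err
	}
	out := make([]Enriched, 0, len(report.Issues))
	for _, is := range report.Issues {
		e := Enriched{RuleID: is.RuleID, CWEID: is.CWE.ID, Description: is.Details}
		if info, ok := cweTable[is.CWE.ID]; ok {
			e.Title, e.Description, e.Solution = info.Title, info.Description, info.Solution
		}
		out = append(out, e)
	}
	return out, nil
}

// sampleReport is a constructed two-issue gosec report, not real tool output.
const sampleReport = `{"Issues":[
 {"rule_id":"G101","details":"Potential hardcoded credentials","cwe":{"id":"798","url":"https://cwe.mitre.org/data/definitions/798.html"}},
 {"rule_id":"G999","details":"rule without CWE data","cwe":{"id":"0","url":""}}]}`
```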
What are the relevant issue numbers?
gitlab-org/gitlab#14940 (comment 215635208)
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer
Edited by Julian Thome