Integrate CWE information into gosec reports
This MR applies the same changes as !22 (closed). I just opened a fresh MR based on a branch name without `/` so that the `tag` job does not fail anymore.
Description from !22 (closed):

What does this MR do?
This MR improves the vulnerability descriptions from the gosec analyser discussed in this issue.
This MR relies on two things:

- A recent version of gosec that includes our patch (https://github.com/securego/gosec/issues/368). This patch links every gosec rule to its corresponding CWE. The mappings have been double-checked by the gosec authors.
- Our Go package cwe-info-go (https://gitlab.com/gitlab-org/security-products/cwe-info-go). This is a Go package generated from the data contained in cwe-info. It contains the relevant CWE data (ID, title, description, solution/mitigation), which we use to show better vulnerability descriptions.
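As an added illustration of the mechanism described above (this is example code, not code from this MR, from gosec, or from cwe-info-go): a Go program that reads a gosec JSON report, joins each finding's reported CWE ID against a CWE table of the kind cwe-info-go provides, and falls back to the bare rule description when a finding carries no CWE (older gosec) or an ID the table does not know. The report shape (`Issues`, `rule_id`, `cwe.ID`), the contents of `cweTable`, the sample report and the `enrichedVuln` structure are assumptions made for this example; cwe-info-go's real API is not used.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// gosecReport mirrors the subset of gosec's JSON output used here (assumed shape).
type gosecReport struct {
	Issues []gosecIssue `json:"Issues"`
}

type gosecIssue struct {
	RuleID   string    `json:"rule_id"`
	Details  string    `json:"details"`
	Severity string    `json:"severity"`
	File     string    `json:"file"`
	Line     string    `json:"line"`
	CWE      *gosecCWE `json:"cwe,omitempty"` // absent in gosec versions without the CWE patch
}

type gosecCWE struct {
	ID  string `json:"ID"`
	URL string `json:"URL"`
}

// cweInfo stands in for the data cwe-info-go carries per CWE (title, description, solution).
type cweInfo struct {
	Title       string
	Description string
	Solution    string
}

// cweTable is constructed sample data with abbreviated text; the real package is generated from cwe-info.
var cweTable = map[string]cweInfo{
	"338": {
		Title:       "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
		Description: "The product uses a PRNG in a security context, but the PRNG's algorithm is not cryptographically strong.",
		Solution:    "Use a cryptographically secure random number generator such as crypto/rand.",
	},
	"78": {
		Title:       "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
		Description: "Externally-influenced input is used to construct an OS command without neutralizing special elements.",
		Solution:    "Avoid shelling out; pass arguments as a vector and validate them against an allow-list.",
	},
}

// enrichedVuln is the record an enriched report would carry for one finding.
type enrichedVuln struct {
	RuleID      string
	CWEID       string // empty when gosec reported no CWE
	Name        string
	Description string
	Solution    string
	Severity    string
	Location    string
	Identifiers []string
}

// enrich parses a gosec JSON report and attaches CWE title/description/solution
// to every finding whose CWE ID is known; otherwise the gosec rule text is kept.
func enrich(raw []byte) ([]enrichedVuln, error) {
	var rep gosecReport
	if err := json.Unmarshal(raw, &rep); err != nil {
		return nil, fmt.Errorf("parse gosec report: %w", err)
	}
	out := make([]enrichedVuln, 0, len(rep.Issues))
	for _, is := range rep.Issues {
		v := enrichedVuln{
			RuleID:      is.RuleID,
			Name:        is.Details, // fallback: the rule's own text
			Description: is.Details,
			Severity:    is.Severity,
			Location:    is.File + ":" + is.Line,
			Identifiers: []string{"gosec:" + is.RuleID},
		}
		if is.CWE != nil && is.CWE.ID != "" {
			// Keep the CWE identifier even when we have no descriptive data for it.
			v.CWEID = is.CWE.ID
			v.Identifiers = append(v.Identifiers, "CWE-"+is.CWE.ID)
			if info, ok := cweTable[is.CWE.ID]; ok {
				v.Name = info.Title
				v.Description = is.Details + "\n\n" + info.Description
				v.Solution = info.Solution
			}
		}
		out = append(out, v)
	}
	return out, nil
}

// sampleReport is a constructed gosec-style report: one known CWE, one unknown CWE, one finding without CWE.
const sampleReport = `{
  "Issues": [
    {"severity": "HIGH", "cwe": {"ID": "338", "URL": "https://cwe.mitre.org/data/definitions/338.html"},
     "rule_id": "G404", "details": "Use of weak random number generator (math/rand instead of crypto/rand)",
     "file": "token.go", "line": "12"},
    {"severity": "MEDIUM", "cwe": {"ID": "9999", "URL": "https://cwe.mitre.org/data/definitions/9999.html"},
     "rule_id": "G999", "details": "Constructed finding with a CWE the table does not know",
     "file": "x.go", "line": "3"},
    {"severity": "LOW", "rule_id": "G104", "details": "Errors unhandled.", "file": "main.go", "line": "40"}
  ]
}`

func main() {
	vulns, err := enrich([]byte(sampleReport))
	if err != nil {
		panic(err)
	}
	for _, v := range vulns {
		fmt.Printf("%s %v\n  name: %s\n  solution: %q\n", v.Location, v.Identifiers, v.Name, v.Solution)
	}
}
```

The fallback branch is the part worth keeping when wiring this into an analyzer: a report must still be valid when gosec predates the CWE patch or emits an ID the CWE package lacks, so the rule text and the `gosec:<rule>` identifier are always present and CWE data only adds to them.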
What are the relevant issue numbers?
gitlab-org/gitlab#14940 (comment 215635208)
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer
Edited by Lucas Charles