Aggregate noisy DAST vulnerabilities
What does this MR do?
Some vulnerabilities are noisy, so this MR adds the command line option `--aggregate-vulnerabilities` to allow those noisy vulnerabilities to be aggregated in `gl-dast-report.json`.
This feature is only enabled via the undocumented option because, to complete the issue, DAST must use the `details` field defined in the security reports schema; however, that field won't be defined until gitlab-org/gitlab#277119 (closed), so we're adding the logic here in a form that can easily be edited to conform to the schema in a follow-up MR.
Applying `--aggregate-vulnerabilities` will result in a `details` field being added to the aggregated vulnerabilities object:
```diff
 "vulnerabilities": [
   {
     "category": "dast",
     "confidence": "High",
     "cve": "10036",
+    "details": [
+      {
+        "url": "http://nginx"
+      },
+      {
+        "url": "http://nginx/"
+      },
+      {
+        "url": "http://nginx/robots.txt"
+      },
+      {
+        "url": "http://nginx/sitemap.xml"
+      },
+      {
+        "url": "http://nginx/myform"
+      }
+    ],
     "description": "",
     "evidence": {},
     "id": "9e83754e-0cd2-4799-8362-941ee24a36c7",
     "identifiers": [],
     "links": [],
     "location": {
       "hostname": "http://nginx",
       "method": "GET",
       "param": "",
       "path": ""
     },
     "message": "",
     "scanner": {},
     "severity": "Low",
     "solution": ""
   }
 ]
```
Implementation plan:
- List URLs in the `details` tag
- Aggregated vulnerabilities should have an empty `location`
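The aggregation sketched in the plan above, as an added illustration written for this description rather than taken from the DAST project's code: findings that share a noisy rule id (assumed here to be the `cve` field) collapse into one entry whose `details` list the affected URLs (assumed to be `hostname` + `path`) and whose `location` is emptied, while other findings pass through untouched. The struct shapes, the `noisy` set and the sample input are all assumptions.

```go
package main

import "encoding/json"
import "fmt"
// Location mirrors the "location" object of a gl-dast-report.json entry (method and param omitted).
type Location struct {
	Hostname string `json:"hostname"`
	Path     string `json:"path"`
}
// Detail is one element of the "details" list this MR adds (assumed shape: {"url": ...}).
type Detail struct {
	URL string `json:"url"`
}
// Vulnerability keeps only the report fields needed for aggregation.
type Vulnerability struct {
	CVE      string   `json:"cve"`
	Location Location `json:"location"`
	Details  []Detail `json:"details,omitempty"`
}
// AggregateVulnerabilities merges every finding whose cve is in noisy (an assumed allow-list) into
// one entry whose details list the URL (hostname + path) of each merged finding and whose location
// is empty. Output keeps first-seen order.
func AggregateVulnerabilities(in []Vulnerability, noisy map[string]bool) []Vulnerability {
	var out []Vulnerability
	merged := map[string]int{} // cve -> index in out of its aggregated entry
	for _, v := range in {
		if !noisy[v.CVE] {
			out = append(out, v) // leave non-noisy findings as they are
			continue
		}
		i, ok := merged[v.CVE]
		if !ok {
			agg := v
			agg.Location, agg.Details = Location{}, nil // no single location once aggregated
			i, merged[v.CVE] = len(out), len(out)
			out = append(out, agg)
		}
		out[i].Details = append(out[i].Details, Detail{URL: v.Location.Hostname + v.Location.Path})
	}
	return out
}
func main() {
	// Constructed sample: two hits of noisy rule 10036 around one unrelated finding.
	in := []Vulnerability{
		{CVE: "10036", Location: Location{"http://nginx", "/robots.txt"}},
		{CVE: "40012", Location: Location{"http://nginx", "/myform"}},
		{CVE: "10036", Location: Location{"http://nginx", "/sitemap.xml"}},
	}
	b, _ := json.MarshalIndent(AggregateVulnerabilities(in, map[string]bool{"10036": true}), "", "  ")
	fmt.Println(string(b))
}
```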
What are the relevant issue numbers?
This MR is related to gitlab-org/gitlab#254043 (closed)
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Job definition example
- Vendored CI Templates (also in CE)
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer
Edited by Craig Smith