fix(vuln): GitLab report template #2578

thiago-gitlab · 2022-07-25T01:30:48Z

Description

Upgrade to schema 14.0.6 (https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/v14.0.6/dist/container-scanning-report-format.json).
Drop unsupported confidence property. Currently optional and will be removed by GitLab in schema 15-0-0.

I've generated a test report using:

trivy image --exit-code 0 --security-checks vuln --format template --template "@contrib/gitlab.tpl" -o gl-container-scanning-report.json webgoat/webgoat-8.0:latest

And I've validated locally:

Thiagos-MacBook-Pro:tmp thiago$ ruby validate.rb container-scanning-report-format_14-0-6.json ~/repos/aquasecurity/trivy/gl-container-scanning-report.json
property '/vulnerabilities/8/identifiers/0/url' does not match format: uri
property '/vulnerabilities/11/identifiers/0/url' does not match format: uri
property '/vulnerabilities/140/links/4/url' does not match format: uri
property '/vulnerabilities/140/links/5/url' does not match format: uri
property '/vulnerabilities/140/links/6/url' does not match format: uri
property '/vulnerabilities/147/links/6/url' does not match format: uri
property '/vulnerabilities/147/links/7/url' does not match format: uri
property '/vulnerabilities/148/links/21/url' does not match format: uri
property '/vulnerabilities/148/links/22/url' does not match format: uri
property '/vulnerabilities/177/identifiers/0/url' does not match format: uri
property '/vulnerabilities/267/identifiers/0/url' does not match format: uri
property '/vulnerabilities/317/links/22/url' does not match format: uri
property '/vulnerabilities/331/links/4/url' does not match format: uri
property '/vulnerabilities/354/links/4/url' does not match format: uri
property '/vulnerabilities/443/links/22/url' does not match format: uri
property '/vulnerabilities/469/identifiers/0/url' does not match format: uri
property '/vulnerabilities/470/identifiers/0/url' does not match format: uri
property '/vulnerabilities/471/identifiers/0/url' does not match format: uri
property '/vulnerabilities/472/identifiers/0/url' does not match format: uri
property '/vulnerabilities/473/identifiers/0/url' does not match format: uri
property '/vulnerabilities/474/identifiers/0/url' does not match format: uri
property '/vulnerabilities/486/links/3/url' does not match format: uri

The errors above are because:

Some Debian advisories are missing the url

      "identifiers": [
        {
          "type": "cve",
          "name": "DLA-2424-1",
          "value": "DLA-2424-1",
          "url": ""
        }
      ],

Malformed URLs. E.g.: "https://gitlab.freedesktop.org/dbus/dbus/-/commit/2b7948ef907669e844b52c4fa2268d6e3162a70c (dbus-1.13.18)".

These invalid entries display as errors in the GitLab pipeline security tab, and are ignored when ingesting the data for vulnerability reports.

Finally, I was going to add a scan section, since this will be required soon. Unfortunately my Golang is lacking, and I can't seem to find an existing variable that I can use in the template to output the Trivy version. E.g.:

  "scan": {
    "scanner": {
      "id": "trivy",
      "name": "Trivy",
      "url": "https://github.com/aquasecurity/trivy/",
      "vendor": {
        "name": "Aqua Security"
      },
      "version": "0.32.2"
    }
  },

Related issues

Close Integration with GitLab will stop working in GitLab 15.0 #1598

Related PRs

docs(vuln): Include GitLab 15.0 integration #2153

Checklist

I've read the guidelines for contributing to this repository.
I've followed the conventions in the PR title.
I've added tests that prove my fix is effective or that my feature works.
I've updated the documentation with the relevant information (if needed).
I've added usage information (if the PR introduces new options)
I've included a "before" and "after" example to the description (if the PR is a user interface change).

thiago-gitlab · 2022-07-25T01:39:02Z

contrib/gitlab.tpl

  "vulnerabilities": [
  {{- $t_first := true }}
  {{- range . }}
  {{- $target := .Target }}
+    {{ $image := $target | regexFind "^[^:\\s]+" }}


Remove the OS from the image.

While version 14.0.6 of the schema doesn't enforce the format, version 14.1.x and later versions do. So I opted for using the string up to a space; e.g. webgoat/webgoat-8.0:latest (debian 9.6) becomes webgoat/webgoat-8.0:latest.

See also #332.

thiago-gitlab · 2022-07-25T01:47:53Z

contrib/gitlab.tpl

  "vulnerabilities": [
  {{- $t_first := true }}
  {{- range . }}
  {{- $target := .Target }}
+    {{ $image := $target | regexFind "[^\\s]+" }}


Not exactly a valid docker image string either, but 14.0.6 doesn't validate the pattern, so we can be less strict here.

thiago-gitlab · 2022-07-25T04:04:51Z

@knqyf263, there's an integration test failing. Unfortunately it doesn't show me a diff of what it's expecting, and I'm not sure this can be run locally.

Do you have a suggestion?

    --- FAIL: TestClientServerWithFormat/alpine_3.10_with_gitlab_template (0.13s)

knqyf263 · 2022-07-25T08:30:42Z

The failing test shows the following diff.

        	            	Diff:
        	            	--- Expected
        	            	+++ Actual
        	            	@@ -3,2 +3,3 @@
        	            	   "vulnerabilities": [
        	            	+    
        	            	     {

Looks like there is a new line, but I didn't see such a change. @DmitriyLewen Could you help us?

contrib/gitlab.tpl

- Upgrade to schema 14.0.6 (https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/v14.0.6/dist/container-scanning-report-format.json). - Drop unsupported `confidence` property. Currently optional and will be removed by GitLab in schema 15-0-0.

thiago-gitlab · 2022-07-25T21:41:32Z

Thanks for the help, @knqyf263 and @DmitriyLewen. Checks are passing. Ready for another round of review 🏓

knqyf263 · 2022-07-26T12:51:26Z

Thanks a lot!

thiago-gitlab requested a review from knqyf263 as a code owner July 25, 2022 01:30

thiago-gitlab commented Jul 25, 2022

View reviewed changes

thiago-gitlab force-pushed the doc-gitlab-integration branch from 5739bcd to f822298 Compare July 25, 2022 01:40

thiago-gitlab commented Jul 25, 2022

View reviewed changes

thiago-gitlab force-pushed the doc-gitlab-integration branch from f822298 to b5abd31 Compare July 25, 2022 02:15

DmitriyLewen reviewed Jul 25, 2022

View reviewed changes

contrib/gitlab.tpl Outdated Show resolved Hide resolved

thiago-gitlab added 2 commits July 26, 2022 06:42

docs(vuln): remove note about broken GitLab integration

cd754ca

thiago-gitlab force-pushed the doc-gitlab-integration branch from b5abd31 to cd754ca Compare July 25, 2022 20:43

knqyf263 approved these changes Jul 26, 2022

View reviewed changes

knqyf263 merged commit 5a65548 into aquasecurity:main Jul 26, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(vuln): GitLab report template #2578

fix(vuln): GitLab report template #2578

thiago-gitlab commented Jul 25, 2022 •

edited

Loading

thiago-gitlab Jul 25, 2022

thiago-gitlab Jul 25, 2022

thiago-gitlab commented Jul 25, 2022

knqyf263 commented Jul 25, 2022

thiago-gitlab commented Jul 25, 2022

knqyf263 commented Jul 26, 2022

fix(vuln): GitLab report template #2578

fix(vuln): GitLab report template #2578

Conversation

thiago-gitlab commented Jul 25, 2022 • edited Loading

Description

Related issues

Related PRs

Checklist

thiago-gitlab Jul 25, 2022

Choose a reason for hiding this comment

thiago-gitlab Jul 25, 2022

Choose a reason for hiding this comment

thiago-gitlab commented Jul 25, 2022

knqyf263 commented Jul 25, 2022

thiago-gitlab commented Jul 25, 2022

knqyf263 commented Jul 26, 2022

thiago-gitlab commented Jul 25, 2022 •

edited

Loading