Merge branch '348489-add-container-scanning-dependencies-to-dependency-list' into 'master'

Match container-scanning vulnerabilities in dependencies

See merge request gitlab-org/gitlab!76939

ee/app/models/vulnerabilities/finding.rb

@@ -218,6 +218,10 @@ module Vulnerabilities
       location.dig('file')
     end
 
+    def image
+      location.dig('image')
+    end
+
     def links
       return metadata.fetch('links', []) if Feature.disabled?(:vulnerability_finding_replace_metadata) || finding_links.load.empty?
 

ee/lib/gitlab/ci/parsers/security/dependency_list.rb

@@ -5,6 +5,8 @@ module Gitlab
     module Parsers
       module Security
         class DependencyList
+          CONTAINER_IMAGE_PATH_PREFIX = 'container-image:'
+
           def initialize(project, sha, pipeline)
             @project = project
             @formatter = Formatters::DependencyList.new(project, sha)
@@ -30,17 +32,22 @@ module Gitlab
           end
 
           def parse_vulnerabilities(report_data, report)
-            vuln_findings = pipeline.vulnerability_findings.dependency_scanning
+            vuln_findings = pipeline.vulnerability_findings.by_report_types(%i[container_scanning dependency_scanning])
             vuln_findings.each do |finding|
               dependency = finding.location.dig("dependency")
 
               next unless dependency
 
-              file = finding.file
               vulnerability = finding.metadata.merge(vulnerability_id: finding.vulnerability_id)
 
-              report.add_dependency(formatter.format(dependency, '', file, vulnerability))
+              report.add_dependency(formatter.format(dependency, '', dependency_path(finding), vulnerability))
+            end
           end
+
+          def dependency_path(finding)
+            return finding.file if finding.dependency_scanning?
+
+            "#{CONTAINER_IMAGE_PATH_PREFIX}#{finding.image}"
           end
 
           def parse_licenses!(json_data, report)

ee/spec/factories/vulnerabilities/findings.rb

@@ -519,6 +519,57 @@ FactoryBot.define do
       end
     end
 
+    trait :with_container_scanning_metadata do
+      transient do
+        raw_severity { "Critical" }
+        id { "CVE-2021-44228" }
+        image { "package-registry/package:tag" }
+        package { "org.apache.logging.log4j:log4j-api" }
+        version { "2.14.1" }
+      end
+
+      after(:build) do |finding, evaluator|
+        finding.report_type = "container_scanning"
+        finding.name = "CVE-2021-44228 in org.apache.logging.log4j:log4j-api-2.14.1"
+        finding.message = "Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints."
+        finding.metadata_version = "2.1"
+        finding.raw_metadata = {
+          "category": "container_scanning",
+          "name": "CVE-2021-44228 in org.apache.logging.log4j:log4j-api-2.14.1",
+          "message": "Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.",
+          "description": "Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.",
+          "severity": evaluator.raw_severity,
+          "scanner": {
+            "id": "trivy",
+            "name": "Trivy"
+          },
+          "location": {
+            "image": evaluator.image,
+            "dependency": {
+              "package": {
+                "name": evaluator.package
+              },
+              "operating_system": "Unknown",
+              "version": evaluator.version
+            }
+          },
+          "identifiers": [
+            {
+              "type": "cve",
+              "name": evaluator.id,
+              "value": "CVE-2021-44228",
+              "url": "http://packetstormsecurity.com/files/165225/Apache-Log4j2-2.14.1-Remote-Code-Execution.html"
+            }
+          ],
+          "links": [
+            {
+              "url": "http://packetstormsecurity.com/files/165225/Apache-Log4j2-2.14.1-Remote-Code-Execution.html"
+            }
+          ]
+        }.to_json
+      end
+    end
+
     trait :with_cluster_image_scanning_scanning_metadata do
       after(:build) do |finding, _|
         finding.report_type = "cluster_image_scanning"

ee/spec/lib/gitlab/ci/parsers/security/dependency_list_spec.rb

@@ -11,7 +11,6 @@ RSpec.describe Gitlab::Ci::Parsers::Security::DependencyList do
   let_it_be(:pipeline) { create :ee_ci_pipeline, :with_dependency_list_report }
 
   describe '#parse!' do
-    context 'with dependency_list artifact' do
     let(:artifact) { pipeline.job_artifacts.last }
 
     before do
@@ -20,6 +19,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::DependencyList do
       end
     end
 
+    context 'with dependency_list artifact' do
       it 'parses all files' do
         blob_path = "/#{project.full_path}/-/blob/#{sha}/yarn/yarn.lock"
 
@@ -43,19 +43,11 @@ RSpec.describe Gitlab::Ci::Parsers::Security::DependencyList do
       end
     end
 
-    context 'with vulnerabilities in the database' do
+    context 'with dependency_scanning dependencies' do
       let_it_be(:vulnerability) { create(:vulnerability, report_type: :dependency_scanning) }
       let_it_be(:finding) { create(:vulnerabilities_finding, :with_dependency_scanning_metadata, vulnerability: vulnerability) }
       let_it_be(:finding_pipeline) { create(:vulnerabilities_finding_pipeline, finding: finding, pipeline: pipeline) }
 
-      let(:artifact) { pipeline.job_artifacts.last }
-
-      before do
-        artifact.each_blob do |blob|
-          parser.parse!(blob, report)
-        end
-      end
-
       it 'does not causes N+1 query' do
         control_count = ActiveRecord::QueryRecorder.new do
           artifact.each_blob do |blob|
@@ -97,7 +89,23 @@ RSpec.describe Gitlab::Ci::Parsers::Security::DependencyList do
       end
     end
 
+    context 'with container_scanning dependencies' do
+      let_it_be(:vulnerability) { create(:vulnerability, report_type: :container_scanning) }
+      let_it_be(:finding) { create(:vulnerabilities_finding, :with_container_scanning_metadata, vulnerability: vulnerability) }
+      let_it_be(:finding_pipeline) { create(:vulnerabilities_finding_pipeline, finding: finding, pipeline: pipeline) }
+
+      it 'adds new dependency and vulnerability to the report with modified path' do
+        cs_dependency = report.dependencies.detect { |dep| dep[:name] == 'org.apache.logging.log4j:log4j-api' }
+
+        expect(report.dependencies.size).to eq(22)
+        expect(cs_dependency[:vulnerabilities].size).to eq(1)
+        expect(cs_dependency.dig(:location, :path)).to eq('container-image:package-registry/package:tag')
+      end
+    end
+
     context 'with null dependencies' do
+      let(:empty_report) { Gitlab::Ci::Reports::DependencyList::Report.new }
+
       let(:json_data) do
         <<~JSON
         {
@@ -130,9 +138,9 @@ RSpec.describe Gitlab::Ci::Parsers::Security::DependencyList do
       end
 
       it 'ignores null dependencies' do
-        parser.parse!(json_data, report)
+        parser.parse!(json_data, empty_report)
 
-        expect(report.dependencies.size).to eq(0)
+        expect(empty_report.dependencies.size).to eq(0)
       end
     end
   end

ee/spec/models/vulnerabilities/finding_spec.rb

@@ -772,6 +772,15 @@ RSpec.describe Vulnerabilities::Finding do
       end
     end
 
+    describe '#image' do
+      let(:finding) { build(:vulnerabilities_finding, :with_container_scanning_metadata) }
+      let(:expected_location) { finding.metadata['location']['image'] }
+
+      subject { finding.image }
+
+      it { is_expected.to eq(expected_location) }
+    end
+
     describe '#evidence' do
       subject { finding.evidence }