Merge branch '9251-skip_whitelisted_vulnerabilities' into 'master'

Skip whitelisted vulnerabilities in Container Scanning reports Closes #9251 See merge request gitlab-org/gitlab-ee!9528

Merge branch '9251-skip_whitelisted_vulnerabilities' into 'master'
Skip whitelisted vulnerabilities in Container Scanning reports Closes #9251 See merge request gitlab-org/gitlab-ee!9528
18f905d1 · Kamil Trzciński · 9d95687e · 144ab22b · 18f905d1 · 18f905d1
Commit 18f905d1 authored Feb 14, 2019 by Kamil Trzciński
4 changed files
--- a/ee/changelogs/unreleased/9251-skip_whitelisted_vulnerabilities.yml
+++ b/ee/changelogs/unreleased/9251-skip_whitelisted_vulnerabilities.yml
+---
+title: Skip whitelisted vulnerabilities in Container Scanning reports
+merge_request: 9528
+author:
+type: fixed
--- a/ee/lib/gitlab/ci/parsers/security/container_scanning.rb
+++ b/ee/lib/gitlab/ci/parsers/security/container_scanning.rb
@@ -26,9 +26,13 @@ module Gitlab
          # Transforms the Clair JSON report into the expected format
          def format_report(data)
            vulnerabilities = data['vulnerabilities']
+            unapproved = data['unapproved']
            results = []
            vulnerabilities.each do |vulnerability|
+              # We only report unapproved vulnerabilities
+              next unless unapproved.include?(vulnerability['vulnerability'])
              results.append(format_vulnerability(vulnerability))
            end

--- a/ee/spec/lib/gitlab/ci/parsers/security/container_scanning_spec.rb
+++ b/ee/spec/lib/gitlab/ci/parsers/security/container_scanning_spec.rb
@@ -25,7 +25,7 @@ describe Gitlab::Ci::Parsers::Security::ContainerScanning do
      end
    end
-    it "parses all identifiers and occurrences" do
+    it "parses all identifiers and occurrences for unapproved vulnerabilities" do
      expect(report.occurrences.length).to eq(8)
      expect(report.identifiers.length).to eq(8)
      expect(report.scanners.length).to eq(1)

--- a/spec/fixtures/security-reports/master/gl-container-scanning-report.json
+++ b/spec/fixtures/security-reports/master/gl-container-scanning-report.json
 {
  "image": "registry.gitlab.com/groulot/container-scanning-test/master:5f21de6956aee99ddb68ae49498662d9872f50ff",
  "unapproved": [
-    "CVE-2017-18018",
+    "CVE-2017-18269",
-    "CVE-2016-2781",
+    "CVE-2017-16997",
-    "CVE-2017-12424",
+    "CVE-2018-1000001",
-    "CVE-2007-5686",
+    "CVE-2016-10228",
-    "CVE-2013-4235"
+    "CVE-2018-18520",
+    "CVE-2010-4052",
+    "CVE-2018-16869",
+    "CVE-2018-18311"
  ],
  "vulnerabilities": [
    {
@@ -87,6 +90,16 @@
      "link": "https://security-tracker.debian.org/tracker/CVE-2018-18311",
      "severity": "Unknown",
      "fixedby": "5.24.1-3+deb9u5"
+    },
+    {
+      "featurename": "foo",
+      "featureversion": "1.3",
+      "vulnerability": "CVE-2018-666",
+      "namespace": "debian:9",
+      "description": "Foo has a vulnerability nobody cares about and whitelist.",
+      "link": "https://security-tracker.debian.org/tracker/CVE-2018-666",
+      "severity": "Unknown",
+      "fixedby": "1.4"
    }
  ]
 }