Skip to content

G
gitlab-ce
Commit 21eb572f authored by Kamil Trzciński's avatar Kamil Trzciński
Browse files
Options

Merge branch 'support-new-syntax-for-common-vulnerabilities' into 'master' 

Support new syntax for common vulnerabilities

See merge request gitlab-org/gitlab-ee!8701
parents 475a6782 f090135f
Show whitespace changes
Inline Side-by-side
Showing with 4133 additions and 4013 deletions
ee/lib/gitlab/ci/parsers/security/common.rb
View file @ 21eb572f
...@@ -8,10 +8,11 @@ module Gitlab ...@@ -8,10 +8,11 @@ module Gitlab
SecurityReportParserError = Class.new(Gitlab::Ci::Parsers::ParserError) SecurityReportParserError = Class.new(Gitlab::Ci::Parsers::ParserError)
def parse!(json_data, report) def parse!(json_data, report)
vulnerabilities = JSON.parse!(json_data) report_data = parse_report(json_data)
raise SecurityReportParserError, "Invalid report format" unless report_data.is_a?(Hash)
vulnerabilities.each do |vulnerability| report_data["vulnerabilities"].each do |vulnerability|
create_vulnerability(report, vulnerability) create_vulnerability(report, vulnerability, report_data["version"])
end end
rescue JSON::ParserError rescue JSON::ParserError
raise SecurityReportParserError, 'JSON parsing failed' raise SecurityReportParserError, 'JSON parsing failed'
...@@ -22,7 +23,11 @@ module Gitlab ...@@ -22,7 +23,11 @@ module Gitlab
protected protected
def create_vulnerability(report, data) def parse_report(json_data)
JSON.parse!(json_data)
end
def create_vulnerability(report, data, version)
scanner = create_scanner(report, data['scanner'] || mutate_scanner_tool(data['tool'])) scanner = create_scanner(report, data['scanner'] || mutate_scanner_tool(data['tool']))
identifiers = create_identifiers(report, data['identifiers']) identifiers = create_identifiers(report, data['identifiers'])
...@@ -38,9 +43,7 @@ module Gitlab ...@@ -38,9 +43,7 @@ module Gitlab
scanner: scanner, scanner: scanner,
identifiers: identifiers, identifiers: identifiers,
raw_metadata: data.to_json, raw_metadata: data.to_json,
# Version is hardcoded here untill provided in the report. metadata_version: version
# See https://gitlab.com/gitlab-org/gitlab-ee/issues/8025
metadata_version: metadata_version(data)
) )
end end
......
ee/lib/gitlab/ci/parsers/security/dependency_scanning.rb
View file @ 21eb572f
...@@ -5,14 +5,28 @@ module Gitlab ...@@ -5,14 +5,28 @@ module Gitlab
module Parsers module Parsers
module Security module Security
class DependencyScanning < Common class DependencyScanning < Common
extend ::Gitlab::Utils::Override
DEPRECATED_REPORT_VERSION = "1.3".freeze
private private
def metadata_version(vulnerability) override :parse_report
'1.3' def parse_report(json_data)
report = super
if report.is_a?(Array)
report = {
"version" => DEPRECATED_REPORT_VERSION,
"vulnerabilities" => report
}
end
report
end end
def generate_location_fingerprint(location) def generate_location_fingerprint(location)
Digest::SHA1.hexdigest("#{location['file']}:#{location['dependency']['package']['name']}") Digest::SHA1.hexdigest("#{location['file']}:#{location.dig('dependency', 'package', 'name')}")
end end
end end
end end
......
ee/lib/gitlab/ci/parsers/security/sast.rb
View file @ 21eb572f
...@@ -5,10 +5,24 @@ module Gitlab ...@@ -5,10 +5,24 @@ module Gitlab
module Parsers module Parsers
module Security module Security
class Sast < Common class Sast < Common
extend ::Gitlab::Utils::Override
DEPRECATED_REPORT_VERSION = "1.2".freeze
private private
def metadata_version(vulnerability) override :parse_report
'1.2' def parse_report(json_data)
report = super
if report.is_a?(Array)
report = {
"version" => DEPRECATED_REPORT_VERSION,
"vulnerabilities" => report
}
end
report
end end
def generate_location_fingerprint(location) def generate_location_fingerprint(location)
......
ee/spec/factories/ci/builds.rb
View file @ 21eb572f
...@@ -29,15 +29,9 @@ FactoryBot.define do ...@@ -29,15 +29,9 @@ FactoryBot.define do
end end
end end
trait :license_management_report do trait :license_management_feature_branch do
after(:build) do |build| after(:build) do |build|
build.job_artifacts << create(:ee_ci_job_artifact, :license_management_report, job: build) build.job_artifacts << create(:ee_ci_job_artifact, :license_management_feature_branch, job: build)
end
end
trait :license_management_report_2 do
after(:build) do |build|
build.job_artifacts << create(:ee_ci_job_artifact, :license_management_report_2, job: build)
end end
end end
......
ee/spec/factories/ci/job_artifacts.rb
View file @ 21eb572f
...@@ -8,7 +8,17 @@ FactoryBot.define do ...@@ -8,7 +8,17 @@ FactoryBot.define do
after(:build) do |artifact, evaluator| after(:build) do |artifact, evaluator|
artifact.file = fixture_file_upload( artifact.file = fixture_file_upload(
Rails.root.join('ee/spec/fixtures/reports/security/sast.json'), 'application/json') Rails.root.join('spec/fixtures/security-reports/master/gl-sast-report.json'), 'text/plain')
end
end
trait :sast_deprecated do
file_type :sast
file_format :raw
after(:build) do |artifact, evaluator|
artifact.file = fixture_file_upload(
Rails.root.join('spec/fixtures/security-reports/deprecated/gl-sast-report.json'), 'text/plain')
end end
end end
...@@ -18,27 +28,27 @@ FactoryBot.define do ...@@ -18,27 +28,27 @@ FactoryBot.define do
after(:build) do |artifact, evaluator| after(:build) do |artifact, evaluator|
artifact.file = fixture_file_upload( artifact.file = fixture_file_upload(
Rails.root.join('ee/spec/fixtures/reports/security/sast_with_corrupted_data.json'), 'application/json') Rails.root.join('spec/fixtures/trace/sample_trace'), 'application/json')
end end
end end
trait :license_management_report do trait :license_management do
file_type :license_management file_type :license_management
file_format :raw file_format :raw
after(:build) do |artifact, evaluator| after(:build) do |artifact, evaluator|
artifact.file = fixture_file_upload( artifact.file = fixture_file_upload(
Rails.root.join('ee/spec/fixtures/license_management/report.json'), 'application/json') Rails.root.join('spec/fixtures/security-reports/master/gl-license-management-report.json'), 'application/json')
end end
end end
trait :license_management_report_2 do trait :license_management_feature_branch do
file_type :license_management file_type :license_management
file_format :raw file_format :raw
after(:build) do |artifact, evaluator| after(:build) do |artifact, evaluator|
artifact.file = fixture_file_upload( artifact.file = fixture_file_upload(
Rails.root.join('ee/spec/fixtures/license_management/report2.json'), 'application/json') Rails.root.join('spec/fixtures/security-reports/feature-branch/gl-license-management-report.json'), 'application/json')
end end
end end
...@@ -48,7 +58,7 @@ FactoryBot.define do ...@@ -48,7 +58,7 @@ FactoryBot.define do
after(:build) do |artifact, evaluator| after(:build) do |artifact, evaluator|
artifact.file = fixture_file_upload( artifact.file = fixture_file_upload(
Rails.root.join('ee/spec/fixtures/license_management/report_with_corrupted_data.json'), 'application/json') Rails.root.join('spec/fixtures/trace/sample_trace'), 'application/json')
end end
end end
...@@ -82,6 +92,16 @@ FactoryBot.define do ...@@ -82,6 +92,16 @@ FactoryBot.define do
end end
end end
trait :dependency_scanning_deprecated do
file_format :raw
file_type :dependency_scanning
after(:build) do |artifact, _|
artifact.file = fixture_file_upload(
Rails.root.join('spec/fixtures/security-reports/deprecated/gl-dependency-scanning-report.json'), 'text/plain')
end
end
trait :container_scanning do trait :container_scanning do
file_format :raw file_format :raw
file_type :container_scanning file_type :container_scanning
......
ee/spec/factories/ci/pipelines.rb
View file @ 21eb572f
...@@ -11,15 +11,15 @@ FactoryBot.define do ...@@ -11,15 +11,15 @@ FactoryBot.define do
status :success status :success
after(:build) do |pipeline, evaluator| after(:build) do |pipeline, evaluator|
pipeline.builds << build(:ee_ci_build, :license_management_report, pipeline: pipeline, project: pipeline.project) pipeline.builds << build(:ee_ci_build, :license_management, pipeline: pipeline, project: pipeline.project)
end end
end end
trait :with_license_management_report_2 do trait :with_license_management_feature_branch do
status :success status :success
after(:build) do |pipeline, evaluator| after(:build) do |pipeline, evaluator|
pipeline.builds << build(:ee_ci_build, :license_management_report_2, pipeline: pipeline, project: pipeline.project) pipeline.builds << build(:ee_ci_build, :license_management_feature_branch, pipeline: pipeline, project: pipeline.project)
end end
end end
......
ee/spec/fixtures/license_management/report.json deleted 100644 → 0
View file @ 475a6782
{
"licenses": [
{
"count": 52,
"name": "MIT"
},
{
"count": 3,
"name": "New BSD"
},
{
"count": 1,
"name": "Apache 2.0"
},
{
"count": 1,
"name": "unknown"
}
],
"dependencies": [
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "actioncable",
"url": "http://rubyonrails.org",
"description": "WebSocket framework for Rails.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "actionmailer",
"url": "http://rubyonrails.org",
"description": "Email composition, delivery, and receiving framework (part of Rails).",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "actionpack",
"url": "http://rubyonrails.org",
"description": "Web-flow and rendering framework putting the VC in MVC (part of Rails).",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "actionview",
"url": "http://rubyonrails.org",
"description": "Rendering framework putting the V in MVC (part of Rails).",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "activejob",
"url": "http://rubyonrails.org",
"description": "Job framework with pluggable queues.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "activemodel",
"url": "http://rubyonrails.org",
"description": "A toolkit for building modeling frameworks (part of Rails).",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "activerecord",
"url": "http://rubyonrails.org",
"description": "Object-relational mapper framework (part of Rails).",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "activesupport",
"url": "http://rubyonrails.org",
"description": "A toolkit of support libraries and Ruby core extensions extracted from the Rails framework.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "arel",
"url": "https://github.com/rails/arel",
"description": "Arel Really Exasperates Logicians Arel is a SQL AST manager for Ruby",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "builder",
"url": "http://onestepback.org",
"description": "Builders for MarkUp.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "bundler",
"url": "http://bundler.io",
"description": "The best way to manage your application's dependencies",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "coffee-rails",
"url": "https://github.com/rails/coffee-rails",
"description": "CoffeeScript adapter for the Rails asset pipeline.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "coffee-script",
"url": "http://github.com/josh/ruby-coffee-script",
"description": "Ruby CoffeeScript Compiler",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "coffee-script-source",
"url": "http://coffeescript.org",
"description": "The CoffeeScript Compiler",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "concurrent-ruby",
"url": "http://www.concurrent-ruby.com",
"description": "Modern concurrency tools for Ruby. Inspired by Erlang, Clojure, Scala, Haskell, F#, C#, Java, and classic concurrency patterns.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "crass",
"url": "https://github.com/rgrove/crass/",
"description": "CSS parser based on the CSS Syntax Level 3 spec.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "erubis",
"url": "http://www.kuwata-lab.com/erubis/",
"description": "a fast and extensible eRuby implementation which supports multi-language",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "execjs",
"url": "https://github.com/rails/execjs",
"description": "Run JavaScript code from Ruby",
"pathes": [
"."
]
}
},
{
"license": {
"name": "New BSD",
"url": "http://opensource.org/licenses/BSD-3-Clause"
},
"dependency": {
"name": "ffi",
"url": "http://wiki.github.com/ffi/ffi",
"description": "Ruby FFI",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "globalid",
"url": "http://www.rubyonrails.org",
"description": "Refer to any model with a URI: gid://app/class/id",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "i18n",
"url": "http://github.com/svenfuchs/i18n",
"description": "New wave Internationalization support for Ruby",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "jbuilder",
"url": "https://github.com/rails/jbuilder",
"description": "Create JSON structures via a Builder-style DSL",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "loofah",
"description": "",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "mail",
"url": "https://github.com/mikel/mail",
"description": "Mail provides a nice Ruby DSL for making, sending and reading emails.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "method_source",
"url": "http://banisterfiend.wordpress.com",
"description": "retrieve the sourcecode for a method",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "mini_mime",
"url": "https://github.com/discourse/mini_mime",
"description": "A lightweight mime type lookup toy",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "mini_portile2",
"url": "http://github.com/flavorjones/mini_portile",
"description": "Simplistic port-like solution for developers",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "minitest",
"url": "https://github.com/seattlerb/minitest",
"description": "minitest provides a complete suite of testing facilities supporting TDD, BDD, mocking, and benchmarking",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "multi_json",
"url": "http://github.com/intridea/multi_json",
"description": "A common interface to multiple JSON libraries.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "nio4r",
"url": "https://github.com/celluloid/nio4r",
"description": "NIO provides a high performance selector API for monitoring IO objects",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "nokogiri",
"url": "http://nokogiri.org",
"description": "Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser",
"pathes": [
"."
]
}
},
{
"license": {
"name": "New BSD",
"url": "http://opensource.org/licenses/BSD-3-Clause"
},
"dependency": {
"name": "puma",
"url": "http://puma.io",
"description": "Puma is a simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack applications",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "rack",
"url": "https://rack.github.io/",
"description": "a modular Ruby webserver interface",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "rack-test",
"url": "http://github.com/brynary/rack-test",
"description": "Simple testing API built on Rack",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "rails",
"url": "http://rubyonrails.org",
"description": "Full-stack web application framework.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "rails-dom-testing",
"url": "https://github.com/rails/rails-dom-testing",
"description": "Dom and Selector assertions for Rails applications",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "rails-html-sanitizer",
"url": "https://github.com/rails/rails-html-sanitizer",
"description": "This gem is responsible to sanitize HTML fragments in Rails applications.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "railties",
"url": "http://rubyonrails.org",
"description": "Tools for creating, working with, and running Rails applications.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "rake",
"url": "https://github.com/ruby/rake",
"description": "Rake is a Make-like program implemented in Ruby",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "rb-fsevent",
"url": "http://rubygems.org/gems/rb-fsevent",
"description": "Very simple & usable FSEvents API",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "rb-inotify",
"url": "https://github.com/guard/rb-inotify",
"description": "A Ruby wrapper for Linux inotify, using FFI",
"pathes": [
"."
]
}
},
{
"license": {
"name": "unknown"
},
"dependency": {
"name": "ruby-bundler-rails",
"description": "",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "sass",
"url": "http://sass-lang.com/",
"description": "A powerful but elegant CSS compiler that makes CSS fun again.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "sass-listen",
"url": "https://github.com/sass/listen",
"description": "Fork of guard/listen",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "sass-rails",
"url": "https://github.com/rails/sass-rails",
"description": "Sass adapter for the Rails asset pipeline.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "sprockets",
"url": "https://github.com/rails/sprockets",
"description": "Rack-based asset packaging system",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "sprockets-rails",
"url": "https://github.com/rails/sprockets-rails",
"description": "Sprockets Rails integration",
"pathes": [
"."
]
}
},
{
"license": {
"name": "New BSD",
"url": "http://opensource.org/licenses/BSD-3-Clause"
},
"dependency": {
"name": "sqlite3",
"url": "https://github.com/sparklemotion/sqlite3-ruby",
"description": "This module allows Ruby programs to interface with the SQLite3 database engine (http://www.sqlite.org)",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "thor",
"url": "http://whatisthor.com/",
"description": "Thor is a toolkit for building powerful command-line interfaces.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "Apache 2.0",
"url": "http://www.apache.org/licenses/LICENSE-2.0.txt"
},
"dependency": {
"name": "thread_safe",
"url": "https://github.com/ruby-concurrency/thread_safe",
"description": "Thread-safe collections and utilities for Ruby",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "tilt",
"url": "http://github.com/rtomayko/tilt/",
"description": "Generic interface to multiple Ruby template engines",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "turbolinks",
"url": "https://github.com/turbolinks/turbolinks",
"description": "Turbolinks makes navigating your web application faster",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "turbolinks-source",
"url": "https://github.com/turbolinks/turbolinks-source-gem",
"description": "Turbolinks JavaScript assets",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "tzinfo",
"url": "http://tzinfo.github.io",
"description": "Daylight savings aware timezone library",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "uglifier",
"url": "http://github.com/lautis/uglifier",
"description": "Ruby wrapper for UglifyJS JavaScript compressor",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "websocket-driver",
"url": "http://github.com/faye/websocket-driver-ruby",
"description": "WebSocket protocol handler with pluggable I/O",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "websocket-extensions",
"url": "https://github.com/faye/websocket-extensions-ruby",
"description": "Generic extension manager for WebSocket connections",
"pathes": [
"."
]
}
}
]
}
ee/spec/fixtures/license_management/report2.json deleted 100644 → 0
View file @ 475a6782
{
"licenses": [
{
"count": 1,
"name": "WTFPL"
},
{
"count": 1,
"name": "MIT"
}
],
"dependencies": [
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "actioncable",
"url": "http://rubyonrails.org",
"description": "WebSocket framework for Rails.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "WTFPL",
"url": "http://www.wtfpl.net/"
},
"dependency": {
"name": "wtfpl_init",
"url": "https://rubygems.org/gems/wtfpl_init",
"description": "Download WTFPL license file and rename to LICENSE.md or something",
"pathes": [
"."
]
}
}
]
}
ee/spec/fixtures/license_management/report_with_corrupted_data.json deleted 100644 → 0
View file @ 475a6782
{
"licenses": [
{
"count": 52,
"name": "MIT"
},
{
"count": 3,
"name": "New BSD"
},
{
"count": 1,
"name": "Apache 2.0"
},
{
"count": 1,
"name": "unknown"
}
],
"dependencies": [
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "actioncable",
"url": "http://rubyonrails.org",
"description": "WebSocket framework for Rails.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "actionmailer",
"url": "http://rubyonrails.org",
"description": "Email composition, delivery, and receiving framework (part of Rails).",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "actionpack",
"url": "http://rubyonrails.org",
"description": "Web-flow and rendering framework putting the VC in MVC (part of Rails).",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "actionview",
"url": "http://rubyonrails.org",
"description": "Rendering framework putting the V in MVC (part of Rails).",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "activejob",
"url": "http://rubyonrails.org",
"description": "Job framework with pluggable queues.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "activemodel",
"url": "http://rubyonrails.org",
"description": "A toolkit for building modeling frameworks (part of Rails).",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "activerecord",
"url": "http://rubyonrails.org",
"description": "Object-relational mapper framework (part of Rails).",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "activesupport",
"url": "http://rubyonrails.org",
"description": "A toolkit of support libraries and Ruby core extensions extracted from the Rails framework.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "arel",
"url": "https://github.com/rails/arel",
"description": "Arel Really Exasperates Logicians Arel is a SQL AST manager for Ruby",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "builder",
"url": "http://onestepback.org",
"description": "Builders for MarkUp.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "bundler",
"url": "http://bundler.io",
"description": "The best way to manage your application's dependencies",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "coffee-rails",
"url": "https://github.com/rails/coffee-rails",
"description": "CoffeeScript adapter for the Rails asset pipeline.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "coffee-script",
"url": "http://github.com/josh/ruby-coffee-script",
"description": "Ruby CoffeeScript Compiler",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "coffee-script-source",
"url": "http://coffeescript.org",
"description": "The CoffeeScript Compiler",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "concurrent-ruby",
"url": "http://www.concurrent-ruby.com",
"description": "Modern concurrency tools for Ruby. Inspired by Erlang, Clojure, Scala, Haskell, F#, C#, Java, and classic concurrency patterns.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "crass",
"url": "https://github.com/rgrove/crass/",
"description": "CSS parser based on the CSS Syntax Level 3 spec.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "erubis",
"url": "http://www.kuwata-lab.com/erubis/",
"description": "a fast and extensible eRuby implementation which supports multi-language",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "execjs",
"url": "https://github.com/rails/execjs",
"description": "Run JavaScript code from Ruby",
"pathes": [
"."
]
}
},
{
"license": {
"name": "New BSD",
"url": "http://opensource.org/licenses/BSD-3-Clause"
},
"dependency": {
"name": "ffi",
"url": "http://wiki.github.com/ffi/ffi",
"description": "Ruby FFI",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "globalid",
"url": "http://www.rubyonrails.org",
"description": "Refer to any model with a URI: gid://app/class/id",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "i18n",
"url": "http://github.com/svenfuchs/i18n",
"description": "New wave Internationalization support for Ruby",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "jbuilder",
"url": "https://github.com/rails/jbuilder",
"description": "Create JSON structures via a Builder-style DSL",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "loofah",
"description": "",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "mail",
"url": "https://github.com/mikel/mail",
"description": "Mail provides a nice Ruby DSL for making, sending and reading emails.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "method_source",
"url": "http://banisterfiend.wordpress.com",
"description": "retrieve the sourcecode for a method",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "mini_mime",
"url": "https://github.com/discourse/mini_mime",
"description": "A lightweight mime type lookup toy",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "mini_portile2",
"url": "http://github.com/flavorjones/mini_portile",
"description": "Simplistic port-like solution for developers",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "minitest",
"url": "https://github.com/seattlerb/minitest",
"description": "minitest provides a complete suite of testing facilities supporting TDD, BDD, mocking, and benchmarking",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "multi_json",
"url": "http://github.com/intridea/multi_json",
"description": "A common interface to multiple JSON libraries.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "nio4r",
"url": "https://github.com/celluloid/nio4r",
"description": "NIO provides a high performance selector API for monitoring IO objects",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "nokogiri",
"url": "http://nokogiri.org",
"description": "Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser",
"pathes": [
"."
]
}
},
{
"license": {
"name": "New BSD",
"url": "http://opensource.org/licenses/BSD-3-Clause"
},
"dependency": {
"name": "puma",
"url": "http://puma.io",
"description": "Puma is a simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack applications",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "rack",
"url": "https://rack.github.io/",
"description": "a modular Ruby webserver interface",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "rack-test",
"url": "http://github.com/brynary/rack-test",
"description": "Simple testing API built on Rack",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "rails",
"url": "http://rubyonrails.org",
"description": "Full-stack web application framework.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "rails-dom-testing",
"url": "https://github.com/rails/rails-dom-testing",
"description": "Dom and Selector assertions for Rails applications",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "rails-html-sanitizer",
"url": "https://github.com/rails/rails-html-sanitizer",
"description": "This gem is responsible to sanitize HTML fragments in Rails applications.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "railties",
"url": "http://rubyonrails.org",
"description": "Tools for creating, working with, and running Rails applications.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "rake",
"url": "https://github.com/ruby/rake",
"description": "Rake is a Make-like program implemented in Ruby",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "rb-fsevent",
"url": "http://rubygems.org/gems/rb-fsevent",
"description": "Very simple & usable FSE
ee/spec/fixtures/reports/security/sast.json deleted 100644 → 0
View file @ 475a6782
[
{
"category": "sast",
"name": "Cipher with no integrity",
"message": "Cipher with no integrity",
"description": "The cipher does not provide data integrity",
"cve": "e6449b89335daf53c0db4c0219bc1634:CIPHER_INTEGRITY",
"severity": "Medium",
"confidence": "High",
"location": {
"file": "maven/src/main/java/com/gitlab/security_products/tests/App.java",
"start_line": 29,
"end_line": 29,
"class": "com.gitlab.security_products.tests.App",
"method": "insecureCypher"
},
"scanner": {
"id": "find_sec_bugs",
"name": "Find Security Bugs"
},
"identifiers": [
{
"type": "find_sec_bugs_type",
"name": "Find Security Bugs-CIPHER_INTEGRITY",
"value": "CIPHER_INTEGRITY",
"url": "https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY"
},
{
"type": "cwe",
"name": "CWE-353",
"value": "353",
"url": "https://cwe.mitre.org/data/definitions/353.html"
}
],
"priority": "Medium",
"file": "maven/src/main/java/com/gitlab/security_products/tests/App.java",
"line": 29,
"url": "https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY",
"tool": "find_sec_bugs"
},
{
"category": "sast",
"message": "Use of insecure MD2, MD4, or MD5 hash function.",
"cve": "python/imports/imports-aliases.py:cb203b465dffb0cb3a8e8bd8910b84b93b0a5995a938e4b903dbb0cd6ffa1254:B303",
"severity": "Medium",
"confidence": "High",
"location": {
"file": "python/imports/imports-aliases.py",
"start_line": 11,
"end_line": 11
},
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B303",
"value": "B303"
},
{
"type": "cwe",
"name": "CWE-353",
"value": "353",
"url": "https://cwe.mitre.org/data/definitions/353.html"
}
],
"priority": "Medium",
"file": "python/imports/imports-aliases.py",
"line": 11,
"tool": "bandit"
},
{
"category": "sast",
"name": "Unescaped parameter value",
"message": "Unescaped parameter value",
"cve": "26b8b0ad586712d41ac6877e2292c6da7aa4760078add7fd23edf5b7a1bcb699",
"confidence": "High",
"location": {
"file": "rails5/app/views/widget/show.html.erb",
"start_line": 1
},
"scanner": {
"id": "brakeman",
"name": "Brakeman"
},
"identifiers": [
{
"type": "brakeman_warning_code",
"name": "Brakeman Warning Code 2",
"value": "2",
"url": "https://brakemanscanner.org/docs/warning_types/cross-site_scripting/"
}
],
"file": "rails5/app/views/widget/show.html.erb",
"line": 1,
"url": "https://brakemanscanner.org/docs/warning_types/cross-site_scripting/",
"tool": "brakeman"
}
]
ee/spec/lib/gitlab/ci/parsers/license_management/license_management_spec.rb
View file @ 21eb572f
...@@ -9,7 +9,7 @@ describe Gitlab::Ci::Parsers::LicenseManagement::LicenseManagement do ...@@ -9,7 +9,7 @@ describe Gitlab::Ci::Parsers::LicenseManagement::LicenseManagement do
let(:report) { Gitlab::Ci::Reports::LicenseManagement::Report.new } let(:report) { Gitlab::Ci::Reports::LicenseManagement::Report.new }
context 'when data is a JSON license management report' do context 'when data is a JSON license management report' do
let(:data) { File.read(Rails.root.join('ee/spec/fixtures/license_management/report.json')) } let(:data) { File.read(Rails.root.join('spec/fixtures/security-reports/master/gl-license-management-report.json')) }
it 'parses without error' do it 'parses without error' do
expect { subject }.not_to raise_error expect { subject }.not_to raise_error
......
ee/spec/lib/gitlab/ci/parsers/security/dependency_scanning_spec.rb
View file @ 21eb572f
...@@ -10,6 +10,11 @@ describe Gitlab::Ci::Parsers::Security::DependencyScanning do ...@@ -10,6 +10,11 @@ describe Gitlab::Ci::Parsers::Security::DependencyScanning do
let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type) } let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type) }
let(:parser) { described_class.new } let(:parser) { described_class.new }
where(report_format: %i(dependency_scanning dependency_scanning_deprecated))
with_them do
let(:artifact) { create(:ee_ci_job_artifact, report_format) }
before do before do
artifact.each_blob do |blob| artifact.each_blob do |blob|
parser.parse!(blob, report) parser.parse!(blob, report)
...@@ -30,4 +35,5 @@ describe Gitlab::Ci::Parsers::Security::DependencyScanning do ...@@ -30,4 +35,5 @@ describe Gitlab::Ci::Parsers::Security::DependencyScanning do
expect(report.occurrences.first[:metadata_version]).to eq('1.3') expect(report.occurrences.first[:metadata_version]).to eq('1.3')
end end
end end
end
end end
ee/spec/lib/gitlab/ci/parsers/security/sast_spec.rb
View file @ 21eb572f
...@@ -6,10 +6,14 @@ describe Gitlab::Ci::Parsers::Security::Sast do ...@@ -6,10 +6,14 @@ describe Gitlab::Ci::Parsers::Security::Sast do
describe '#parse!' do describe '#parse!' do
let(:project) { artifact.project } let(:project) { artifact.project }
let(:pipeline) { artifact.job.pipeline } let(:pipeline) { artifact.job.pipeline }
let(:artifact) { create(:ee_ci_job_artifact, :sast) }
let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type) } let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type) }
let(:parser) { described_class.new } let(:parser) { described_class.new }
where(report_format: %i(sast sast_deprecated))
with_them do
let(:artifact) { create(:ee_ci_job_artifact, report_format) }
before do before do
artifact.each_blob do |blob| artifact.each_blob do |blob|
parser.parse!(blob, report) parser.parse!(blob, report)
...@@ -17,17 +21,18 @@ describe Gitlab::Ci::Parsers::Security::Sast do ...@@ -17,17 +21,18 @@ describe Gitlab::Ci::Parsers::Security::Sast do
end end
it "parses all identifiers and occurrences" do it "parses all identifiers and occurrences" do
expect(report.occurrences.length).to eq(3) expect(report.occurrences.length).to eq(33)
expect(report.identifiers.length).to eq(4) expect(report.identifiers.length).to eq(14)
expect(report.scanners.length).to eq(3) expect(report.scanners.length).to eq(3)
end end
it "generates expected location fingerprint" do it "generates expected location fingerprint" do
expect(report.occurrences.first[:location_fingerprint]).to eq('6b6bb283d43cc510d7d1e73e2882b3652cb34bd5') expect(report.occurrences.first[:location_fingerprint]).to eq('d869ba3f0b3347eb2749135a437dc07c8ae0f420')
end end
it "generates expected metadata_version" do it "generates expected metadata_version" do
expect(report.occurrences.first[:metadata_version]).to eq('1.2') expect(report.occurrences.first[:metadata_version]).to eq('1.2')
end end
end end
end
end end
ee/spec/models/ci/build_spec.rb
View file @ 21eb572f
...@@ -167,7 +167,7 @@ describe Ci::Build do ...@@ -167,7 +167,7 @@ describe Ci::Build do
it 'parses blobs and add the results to the report' do it 'parses blobs and add the results to the report' do
subject subject
expect(security_reports.get_report('sast').occurrences.size).to eq(3) expect(security_reports.get_report('sast').occurrences.size).to eq(33)
end end
end end
...@@ -180,7 +180,7 @@ describe Ci::Build do ...@@ -180,7 +180,7 @@ describe Ci::Build do
it 'parses blobs and add the results to the reports' do it 'parses blobs and add the results to the reports' do
subject subject
expect(security_reports.get_report('sast').occurrences.size).to eq(3) expect(security_reports.get_report('sast').occurrences.size).to eq(33)
expect(security_reports.get_report('dependency_scanning').occurrences.size).to eq(4) expect(security_reports.get_report('dependency_scanning').occurrences.size).to eq(4)
end end
end end
...@@ -236,7 +236,7 @@ describe Ci::Build do ...@@ -236,7 +236,7 @@ describe Ci::Build do
context 'when build has a license management report' do context 'when build has a license management report' do
context 'when there is a license management report' do context 'when there is a license management report' do
before do before do
create(:ee_ci_job_artifact, :license_management_report, job: job, project: job.project) create(:ee_ci_job_artifact, :license_management, job: job, project: job.project)
end end
it 'parses blobs and add the results to the report' do it 'parses blobs and add the results to the report' do
......
ee/spec/models/ci/pipeline_spec.rb
View file @ 21eb572f
...@@ -239,7 +239,7 @@ describe Ci::Pipeline do ...@@ -239,7 +239,7 @@ describe Ci::Pipeline do
it 'returns security reports with collected data grouped as expected' do it 'returns security reports with collected data grouped as expected' do
expect(subject.reports.keys).to contain_exactly('sast', 'dependency_scanning') expect(subject.reports.keys).to contain_exactly('sast', 'dependency_scanning')
expect(subject.get_report('sast').occurrences.size).to eq(6) expect(subject.get_report('sast').occurrences.size).to eq(66)
expect(subject.get_report('dependency_scanning').occurrences.size).to eq(4) expect(subject.get_report('dependency_scanning').occurrences.size).to eq(4)
end end
...@@ -247,7 +247,7 @@ describe Ci::Pipeline do ...@@ -247,7 +247,7 @@ describe Ci::Pipeline do
let(:build_sast_1) { create(:ci_build, :retried, name: 'sast_1', pipeline: pipeline, project: project) } let(:build_sast_1) { create(:ci_build, :retried, name: 'sast_1', pipeline: pipeline, project: project) }
it 'does not take retried builds into account' do it 'does not take retried builds into account' do
expect(subject.get_report('sast').occurrences.size).to eq(3) expect(subject.get_report('sast').occurrences.size).to eq(33)
expect(subject.get_report('dependency_scanning').occurrences.size).to eq(4) expect(subject.get_report('dependency_scanning').occurrences.size).to eq(4)
end end
end end
...@@ -322,7 +322,7 @@ describe Ci::Pipeline do ...@@ -322,7 +322,7 @@ describe Ci::Pipeline do
context 'when pipeline has builds with license_management reports' do context 'when pipeline has builds with license_management reports' do
before do before do
create(:ee_ci_build, :license_management_report, pipeline: pipeline, project: project) create(:ee_ci_build, :license_management, pipeline: pipeline, project: project)
end end
context 'when pipeline status is running' do context 'when pipeline status is running' do
...@@ -350,7 +350,7 @@ describe Ci::Pipeline do ...@@ -350,7 +350,7 @@ describe Ci::Pipeline do
context 'when retried build has license management reports' do context 'when retried build has license management reports' do
before do before do
create(:ee_ci_build, :retried, :license_management_report, pipeline: pipeline, project: project) create(:ee_ci_build, :retried, :license_management, pipeline: pipeline, project: project)
end end
let(:pipeline) { create(:ci_pipeline, :success, project: project) } let(:pipeline) { create(:ci_pipeline, :success, project: project) }
...@@ -367,14 +367,13 @@ describe Ci::Pipeline do ...@@ -367,14 +367,13 @@ describe Ci::Pipeline do
let!(:build_2) { create(:ci_build, :success, name: 'license_management2', pipeline: pipeline, project: project) } let!(:build_2) { create(:ci_build, :success, name: 'license_management2', pipeline: pipeline, project: project) }
before do before do
create(:ee_ci_job_artifact, :license_management_report, job: build_1, project: project) create(:ee_ci_job_artifact, :license_management, job: build_1, project: project)
create(:ee_ci_job_artifact, :license_management_report_2, job: build_2, project: project) create(:ee_ci_job_artifact, :license_management_feature_branch, job: build_2, project: project)
end end
it 'returns a license management report with collected data' do it 'returns a license management report with collected data' do
expect(subject.licenses.count).to be(5) expect(subject.licenses.count).to eq(5)
expect(subject.licenses.any? { |license| license.name == 'WTFPL' } ).to be_truthy expect(subject.licenses.map(&:name)).to include('WTFPL', 'MIT')
expect(subject.licenses.any? { |license| license.name == 'MIT' } ).to be_truthy
end end
context 'when builds are retried' do context 'when builds are retried' do
...@@ -382,14 +381,14 @@ describe Ci::Pipeline do ...@@ -382,14 +381,14 @@ describe Ci::Pipeline do
let!(:build_2) { create(:ci_build, :retried, :success, name: 'license_management2', pipeline: pipeline, project: project) } let!(:build_2) { create(:ci_build, :retried, :success, name: 'license_management2', pipeline: pipeline, project: project) }
it 'does not take retried builds into account' do it 'does not take retried builds into account' do
expect(subject.licenses.count).to be(0) expect(subject.licenses).to be_empty
end end
end end
end end
context 'when pipeline does not have any builds with license management reports' do context 'when pipeline does not have any builds with license management reports' do
it 'returns an empty license management report' do it 'returns an empty license management report' do
expect(subject.licenses.count).to be(0) expect(subject.licenses).to be_empty
end end
end end
end end
......
ee/spec/models/ee/ci/job_artifact_spec.rb
View file @ 21eb572f
...@@ -7,7 +7,7 @@ describe EE::Ci::JobArtifact do ...@@ -7,7 +7,7 @@ describe EE::Ci::JobArtifact do
subject { Ci::JobArtifact.license_management_reports } subject { Ci::JobArtifact.license_management_reports }
context 'when there is a license management report' do context 'when there is a license management report' do
let!(:artifact) { create(:ee_ci_job_artifact, :license_management_report) } let!(:artifact) { create(:ee_ci_job_artifact, :license_management) }
it { is_expected.to eq([artifact]) } it { is_expected.to eq([artifact]) }
end end
......
ee/spec/services/ci/compare_license_management_reports_service_spec.rb
View file @ 21eb572f
...@@ -15,32 +15,32 @@ describe Ci::CompareLicenseManagementReportsService do ...@@ -15,32 +15,32 @@ describe Ci::CompareLicenseManagementReportsService do
it 'reports new licenses' do it 'reports new licenses' do
expect(subject[:status]).to eq(:parsed) expect(subject[:status]).to eq(:parsed)
expect(subject[:data]['new_licenses'].count).to be(4) expect(subject[:data]['new_licenses'].count).to eq(4)
expect(subject[:data]['new_licenses'].any? { |license| license['name'] == 'MIT' } ).to be_truthy expect(subject[:data]['new_licenses']).to include(a_hash_including('name' => 'MIT'))
end end
end end
context 'when base and head pipelines have test reports' do context 'when base and head pipelines have test reports' do
let!(:base_pipeline) { create(:ee_ci_pipeline, :with_license_management_report, project: project) } let!(:base_pipeline) { create(:ee_ci_pipeline, :with_license_management_report, project: project) }
let!(:head_pipeline) { create(:ee_ci_pipeline, :with_license_management_report_2, project: project) } let!(:head_pipeline) { create(:ee_ci_pipeline, :with_license_management_feature_branch, project: project) }
it 'reports status as parsed' do it 'reports status as parsed' do
expect(subject[:status]).to eq(:parsed) expect(subject[:status]).to eq(:parsed)
end end
it 'reports new licenses' do it 'reports new licenses' do
expect(subject[:data]['new_licenses'].count).to be(1) expect(subject[:data]['new_licenses'].count).to eq(1)
expect(subject[:data]['new_licenses'][0]['name']).to eq('WTFPL') expect(subject[:data]['new_licenses']).to include(a_hash_including('name' => 'WTFPL'))
end end
it 'reports existing licenses' do it 'reports existing licenses' do
expect(subject[:data]['existing_licenses'].count).to be(1) expect(subject[:data]['existing_licenses'].count).to eq(1)
expect(subject[:data]['existing_licenses'][0]['name']).to eq('MIT') expect(subject[:data]['existing_licenses']).to include(a_hash_including('name' => 'MIT'))
end end
it 'reports removed licenses' do it 'reports removed licenses' do
expect(subject[:data]['removed_licenses'].count).to be(3) expect(subject[:data]['removed_licenses'].count).to eq(3)
expect(subject[:data]['removed_licenses'].any? { |license| license['name'] == 'New BSD' } ).to be_truthy expect(subject[:data]['removed_licenses']).to include(a_hash_including('name' => 'New BSD'))
end end
end end
......
ee/spec/services/security/store_report_service_spec.rb
View file @ 21eb572f
...@@ -18,7 +18,7 @@ describe Security::StoreReportService, '#execute' do ...@@ -18,7 +18,7 @@ describe Security::StoreReportService, '#execute' do
using RSpec::Parameterized::TableSyntax using RSpec::Parameterized::TableSyntax
where(:case_name, :report_type, :scanners, :identifiers, :occurrences, :occurrence_identifiers, :occurrence_pipelines) do where(:case_name, :report_type, :scanners, :identifiers, :occurrences, :occurrence_identifiers, :occurrence_pipelines) do
'with SAST report' | :sast | 3 | 4 | 3 | 5 | 3 'with SAST report' | :sast | 3 | 14 | 33 | 35 | 33
'with Dependency Scanning report' | :dependency_scanning | 2 | 7 | 4 | 7 | 4 'with Dependency Scanning report' | :dependency_scanning | 2 | 7 | 4 | 7 | 4
end end
...@@ -46,8 +46,8 @@ describe Security::StoreReportService, '#execute' do ...@@ -46,8 +46,8 @@ describe Security::StoreReportService, '#execute' do
end end
context 'with existing data from previous pipeline' do context 'with existing data from previous pipeline' do
let(:scanner) { create(:vulnerabilities_scanner, project: project, external_id: 'find_sec_bugs', name: 'existing_name') } let(:scanner) { create(:vulnerabilities_scanner, project: project, external_id: 'bandit', name: 'Bandit') }
let(:identifier) { create(:vulnerabilities_identifier, project: project, fingerprint: 'f5724386167705667ae25a1390c0a516020690ba') } let(:identifier) { create(:vulnerabilities_identifier, project: project, fingerprint: 'e6dd15eda2137be0034977a85b300a94a4f243a3') }
let!(:new_artifact) { create(:ee_ci_job_artifact, :sast, job: new_build) } let!(:new_artifact) { create(:ee_ci_job_artifact, :sast, job: new_build) }
let(:new_build) { create(:ci_build, pipeline: new_pipeline) } let(:new_build) { create(:ci_build, pipeline: new_pipeline) }
let(:new_pipeline) { create(:ci_pipeline, project: project) } let(:new_pipeline) { create(:ci_pipeline, project: project) }
...@@ -61,7 +61,7 @@ describe Security::StoreReportService, '#execute' do ...@@ -61,7 +61,7 @@ describe Security::StoreReportService, '#execute' do
primary_identifier: identifier, primary_identifier: identifier,
scanner: scanner, scanner: scanner,
project: project, project: project,
location_fingerprint: '6b6bb283d43cc510d7d1e73e2882b3652cb34bd5') location_fingerprint: 'd869ba3f0b3347eb2749135a437dc07c8ae0f420')
end end
subject { described_class.new(new_pipeline, new_report).execute } subject { described_class.new(new_pipeline, new_report).execute }
...@@ -71,15 +71,15 @@ describe Security::StoreReportService, '#execute' do ...@@ -71,15 +71,15 @@ describe Security::StoreReportService, '#execute' do
end end
it 'inserts only new identifiers and reuse existing ones' do it 'inserts only new identifiers and reuse existing ones' do
expect { subject }.to change { Vulnerabilities::Identifier.count }.by(3) expect { subject }.to change { Vulnerabilities::Identifier.count }.by(13)
end end
it 'inserts only new occurrences and reuse existing ones' do it 'inserts only new occurrences and reuse existing ones' do
expect { subject }.to change { Vulnerabilities::Occurrence.count }.by(2) expect { subject }.to change { Vulnerabilities::Occurrence.count }.by(32)
end end
it 'inserts all occurrence pipelines (join model) for this new pipeline' do it 'inserts all occurrence pipelines (join model) for this new pipeline' do
expect { subject }.to change { Vulnerabilities::OccurrencePipeline.where(pipeline: new_pipeline).count }.by(3) expect { subject }.to change { Vulnerabilities::OccurrencePipeline.where(pipeline: new_pipeline).count }.by(33)
end end
end end
......
spec/fixtures/security-reports/deprecated/gl-dependency-scanning-report.json 0 → 100644
View file @ 21eb572f
[
{
"category": "dependency_scanning",
"name": "io.netty/netty - CVE-2014-3488",
"message": "DoS by CPU exhaustion when using malicious SSL packets",
"cve": "app/pom.xml:io.netty/netty@3.9.1.Final:CVE-2014-3488",
"severity": "Unknown",
"solution": "Upgrade to the latest version",
"scanner": {
"id": "gemnasium",
"name": "Gemnasium"
},
"location": {
"file": "app/pom.xml",
"dependency": {
"package": {
"name": "io.netty/netty"
},
"version": "3.9.1.Final"
}
},
"identifiers": [
{
"type": "gemnasium",
"name": "Gemnasium-d1bf36d9-9f07-46cd-9cfc-8675338ada8f",
"value": "d1bf36d9-9f07-46cd-9cfc-8675338ada8f",
"url": "https://deps.sec.gitlab.com/packages/maven/io.netty/netty/versions/3.9.1.Final/advisories"
},
{
"type": "cve",
"name": "CVE-2014-3488",
"value": "CVE-2014-3488",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3488"
}
],
"links": [
{
"url": "https://bugzilla.redhat.com/CVE-2014-3488"
},
{
"url": "http://netty.io/news/2014/06/11/3.html"
},
{
"url": "https://github.com/netty/netty/issues/2562"
}
],
"priority": "Unknown",
"file": "app/pom.xml",
"url": "https://bugzilla.redhat.com/CVE-2014-3488",
"tool": "gemnasium"
},
{
"category": "dependency_scanning",
"name": "Django - CVE-2017-12794",
"message": "Possible XSS in traceback section of technical 500 debug page",
"cve": "app/requirements.txt:Django@1.11.3:CVE-2017-12794",
"severity": "Unknown",
"solution": "Upgrade to latest version or apply patch.",
"scanner": {
"id": "gemnasium",
"name": "Gemnasium"
},
"location": {
"file": "app/requirements.txt",
"dependency": {
"package": {
"name": "Django"
},
"version": "1.11.3"
}
},
"identifiers": [
{
"type": "gemnasium",
"name": "Gemnasium-6162a015-8635-4a15-8d7c-dc9321db366f",
"value": "6162a015-8635-4a15-8d7c-dc9321db366f",
"url": "https://deps.sec.gitlab.com/packages/pypi/Django/versions/1.11.3/advisories"
},
{
"type": "cve",
"name": "CVE-2017-12794",
"value": "CVE-2017-12794",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12794"
}
],
"links": [
{
"url": "https://www.djangoproject.com/weblog/2017/sep/05/security-releases/"
}
],
"priority": "Unknown",
"file": "app/requirements.txt",
"url": "https://www.djangoproject.com/weblog/2017/sep/05/security-releases/",
"tool": "gemnasium"
},
{
"category": "dependency_scanning",
"name": "nokogiri - USN-3424-1",
"message": "Vulnerabilities in libxml2",
"cve": "rails/Gemfile.lock:nokogiri@1.8.0:USN-3424-1",
"severity": "Unknown",
"solution": "Upgrade to latest version.",
"scanner": {
"id": "gemnasium",
"name": "Gemnasium"
},
"location": {
"file": "rails/Gemfile.lock",
"dependency": {
"package": {
"name": "nokogiri"
},
"version": "1.8.0"
}
},
"identifiers": [
{
"type": "gemnasium",
"name": "Gemnasium-06565b64-486d-4326-b906-890d9915804d",
"value": "06565b64-486d-4326-b906-890d9915804d",
"url": "https://deps.sec.gitlab.com/packages/gem/nokogiri/versions/1.8.0/advisories"
},
{
"type": "usn",
"name": "USN-3424-1",
"value": "USN-3424-1",
"url": "https://usn.ubuntu.com/3424-1/"
}
],
"links": [
{
"url": "https://github.com/sparklemotion/nokogiri/issues/1673"
}
],
"priority": "Unknown",
"file": "rails/Gemfile.lock",
"url": "https://github.com/sparklemotion/nokogiri/issues/1673",
"tool": "gemnasium"
},
{
"category": "dependency_scanning",
"name": "ffi - CVE-2018-1000201",
"message": "ruby-ffi DDL loading issue on Windows OS",
"cve": "ffi:1.9.18:CVE-2018-1000201",
"severity": "High",
"solution": "upgrade to \u003e= 1.9.24",
"scanner": {
"id": "bundler_audit",
"name": "bundler-audit"
},
"location": {
"file": "sast-sample-rails/Gemfile.lock",
"dependency": {
"package": {
"name": "ffi"
},
"version": "1.9.18"
}
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2018-1000201",
"value": "CVE-2018-1000201",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000201"
}
],
"links": [
{
"url": "https://github.com/ffi/ffi/releases/tag/1.9.24"
}
],
"priority": "High",
"file": "sast-sample-rails/Gemfile.lock",
"url": "https://github.com/ffi/ffi/releases/tag/1.9.24",
"tool": "bundler_audit"
}
]
spec/fixtures/security-reports/deprecated/gl-sast-report.json 0 → 100644
View file @ 21eb572f
[
{
"category": "sast",
"message": "Probable insecure usage of temp file/directory.",
"cve": "python/hardcoded/hardcoded-tmp.py:52865813c884a507be1f152d654245af34aba8a391626d01f1ab6d3f52ec8779:B108",
"severity": "Medium",
"confidence": "Medium",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/hardcoded/hardcoded-tmp.py",
"start_line": 1,
"end_line": 1
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B108",
"value": "B108",
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
}
],
"priority": "Medium",
"file": "python/hardcoded/hardcoded-tmp.py",
"line": 1,
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html",
"tool": "bandit"
},
{
"category": "sast",
"name": "Predictable pseudorandom number generator",
"message": "Predictable pseudorandom number generator",
"cve": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy:47:PREDICTABLE_RANDOM",
"severity": "Medium",
"confidence": "Medium",
"scanner": {
"id": "find_sec_bugs",
"name": "Find Security Bugs"
},
"location": {
"file": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
"start_line": 47,
"end_line": 47,
"class": "com.gitlab.security_products.tests.App",
"method": "generateSecretToken2"
},
"identifiers": [
{
"type": "find_sec_bugs_type",
"name": "Find Security Bugs-PREDICTABLE_RANDOM",
"value": "PREDICTABLE_RANDOM",
"url": "https://find-sec-bugs.github.io/bugs.htm#PREDICTABLE_RANDOM"
}
],
"priority": "Medium",
"file": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
"line": 47,
"url": "https://find-sec-bugs.github.io/bugs.htm#PREDICTABLE_RANDOM",
"tool": "find_sec_bugs"
},
{
"category": "sast",
"name": "Predictable pseudorandom number generator",
"message": "Predictable pseudorandom number generator",
"cve": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy:41:PREDICTABLE_RANDOM",
"severity": "Medium",
"confidence": "Medium",
"scanner": {
"id": "find_sec_bugs",
"name": "Find Security Bugs"
},
"location": {
"file": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
"start_line": 41,
"end_line": 41,
"class": "com.gitlab.security_products.tests.App",
"method": "generateSecretToken1"
},
"identifiers": [
{
"type": "find_sec_bugs_type",
"name": "Find Security Bugs-PREDICTABLE_RANDOM",
"value": "PREDICTABLE_RANDOM",
"url": "https://find-sec-bugs.github.io/bugs.htm#PREDICTABLE_RANDOM"
}
],
"priority": "Medium",
"file": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
"line": 41,
"url": "https://find-sec-bugs.github.io/bugs.htm#PREDICTABLE_RANDOM",
"tool": "find_sec_bugs"
},
{
"category": "sast",
"message": "Use of insecure MD2, MD4, or MD5 hash function.",
"cve": "python/imports/imports-aliases.py:cb203b465dffb0cb3a8e8bd8910b84b93b0a5995a938e4b903dbb0cd6ffa1254:B303",
"severity": "Medium",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-aliases.py",
"start_line": 11,
"end_line": 11
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B303",
"value": "B303"
}
],
"priority": "Medium",
"file": "python/imports/imports-aliases.py",
"line": 11,
"tool": "bandit"
},
{
"category": "sast",
"message": "Use of insecure MD2, MD4, or MD5 hash function.",
"cve": "python/imports/imports-aliases.py:a7173c43ae66bd07466632d819d450e0071e02dbf782763640d1092981f9631b:B303",
"severity": "Medium",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-aliases.py",
"start_line": 12,
"end_line": 12
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B303",
"value": "B303"
}
],
"priority": "Medium",
"file": "python/imports/imports-aliases.py",
"line": 12,
"tool": "bandit"
},
{
"category": "sast",
"message": "Use of insecure MD2, MD4, or MD5 hash function.",
"cve": "python/imports/imports-aliases.py:017017b77deb0b8369b6065947833eeea752a92ec8a700db590fece3e934cf0d:B303",
"severity": "Medium",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-aliases.py",
"start_line": 13,
"end_line": 13
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B303",
"value": "B303"
}
],
"priority": "Medium",
"file": "python/imports/imports-aliases.py",
"line": 13,
"tool": "bandit"
},
{
"category": "sast",
"message": "Use of insecure MD2, MD4, or MD5 hash function.",
"cve": "python/imports/imports-aliases.py:45fc8c53aea7b84f06bc4e590cc667678d6073c4c8a1d471177ca2146fb22db2:B303",
"severity": "Medium",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-aliases.py",
"start_line": 14,
"end_line": 14
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B303",
"value": "B303"
}
],
"priority": "Medium",
"file": "python/imports/imports-aliases.py",
"line": 14,
"tool": "bandit"
},
{
"category": "sast",
"message": "Pickle library appears to be in use, possible security issue.",
"cve": "python/imports/imports-aliases.py:5f200d47291e7bbd8352db23019b85453ca048dd98ea0c291260fa7d009963a4:B301",
"severity": "Medium",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-aliases.py",
"start_line": 15,
"end_line": 15
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B301",
"value": "B301"
}
],
"priority": "Medium",
"file": "python/imports/imports-aliases.py",
"line": 15,
"tool": "bandit"
},
{
"category": "sast",
"name": "ECB mode is insecure",
"message": "ECB mode is insecure",
"cve": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy:29:ECB_MODE",
"severity": "Medium",
"confidence": "High",
"scanner": {
"id": "find_sec_bugs",
"name": "Find Security Bugs"
},
"location": {
"file": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
"start_line": 29,
"end_line": 29,
"class": "com.gitlab.security_products.tests.App",
"method": "insecureCypher"
},
"identifiers": [
{
"type": "find_sec_bugs_type",
"name": "Find Security Bugs-ECB_MODE",
"value": "ECB_MODE",
"url": "https://find-sec-bugs.github.io/bugs.htm#ECB_MODE"
}
],
"priority": "Medium",
"file": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
"line": 29,
"url": "https://find-sec-bugs.github.io/bugs.htm#ECB_MODE",
"tool": "find_sec_bugs"
},
{
"category": "sast",
"name": "Cipher with no integrity",
"message": "Cipher with no integrity",
"cve": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy:29:CIPHER_INTEGRITY",
"severity": "Medium",
"confidence": "High",
"scanner": {
"id": "find_sec_bugs",
"name": "Find Security Bugs"
},
"location": {
"file": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
"start_line": 29,
"end_line": 29,
"class": "com.gitlab.security_products.tests.App",
"method": "insecureCypher"
},
"identifiers": [
{
"type": "find_sec_bugs_type",
"name": "Find Security Bugs-CIPHER_INTEGRITY",
"value": "CIPHER_INTEGRITY",
"url": "https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY"
}
],
"priority": "Medium",
"file": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
"line": 29,
"url": "https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY",
"tool": "find_sec_bugs"
},
{
"category": "sast",
"message": "Probable insecure usage of temp file/directory.",
"cve": "python/hardcoded/hardcoded-tmp.py:63dd4d626855555b816985d82c4614a790462a0a3ada89dc58eb97f9c50f3077:B108",
"severity": "Medium",
"confidence": "Medium",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/hardcoded/hardcoded-tmp.py",
"start_line": 14,
"end_line": 14
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B108",
"value": "B108",
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
}
],
"priority": "Medium",
"file": "python/hardcoded/hardcoded-tmp.py",
"line": 14,
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html",
"tool": "bandit"
},
{
"category": "sast",
"message": "Probable insecure usage of temp file/directory.",
"cve": "python/hardcoded/hardcoded-tmp.py:4ad6d4c40a8c263fc265f3384724014e0a4f8dd6200af83e51ff120420038031:B108",
"severity": "Medium",
"confidence": "Medium",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/hardcoded/hardcoded-tmp.py",
"start_line": 10,
"end_line": 10
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B108",
"value": "B108",
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
}
],
"priority": "Medium",
"file": "python/hardcoded/hardcoded-tmp.py",
"line": 10,
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html",
"tool": "bandit"
},
{
"category": "sast",
"message": "Consider possible security implications associated with Popen module.",
"cve": "python/imports/imports-aliases.py:2c3e1fa1e54c3c6646e8bcfaee2518153c6799b77587ff8d9a7b0631f6d34785:B404",
"severity": "Low",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-aliases.py",
"start_line": 1,
"end_line": 1
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B404",
"value": "B404"
}
],
"priority": "Low",
"file": "python/imports/imports-aliases.py",
"line": 1,
"tool": "bandit"
},
{
"category": "sast",
"message": "Consider possible security implications associated with pickle module.",
"cve": "python/imports/imports.py:af58d07f6ad519ef5287fcae65bf1a6999448a1a3a8bc1ac2a11daa80d0b96bf:B403",
"severity": "Low",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports.py",
"start_line": 2,
"end_line": 2
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B403",
"value": "B403"
}
],
"priority": "Low",
"file": "python/imports/imports.py",
"line": 2,
"tool": "bandit"
},
{
"category": "sast",
"message": "Consider possible security implications associated with subprocess module.",
"cve": "python/imports/imports.py:8de9bc98029d212db530785a5f6780cfa663548746ff228ab8fa96c5bb82f089:B404",
"severity": "Low",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports.py",
"start_line": 4,
"end_line": 4
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B404",
"value": "B404"
}
],
"priority": "Low",
"file": "python/imports/imports.py",
"line": 4,
"tool": "bandit"
},
{
"category": "sast",
"message": "Possible hardcoded password: 'blerg'",
"cve": "python/hardcoded/hardcoded-passwords.py:97c30f1d76d2a88913e3ce9ae74087874d740f87de8af697a9c455f01119f633:B106",
"severity": "Low",
"confidence": "Medium",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/hardcoded/hardcoded-passwords.py",
"start_line": 22,
"end_line": 22
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B106",
"value": "B106",
"url": "https://docs.openstack.org/bandit/latest/plugins/b106_hardcoded_password_funcarg.html"
}
],
"priority": "Low",
"file": "python/hardcoded/hardcoded-passwords.py",
"line": 22,
"url": "https://docs.openstack.org/bandit/latest/plugins/b106_hardcoded_password_funcarg.html",
"tool": "bandit"
},
{
"category": "sast",
"message": "Possible hardcoded password: 'root'",
"cve": "python/hardcoded/hardcoded-passwords.py:7431c73a0bc16d94ece2a2e75ef38f302574d42c37ac0c3c38ad0b3bf8a59f10:B105",
"severity": "Low",
"confidence": "Medium",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/hardcoded/hardcoded-passwords.py",
"start_line": 5,
"end_line": 5
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B105",
"value": "B105",
"url": "https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html"
}
],
"priority": "Low",
"file": "python/hardcoded/hardcoded-passwords.py",
"line": 5,
"url": "https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html",
"tool": "bandit"
},
{
"category": "sast",
"message": "Possible hardcoded password: ''",
"cve": "python/hardcoded/hardcoded-passwords.py:d2d1857c27caedd49c57bfbcdc23afcc92bd66a22701fcdc632869aab4ca73ee:B105",
"severity": "Low",
"confidence": "Medium",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/hardcoded/hardcoded-passwords.py",
"start_line": 9,
"end_line": 9
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B105",
"value": "B105",
"url": "https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html"
}
],
"priority": "Low",
"file": "python/hardcoded/hardcoded-passwords.py",
"line": 9,
"url": "https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html",
"tool": "bandit"
},
{
"category": "sast",
"message": "Possible hardcoded password: 'ajklawejrkl42348swfgkg'",
"cve": "python/hardcoded/hardcoded-passwords.py:fb3866215a61393a5c9c32a3b60e2058171a23219c353f722cbd3567acab21d2:B105",
"severity": "Low",
"confidence": "Medium",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/hardcoded/hardcoded-passwords.py",
"start_line": 13,
"end_line": 13
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B105",
"value": "B105",
"url": "https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html"
}
],
"priority": "Low",
"file": "python/hardcoded/hardcoded-passwords.py",
"line": 13,
"url": "https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html",
"tool": "bandit"
},
{
"category": "sast",
"message": "Possible hardcoded password: 'blerg'",
"cve": "python/hardcoded/hardcoded-passwords.py:63c62a8b7e1e5224439bd26b28030585ac48741e28ca64561a6071080c560a5f:B105",
"severity": "Low",
"confidence": "Medium",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/hardcoded/hardcoded-passwords.py",
"start_line": 23,
"end_line": 23
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B105",
"value": "B105",
"url": "https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html"
}
],
"priority": "Low",
"file": "python/hardcoded/hardcoded-passwords.py",
"line": 23,
"url": "https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html",
"tool": "bandit"
},
{
"category": "sast",
"message": "Possible hardcoded password: 'blerg'",
"cve": "python/hardcoded/hardcoded-passwords.py:4311b06d08df8fa58229b341c531da8e1a31ec4520597bdff920cd5c098d86f9:B105",
"severity": "Low",
"confidence": "Medium",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/hardcoded/hardcoded-passwords.py",
"start_line": 24,
"end_line": 24
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B105",
"value": "B105",
"url": "https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html"
}
],
"priority": "Low",
"file": "python/hardcoded/hardcoded-passwords.py",
"line": 24,
"url": "https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html",
"tool": "bandit"
},
{
"category": "sast",
"message": "Consider possible security implications associated with subprocess module.",
"cve": "python/imports/imports-function.py:5858400c2f39047787702de44d03361ef8d954c9d14bd54ee1c2bef9e6a7df93:B404",
"severity": "Low",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-function.py",
"start_line": 4,
"end_line": 4
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B404",
"value": "B404"
}
],
"priority": "Low",
"file": "python/imports/imports-function.py",
"line": 4,
"tool": "bandit"
},
{
"category": "sast",
"message": "Consider possible security implications associated with pickle module.",
"cve": "python/imports/imports-function.py:dbda3cf4190279d30e0aad7dd137eca11272b0b225e8af4e8bf39682da67d956:B403",
"severity": "Low",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-function.py",
"start_line": 2,
"end_line": 2
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B403",
"value": "B403"
}
],
"priority": "Low",
"file": "python/imports/imports-function.py",
"line": 2,
"tool": "bandit"
},
{
"category": "sast",
"message": "Consider possible security implications associated with Popen module.",
"cve": "python/imports/imports-from.py:eb8a0db9cd1a8c1ab39a77e6025021b1261cc2a0b026b2f4a11fca4e0636d8dd:B404",
"severity": "Low",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-from.py",
"start_line": 7,
"end_line": 7
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B404",
"value": "B404"
}
],
"priority": "Low",
"file": "python/imports/imports-from.py",
"line": 7,
"tool": "bandit"
},
{
"category": "sast",
"message": "subprocess call with shell=True seems safe, but may be changed in the future, consider rewriting without shell",
"cve": "python/imports/imports-aliases.py:f99f9721e27537fbcb6699a4cf39c6740d6234d2c6f06cfc2d9ea977313c483d:B602",
"severity": "Low",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-aliases.py",
"start_line": 9,
"end_line": 9
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B602",
"value": "B602",
"url": "https://docs.openstack.org/bandit/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html"
}
],
"priority": "Low",
"file": "python/imports/imports-aliases.py",
"line": 9,
"url": "https://docs.openstack.org/bandit/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html",
"tool": "bandit"
},
{
"category": "sast",
"message": "Consider possible security implications associated with subprocess module.",
"cve": "python/imports/imports-from.py:332a12ab1146698f614a905ce6a6a5401497a12281aef200e80522711c69dcf4:B404",
"severity": "Low",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-from.py",
"start_line": 6,
"end_line": 6
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B404",
"value": "B404"
}
],
"priority": "Low",
"file": "python/imports/imports-from.py",
"line": 6,
"tool": "bandit"
},
{
"category": "sast",
"message": "Consider possible security implications associated with Popen module.",
"cve": "python/imports/imports-from.py:0a48de4a3d5348853a03666cb574697e3982998355e7a095a798bd02a5947276:B404",
"severity": "Low",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-from.py",
"start_line": 1,
"end_line": 2
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B404",
"value": "B404"
}
],
"priority": "Low",
"file": "python/imports/imports-from.py",
"line": 1,
"tool": "bandit"
},
{
"category": "sast",
"message": "Consider possible security implications associated with pickle module.",
"cve": "python/imports/imports-aliases.py:51b71661dff994bde3529639a727a678c8f5c4c96f00d300913f6d5be1bbdf26:B403",
"severity": "Low",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-aliases.py",
"start_line": 7,
"end_line": 8
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B403",
"value": "B403"
}
],
"priority": "Low",
"file": "python/imports/imports-aliases.py",
"line": 7,
"tool": "bandit"
},
{
"category": "sast",
"message": "Consider possible security implications associated with loads module.",
"cve": "python/imports/imports-aliases.py:6ff02aeb3149c01ab68484d794a94f58d5d3e3bb0d58557ef4153644ea68ea54:B403",
"severity": "Low",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-aliases.py",
"start_line": 6,
"end_line": 6
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B403",
"value": "B403"
}
],
"priority": "Low",
"file": "python/imports/imports-aliases.py",
"line": 6,
"tool": "bandit"
},
{
"category": "sast",
"message": "Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120)",
"cve": "c/subdir/utils.c:b466873101951fe96e1332f6728eb7010acbbd5dfc3b65d7d53571d091a06d9e:CWE-119!/CWE-120",
"confidence": "Low",
"solution": "Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length",
"scanner": {
"id": "flawfinder",
"name": "Flawfinder"
},
"location": {
"file": "c/subdir/utils.c",
"start_line": 4
},
"identifiers": [
{
"type": "cwe",
"name": "CWE-119",
"value": "119",
"url": "https://cwe.mitre.org/data/definitions/119.html"
},
{
"type": "cwe",
"name": "CWE-120",
"value": "120",
"url": "https://cwe.mitre.org/data/definitions/120.html"
}
],
"file": "c/subdir/utils.c",
"line": 4,
"url": "https://cwe.mitre.org/data/definitions/119.html",
"tool": "flawfinder"
},
{
"category": "sast",
"message": "Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362)",
"cve": "c/subdir/utils.c:bab681140fcc8fc3085b6bba74081b44ea145c1c98b5e70cf19ace2417d30770:CWE-362",
"confidence": "Low",
"scanner": {
"id": "flawfinder",
"name": "Flawfinder"
},
"location": {
"file": "c/subdir/utils.c",
"start_line": 8
},
"identifiers": [
{
"type": "cwe",
"name": "CWE-362",
"value": "362",
"url": "https://cwe.mitre.org/data/definitions/362.html"
}
],
"file": "c/subdir/utils.c",
"line": 8,
"url": "https://cwe.mitre.org/data/definitions/362.html",
"tool": "flawfinder"
},
{
"category": "sast",
"message": "Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120)",
"cve": "cplusplus/src/hello.cpp:c8c6dd0afdae6814194cf0930b719f757ab7b379cf8f261e7f4f9f2f323a818a:CWE-119!/CWE-120",
"confidence": "Low",
"solution": "Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length",
"scanner": {
"id": "flawfinder",
"name": "Flawfinder"
},
"location": {
"file": "cplusplus/src/hello.cpp",
"start_line": 6
},
"identifiers": [
{
"type": "cwe",
"name": "CWE-119",
"value": "119",
"url": "https://cwe.mitre.org/data/definitions/119.html"
},
{
"type": "cwe",
"name": "CWE-120",
"value": "120",
"url": "https://cwe.mitre.org/data/definitions/120.html"
}
],
"file": "cplusplus/src/hello.cpp",
"line": 6,
"url": "https://cwe.mitre.org/data/definitions/119.html",
"tool": "flawfinder"
},
{
"category": "sast",
"message": "Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120)",
"cve": "cplusplus/src/hello.cpp:331c04062c4fe0c7c486f66f59e82ad146ab33cdd76ae757ca41f392d568cbd0:CWE-120",
"confidence": "Low",
"solution": "Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)",
"scanner": {
"id": "flawfinder",
"name": "Flawfinder"
},
"location": {
"file": "cplusplus/src/hello.cpp",
"start_line": 7
},
"identifiers": [
{
"type": "cwe",
"name": "CWE-120",
"value": "120",
"url": "https://cwe.mitre.org/data/definitions/120.html"
}
],
"file": "cplusplus/src/hello.cpp",
"line": 7,
"url": "https://cwe.mitre.org/data/definitions/120.html",
"tool": "flawfinder"
}
]
spec/fixtures/security-reports/feature-branch/gl-dependency-scanning-report.json
View file @ 21eb572f
[ {
"version": "1.3",
"vulnerabilities": [
{ {
"category": "dependency_scanning", "category": "dependency_scanning",
"name": "io.netty/netty - CVE-2014-3488", "name": "io.netty/netty - CVE-2014-3488",
...@@ -175,4 +177,5 @@ ...@@ -175,4 +177,5 @@
"url": "https://github.com/ffi/ffi/releases/tag/1.9.24", "url": "https://github.com/ffi/ffi/releases/tag/1.9.24",
"tool": "bundler_audit" "tool": "bundler_audit"
} }
] ]
}
spec/fixtures/security-reports/feature-branch/gl-license-management-report.json
View file @ 21eb572f
{ {
"licenses": [ "licenses": [
{ {
"count": 13, "count": 1,
"name": "MIT" "name": "WTFPL"
},
{
"count": 2,
"name": "New BSD"
}, },
{ {
"count": 1, "count": 1,
"name": "LGPL" "name": "MIT"
} }
], ],
"dependencies": [ "dependencies": [
...@@ -20,107 +16,9 @@ ...@@ -20,107 +16,9 @@
"url": "http://opensource.org/licenses/mit-license" "url": "http://opensource.org/licenses/mit-license"
}, },
"dependency": { "dependency": {
"name": "bundler", "name": "actioncable",
"url": "http://bundler.io", "url": "http://rubyonrails.org",
"description": "The best way to manage your application's dependencies", "description": "WebSocket framework for Rails.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "concurrent-ruby",
"url": "http://www.concurrent-ruby.com",
"description": "Modern concurrency tools for Ruby. Inspired by Erlang, Clojure, Scala, Haskell, F#, C#, Java, and classic concurrency patterns.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "connection_pool",
"url": "https://github.com/mperham/connection_pool",
"description": "Generic connection pool for Ruby",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "mini_portile2",
"url": "http://github.com/flavorjones/mini_portile",
"description": "Simplistic port-like solution for developers",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "mustermann",
"url": "https://github.com/sinatra/mustermann",
"description": "Your personal string matching expert.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "nokogiri",
"url": "http://nokogiri.org",
"description": "Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser",
"pathes": [
"."
]
}
},
{
"license": {
"name": "New BSD",
"url": "http://opensource.org/licenses/BSD-3-Clause"
},
"dependency": {
"name": "pg",
"url": "https://bitbucket.org/ged/ruby-pg",
"description": "Pg is the Ruby interface to the {PostgreSQL RDBMS}[http://www.postgresql.org/]",
"pathes": [
"."
]
}
},
{
"license": {
"name": "New BSD",
"url": "http://opensource.org/licenses/BSD-3-Clause"
},
"dependency": {
"name": "puma",
"url": "http://puma.io",
"description": "Puma is a simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack applications",
"pathes": [ "pathes": [
"." "."
] ]
...@@ -128,111 +26,13 @@ ...@@ -128,111 +26,13 @@
}, },
{ {
"license": { "license": {
"name": "MIT", "name": "WTFPL",
"url": "http://opensource.org/licenses/mit-license" "url": "http://www.wtfpl.net/"
},
"dependency": {
"name": "rack",
"url": "https://rack.github.io/",
"description": "a modular Ruby webserver interface",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "rack-protection",
"url": "http://github.com/sinatra/sinatra/tree/master/rack-protection",
"description": "Protect against typical web attacks, works with all Rack apps, including Rails.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "redis",
"url": "https://github.com/redis/redis-rb",
"description": "A Ruby client library for Redis",
"pathes": [
"."
]
}
},
{
"license": {
"name": "LGPL",
"url": "http://www.gnu.org/licenses/lgpl.txt"
},
"dependency": {
"name": "sidekiq",
"url": "http://sidekiq.org",
"description": "Simple, efficient background processing for Ruby",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "sinatra",
"url": "http://www.sinatrarb.com/",
"description": "Classy web-development dressed in a DSL",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "slim",
"url": "http://slim-lang.com/",
"description": "Slim is a template language.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "temple",
"url": "https://github.com/judofyr/temple",
"description": "Template compilation framework in Ruby",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
}, },
"dependency": { "dependency": {
"name": "tilt", "name": "wtfpl_init",
"url": "http://github.com/rtomayko/tilt/", "url": "https://rubygems.org/gems/wtfpl_init",
"description": "Generic interface to multiple Ruby template engines", "description": "Download WTFPL license file and rename to LICENSE.md or something",
"pathes": [ "pathes": [
"." "."
] ]
......
spec/fixtures/security-reports/feature-branch/gl-sast-report.json
View file @ 21eb572f
[ {
"version": "1.2",
"vulnerabilities": [
{ {
"category": "sast", "category": "sast",
"message": "Probable insecure usage of temp file/directory.", "message": "Probable insecure usage of temp file/directory.",
...@@ -941,4 +943,5 @@ ...@@ -941,4 +943,5 @@
"url": "https://cwe.mitre.org/data/definitions/120.html", "url": "https://cwe.mitre.org/data/definitions/120.html",
"tool": "flawfinder" "tool": "flawfinder"
} }
] ]
}
spec/fixtures/security-reports/master/gl-dependency-scanning-report.json
View file @ 21eb572f
[ {
"version": "1.3",
"vulnerabilities": [
{ {
"category": "dependency_scanning", "category": "dependency_scanning",
"name": "io.netty/netty - CVE-2014-3488", "name": "io.netty/netty - CVE-2014-3488",
...@@ -175,4 +177,5 @@ ...@@ -175,4 +177,5 @@
"url": "https://github.com/ffi/ffi/releases/tag/1.9.24", "url": "https://github.com/ffi/ffi/releases/tag/1.9.24",
"tool": "bundler_audit" "tool": "bundler_audit"
} }
] ]
}
spec/fixtures/security-reports/master/gl-license-management-report.json
View file @ 21eb572f
{ {
"licenses": [ "licenses": [
{ {
"count": 10, "count": 52,
"name": "MIT" "name": "MIT"
},
{
"count": 3,
"name": "New BSD"
},
{
"count": 1,
"name": "Apache 2.0"
},
{
"count": 1,
"name": "unknown"
}
],
"dependencies": [
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "actioncable",
"url": "http://rubyonrails.org",
"description": "WebSocket framework for Rails.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "actionmailer",
"url": "http://rubyonrails.org",
"description": "Email composition, delivery, and receiving framework (part of Rails).",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "actionpack",
"url": "http://rubyonrails.org",
"description": "Web-flow and rendering framework putting the VC in MVC (part of Rails).",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "actionview",
"url": "http://rubyonrails.org",
"description": "Rendering framework putting the V in MVC (part of Rails).",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "activejob",
"url": "http://rubyonrails.org",
"description": "Job framework with pluggable queues.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "activemodel",
"url": "http://rubyonrails.org",
"description": "A toolkit for building modeling frameworks (part of Rails).",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "activerecord",
"url": "http://rubyonrails.org",
"description": "Object-relational mapper framework (part of Rails).",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "activesupport",
"url": "http://rubyonrails.org",
"description": "A toolkit of support libraries and Ruby core extensions extracted from the Rails framework.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "arel",
"url": "https://github.com/rails/arel",
"description": "Arel Really Exasperates Logicians Arel is a SQL AST manager for Ruby",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "builder",
"url": "http://onestepback.org",
"description": "Builders for MarkUp.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "bundler",
"url": "http://bundler.io",
"description": "The best way to manage your application's dependencies",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "coffee-rails",
"url": "https://github.com/rails/coffee-rails",
"description": "CoffeeScript adapter for the Rails asset pipeline.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "coffee-script",
"url": "http://github.com/josh/ruby-coffee-script",
"description": "Ruby CoffeeScript Compiler",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "coffee-script-source",
"url": "http://coffeescript.org",
"description": "The CoffeeScript Compiler",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "concurrent-ruby",
"url": "http://www.concurrent-ruby.com",
"description": "Modern concurrency tools for Ruby. Inspired by Erlang, Clojure, Scala, Haskell, F#, C#, Java, and classic concurrency patterns.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "crass",
"url": "https://github.com/rgrove/crass/",
"description": "CSS parser based on the CSS Syntax Level 3 spec.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "erubis",
"url": "http://www.kuwata-lab.com/erubis/",
"description": "a fast and extensible eRuby implementation which supports multi-language",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "execjs",
"url": "https://github.com/rails/execjs",
"description": "Run JavaScript code from Ruby",
"pathes": [
"."
]
}
},
{
"license": {
"name": "New BSD",
"url": "http://opensource.org/licenses/BSD-3-Clause"
},
"dependency": {
"name": "ffi",
"url": "http://wiki.github.com/ffi/ffi",
"description": "Ruby FFI",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "globalid",
"url": "http://www.rubyonrails.org",
"description": "Refer to any model with a URI: gid://app/class/id",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "i18n",
"url": "http://github.com/svenfuchs/i18n",
"description": "New wave Internationalization support for Ruby",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "jbuilder",
"url": "https://github.com/rails/jbuilder",
"description": "Create JSON structures via a Builder-style DSL",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "loofah",
"description": "",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "mail",
"url": "https://github.com/mikel/mail",
"description": "Mail provides a nice Ruby DSL for making, sending and reading emails.",
"pathes": [
"."
]
} }
], },
"dependencies": [ {
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "method_source",
"url": "http://banisterfiend.wordpress.com",
"description": "retrieve the sourcecode for a method",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "mini_mime",
"url": "https://github.com/discourse/mini_mime",
"description": "A lightweight mime type lookup toy",
"pathes": [
"."
]
}
},
{ {
"license": { "license": {
"name": "MIT", "name": "MIT",
...@@ -26,9 +401,37 @@ ...@@ -26,9 +401,37 @@
"url": "http://opensource.org/licenses/mit-license" "url": "http://opensource.org/licenses/mit-license"
}, },
"dependency": { "dependency": {
"name": "mustermann", "name": "minitest",
"url": "https://github.com/sinatra/mustermann", "url": "https://github.com/seattlerb/minitest",
"description": "Your personal string matching expert.", "description": "minitest provides a complete suite of testing facilities supporting TDD, BDD, mocking, and benchmarking",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "multi_json",
"url": "http://github.com/intridea/multi_json",
"description": "A common interface to multiple JSON libraries.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "nio4r",
"url": "https://github.com/celluloid/nio4r",
"description": "NIO provides a high performance selector API for monitoring IO objects",
"pathes": [ "pathes": [
"." "."
] ]
...@@ -48,6 +451,20 @@ ...@@ -48,6 +451,20 @@
] ]
} }
}, },
{
"license": {
"name": "New BSD",
"url": "http://opensource.org/licenses/BSD-3-Clause"
},
"dependency": {
"name": "puma",
"url": "http://puma.io",
"description": "Puma is a simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack applications",
"pathes": [
"."
]
}
},
{ {
"license": { "license": {
"name": "MIT", "name": "MIT",
...@@ -68,9 +485,147 @@ ...@@ -68,9 +485,147 @@
"url": "http://opensource.org/licenses/mit-license" "url": "http://opensource.org/licenses/mit-license"
}, },
"dependency": { "dependency": {
"name": "rack-protection", "name": "rack-test",
"url": "http://github.com/sinatra/sinatra/tree/master/rack-protection", "url": "http://github.com/brynary/rack-test",
"description": "Protect against typical web attacks, works with all Rack apps, including Rails.", "description": "Simple testing API built on Rack",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "rails",
"url": "http://rubyonrails.org",
"description": "Full-stack web application framework.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "rails-dom-testing",
"url": "https://github.com/rails/rails-dom-testing",
"description": "Dom and Selector assertions for Rails applications",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "rails-html-sanitizer",
"url": "https://github.com/rails/rails-html-sanitizer",
"description": "This gem is responsible to sanitize HTML fragments in Rails applications.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "railties",
"url": "http://rubyonrails.org",
"description": "Tools for creating, working with, and running Rails applications.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "rake",
"url": "https://github.com/ruby/rake",
"description": "Rake is a Make-like program implemented in Ruby",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "rb-fsevent",
"url": "http://rubygems.org/gems/rb-fsevent",
"description": "Very simple & usable FSEvents API",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "rb-inotify",
"url": "https://github.com/guard/rb-inotify",
"description": "A Ruby wrapper for Linux inotify, using FFI",
"pathes": [
"."
]
}
},
{
"license": {
"name": "unknown"
},
"dependency": {
"name": "ruby-bundler-rails",
"description": "",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "sass",
"url": "http://sass-lang.com/",
"description": "A powerful but elegant CSS compiler that makes CSS fun again.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "sass-listen",
"url": "https://github.com/sass/listen",
"description": "Fork of guard/listen",
"pathes": [ "pathes": [
"." "."
] ]
...@@ -82,9 +637,9 @@ ...@@ -82,9 +637,9 @@
"url": "http://opensource.org/licenses/mit-license" "url": "http://opensource.org/licenses/mit-license"
}, },
"dependency": { "dependency": {
"name": "redis", "name": "sass-rails",
"url": "https://github.com/redis/redis-rb", "url": "https://github.com/rails/sass-rails",
"description": "A Ruby client library for Redis", "description": "Sass adapter for the Rails asset pipeline.",
"pathes": [ "pathes": [
"." "."
] ]
...@@ -96,9 +651,9 @@ ...@@ -96,9 +651,9 @@
"url": "http://opensource.org/licenses/mit-license" "url": "http://opensource.org/licenses/mit-license"
}, },
"dependency": { "dependency": {
"name": "sinatra", "name": "sprockets",
"url": "http://www.sinatrarb.com/", "url": "https://github.com/rails/sprockets",
"description": "Classy web-development dressed in a DSL", "description": "Rack-based asset packaging system",
"pathes": [ "pathes": [
"." "."
] ]
...@@ -110,9 +665,23 @@ ...@@ -110,9 +665,23 @@
"url": "http://opensource.org/licenses/mit-license" "url": "http://opensource.org/licenses/mit-license"
}, },
"dependency": { "dependency": {
"name": "slim", "name": "sprockets-rails",
"url": "http://slim-lang.com/", "url": "https://github.com/rails/sprockets-rails",
"description": "Slim is a template language.", "description": "Sprockets Rails integration",
"pathes": [
"."
]
}
},
{
"license": {
"name": "New BSD",
"url": "http://opensource.org/licenses/BSD-3-Clause"
},
"dependency": {
"name": "sqlite3",
"url": "https://github.com/sparklemotion/sqlite3-ruby",
"description": "This module allows Ruby programs to interface with the SQLite3 database engine (http://www.sqlite.org)",
"pathes": [ "pathes": [
"." "."
] ]
...@@ -124,9 +693,23 @@ ...@@ -124,9 +693,23 @@
"url": "http://opensource.org/licenses/mit-license" "url": "http://opensource.org/licenses/mit-license"
}, },
"dependency": { "dependency": {
"name": "temple", "name": "thor",
"url": "https://github.com/judofyr/temple", "url": "http://whatisthor.com/",
"description": "Template compilation framework in Ruby", "description": "Thor is a toolkit for building powerful command-line interfaces.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "Apache 2.0",
"url": "http://www.apache.org/licenses/LICENSE-2.0.txt"
},
"dependency": {
"name": "thread_safe",
"url": "https://github.com/ruby-concurrency/thread_safe",
"description": "Thread-safe collections and utilities for Ruby",
"pathes": [ "pathes": [
"." "."
] ]
...@@ -145,6 +728,90 @@ ...@@ -145,6 +728,90 @@
"." "."
] ]
} }
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "turbolinks",
"url": "https://github.com/turbolinks/turbolinks",
"description": "Turbolinks makes navigating your web application faster",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "turbolinks-source",
"url": "https://github.com/turbolinks/turbolinks-source-gem",
"description": "Turbolinks JavaScript assets",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "tzinfo",
"url": "http://tzinfo.github.io",
"description": "Daylight savings aware timezone library",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "uglifier",
"url": "http://github.com/lautis/uglifier",
"description": "Ruby wrapper for UglifyJS JavaScript compressor",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "websocket-driver",
"url": "http://github.com/faye/websocket-driver-ruby",
"description": "WebSocket protocol handler with pluggable I/O",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "websocket-extensions",
"url": "https://github.com/faye/websocket-extensions-ruby",
"description": "Generic extension manager for WebSocket connections",
"pathes": [
"."
]
}
} }
] ]
} }
spec/fixtures/security-reports/master/gl-sast-report.json
View file @ 21eb572f
[ {
"version": "1.2",
"vulnerabilities": [
{ {
"category": "sast", "category": "sast",
"message": "Probable insecure usage of temp file/directory.", "message": "Probable insecure usage of temp file/directory.",
...@@ -941,4 +943,5 @@ ...@@ -941,4 +943,5 @@
"url": "https://cwe.mitre.org/data/definitions/120.html", "url": "https://cwe.mitre.org/data/definitions/120.html",
"tool": "flawfinder" "tool": "flawfinder"
} }
] ]
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7