Merge branch '255936_limit_the_number_of_saved_vulnerability_identifiers' into 'master'

Limit the number of saved vulnerability identifiers See merge request gitlab-org/gitlab!45521

Merge branch '255936_limit_the_number_of_saved_vulnerability_identifiers' into 'master'
Limit the number of saved vulnerability identifiers See merge request gitlab-org/gitlab!45521
27b846a5 · Mark Chao · 7dbc73af · d7f2a35c · 27b846a5 · 27b846a5
Commit 27b846a5 authored Oct 20, 2020 by Mark Chao
6 changed files
--- a/doc/development/integrations/secure.md
+++ b/doc/development/integrations/secure.md
@@ -384,6 +384,9 @@ reported for the same commit, except for `CWE` and `WASC`.
 Not all vulnerabilities have CVEs, and a CVE can be identified multiple times. As a result, a CVE
 isn't a stable identifier and you shouldn't assume it as such when tracking vulnerabilities.

+The maximum number of identifiers for a vulnerability is set as 20. If a vulnerability has more than 20 identifiers,
+the system will save only the first 20 of them.
+
 ### Location

 The `location` indicates where the vulnerability has been detected.

--- a/ee/app/models/vulnerabilities/finding.rb
+++ b/ee/app/models/vulnerabilities/finding.rb
@@ -11,6 +11,7 @@ module Vulnerabilities
    self.table_name = "vulnerability_occurrences"

    FINDINGS_PER_PAGE = 20
+    MAX_NUMBER_OF_IDENTIFIERS = 20

    paginates_per FINDINGS_PER_PAGE


--- a/ee/app/services/security/store_report_service.rb
+++ b/ee/app/services/security/store_report_service.rb
@@ -54,7 +54,9 @@ module Security

      update_vulnerability_finding(vulnerability_finding, vulnerability_params)

-      finding.identifiers.map do |identifier|
+      # The maximum number of identifiers is not used in validation
+      # we just want to ignore the rest if a finding has more than that.
+      finding.identifiers.take(Vulnerabilities::Finding::MAX_NUMBER_OF_IDENTIFIERS).map do |identifier| # rubocop: disable CodeReuse/ActiveRecord
        create_or_update_vulnerability_identifier_object(vulnerability_finding, identifier)
      end


--- a/ee/spec/factories/ci/job_artifacts.rb
+++ b/ee/spec/factories/ci/job_artifacts.rb
@@ -12,6 +12,16 @@ FactoryBot.define do
      end
    end

+    trait :with_exceeding_identifiers do
+      file_type { :sast }
+      file_format { :raw }
+
+      after(:build) do |artifact, _|
+        artifact.file = fixture_file_upload(
+          Rails.root.join('ee/spec/fixtures/security_reports/master/gl-sast-report-with-exceeding-identifiers.json'), 'application/json')
+      end
+    end
+
    trait :secret_detection do
      file_type { :secret_detection }
      file_format { :raw }

--- a/ee/spec/fixtures/security_reports/master/gl-sast-report-with-exceeding-identifiers.json
+++ b/ee/spec/fixtures/security_reports/master/gl-sast-report-with-exceeding-identifiers.json
+{
+  "version": "1.2",
+  "vulnerabilities": [
+    {
+      "category": "sast",
+      "message": "Probable insecure usage of temp file/directory.",
+      "cve": "python/hardcoded/hardcoded-tmp.py:52865813c884a507be1f152d654245af34aba8a391626d01f1ab6d3f52ec8779:B108",
+      "severity": "Medium",
+      "confidence": "Medium",
+      "scanner": {
+        "id": "bandit",
+        "name": "Bandit"
+      },
+      "location": {
+        "file": "python/hardcoded/hardcoded-tmp.py",
+        "start_line": 1,
+        "end_line": 1
+      },
+      "identifiers": [
+        {
+          "type": "bandit_test_id_1",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_2",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_3",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_4",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_5",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_6",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_7",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_8",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_9",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_10",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_11",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_12",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_13",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_14",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_15",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_16",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_17",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_18",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_19",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_20",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_21",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        }
+      ],
+      "priority": "Medium",
+      "file": "python/hardcoded/hardcoded-tmp.py",
+      "line": 1,
+      "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html",
+      "tool": "bandit"
+    }
+  ],
+  "remediations": [],
+  "scan": {
+    "scanner": {
+      "id": "gosec",
+      "name": "Gosec",
+      "url": "https://github.com/securego/gosec",
+      "vendor": {
+        "name": "GitLab"
+      },
+      "version": "2.3.0"
+    },
+    "type": "sast",
+    "status": "success",
+    "start_time": "placeholder-value",
+    "end_time": "placeholder-value"
+  }
+}
--- a/ee/spec/services/security/store_report_service_spec.rb
+++ b/ee/spec/services/security/store_report_service_spec.rb
@@ -4,7 +4,8 @@ require 'spec_helper'

 RSpec.describe Security::StoreReportService, '#execute' do
  let_it_be(:user) { create(:user) }
-  let(:artifact) { create(:ee_ci_job_artifact, report_type) }
+  let(:artifact) { create(:ee_ci_job_artifact, trait) }
+  let(:report_type) { artifact.file_type }
  let(:project) { artifact.project }
  let(:pipeline) { artifact.job.pipeline }
  let(:report) { pipeline.security_reports.get_report(report_type.to_s, artifact) }
@@ -23,10 +24,11 @@ RSpec.describe Security::StoreReportService, '#execute' do

    using RSpec::Parameterized::TableSyntax

-    where(:case_name, :report_type, :scanners, :identifiers, :findings, :finding_identifiers, :finding_pipelines) do
-      'with SAST report'                | :sast                | 3 | 17 | 33 | 39 | 33
-      'with Dependency Scanning report' | :dependency_scanning | 2 | 7  | 4  | 7  | 4
-      'with Container Scanning report'  | :container_scanning  | 1 | 8  | 8  | 8  | 8
+    where(:case_name, :trait, :scanners, :identifiers, :findings, :finding_identifiers, :finding_pipelines) do
+      'with SAST report'                | :sast                       | 3 | 17 | 33 | 39 | 33
+      'with exceeding identifiers'      | :with_exceeding_identifiers | 1 | 20 | 1  | 20 | 1
+      'with Dependency Scanning report' | :dependency_scanning        | 2 | 7  | 4  | 7  | 4
+      'with Container Scanning report'  | :container_scanning         | 1 | 8  | 8  | 8  | 8
    end

    with_them do
@@ -85,7 +87,7 @@ RSpec.describe Security::StoreReportService, '#execute' do
    let(:new_build) { create(:ci_build, pipeline: new_pipeline) }
    let(:new_pipeline) { create(:ci_pipeline, project: project) }
    let(:new_report) { new_pipeline.security_reports.get_report(report_type.to_s, artifact) }
-    let(:report_type) { :sast }
+    let(:trait) { :sast }

    let!(:finding) do
      create(:vulnerabilities_finding,
@@ -180,7 +182,7 @@ RSpec.describe Security::StoreReportService, '#execute' do

  context 'with existing data from same pipeline' do
    let!(:finding) { create(:vulnerabilities_finding, project: project, pipelines: [pipeline]) }
-    let(:report_type) { :sast }
+    let(:trait) { :sast }

    it 'skips report' do
      expect(subject).to eq({