Commit a4273cc0 authored by Tiger Watson's avatar Tiger Watson

Merge branch '343279-ingest-evidence' into 'master'

Add finding evidence ingestion

See merge request gitlab-org/gitlab!75287
parents e08bbf6a 855b613c
...@@ -47,13 +47,14 @@ module Security ...@@ -47,13 +47,14 @@ module Security
report_finding = report_finding_for(security_finding) report_finding = report_finding_for(security_finding)
return Vulnerabilities::Finding.new unless report_finding return Vulnerabilities::Finding.new unless report_finding
finding_data = report_finding.to_hash.except(:compare_key, :identifiers, :location, :scanner, :links, :signatures, :flags) finding_data = report_finding.to_hash.except(:compare_key, :identifiers, :location, :scanner, :links, :signatures, :flags, :evidence)
identifiers = report_finding.identifiers.map do |identifier| identifiers = report_finding.identifiers.map do |identifier|
Vulnerabilities::Identifier.new(identifier.to_hash) Vulnerabilities::Identifier.new(identifier.to_hash)
end end
signatures = report_finding.signatures.map do |signature| signatures = report_finding.signatures.map do |signature|
Vulnerabilities::FindingSignature.new(signature.to_hash) Vulnerabilities::FindingSignature.new(signature.to_hash)
end end
evidence = Vulnerabilities::Finding::Evidence.new(data: report_finding.evidence.data) if report_finding.evidence
Vulnerabilities::Finding.new(finding_data).tap do |finding| Vulnerabilities::Finding.new(finding_data).tap do |finding|
finding.location_fingerprint = report_finding.location.fingerprint finding.location_fingerprint = report_finding.location.fingerprint
...@@ -61,6 +62,7 @@ module Security ...@@ -61,6 +62,7 @@ module Security
finding.project = project finding.project = project
finding.sha = pipeline.sha finding.sha = pipeline.sha
finding.scanner = security_finding.scanner finding.scanner = security_finding.scanner
finding.finding_evidence = evidence
if calculate_false_positive? if calculate_false_positive?
finding.vulnerability_flags = report_finding.flags.map do |flag| finding.vulnerability_flags = report_finding.flags.map do |flag|
......
...@@ -82,7 +82,7 @@ module Security ...@@ -82,7 +82,7 @@ module Security
def normalize_report_findings(report_findings, vulnerabilities) def normalize_report_findings(report_findings, vulnerabilities)
report_findings.map do |report_finding| report_findings.map do |report_finding|
finding_hash = report_finding.to_hash finding_hash = report_finding.to_hash
.except(:compare_key, :identifiers, :location, :scanner, :links, :signatures, :flags) .except(:compare_key, :identifiers, :location, :scanner, :links, :signatures, :flags, :evidence)
finding = Vulnerabilities::Finding.new(finding_hash) finding = Vulnerabilities::Finding.new(finding_hash)
# assigning Vulnerabilities to Findings to enable the computed state # assigning Vulnerabilities to Findings to enable the computed state
...@@ -100,6 +100,7 @@ module Security ...@@ -100,6 +100,7 @@ module Security
finding.signatures = report_finding.signatures.map do |signature| finding.signatures = report_finding.signatures.map do |signature|
Vulnerabilities::FindingSignature.new(signature.to_hash) Vulnerabilities::FindingSignature.new(signature.to_hash)
end end
finding.finding_evidence = Vulnerabilities::Finding::Evidence.new(data: report_finding.evidence.data) if report_finding.evidence
if calculate_false_positive? if calculate_false_positive?
finding.vulnerability_flags = report_finding.flags.map do |flag| finding.vulnerability_flags = report_finding.flags.map do |flag|
......
...@@ -293,6 +293,8 @@ module Vulnerabilities ...@@ -293,6 +293,8 @@ module Vulnerabilities
def evidence def evidence
evidence_data = finding_evidence.present? && Feature.enabled?(:read_from_vulnerability_finding_evidence) ? finding_evidence.data : metadata.dig('evidence') evidence_data = finding_evidence.present? && Feature.enabled?(:read_from_vulnerability_finding_evidence) ? finding_evidence.data : metadata.dig('evidence')
return if evidence_data.nil?
{ {
summary: evidence_data&.dig('summary'), summary: evidence_data&.dig('summary'),
request: build_evidence_request(evidence_data&.dig('request')), request: build_evidence_request(evidence_data&.dig('request')),
......
...@@ -40,11 +40,11 @@ class Vulnerabilities::FindingEntity < Grape::Entity ...@@ -40,11 +40,11 @@ class Vulnerabilities::FindingEntity < Grape::Entity
expose :location expose :location
expose :remediations expose :remediations
expose :solution expose :solution
expose(:evidence) { |model, _| model.evidence[:summary] } expose(:evidence) { |model, _| model.evidence&.dig(:summary) }
expose(:request, using: Vulnerabilities::RequestEntity) { |model, _| model.evidence[:request] } expose(:request, using: Vulnerabilities::RequestEntity) { |model, _| model.evidence&.dig(:request) }
expose(:response, using: Vulnerabilities::ResponseEntity) { |model, _| model.evidence[:response] } expose(:response, using: Vulnerabilities::ResponseEntity) { |model, _| model.evidence&.dig(:response) }
expose(:evidence_source) { |model, _| model.evidence[:source] } expose(:evidence_source) { |model, _| model.evidence&.dig(:source) }
expose(:supporting_messages) { |model, _| model.evidence[:supporting_messages]} expose(:supporting_messages) { |model, _| model.evidence&.dig(:supporting_messages)}
expose(:assets) { |model, _| model.assets } expose(:assets) { |model, _| model.assets }
end end
......
...@@ -17,6 +17,7 @@ module Security ...@@ -17,6 +17,7 @@ module Security
delegate :scan, to: :security_finding, private: true delegate :scan, to: :security_finding, private: true
delegate :project, to: :scan, private: true delegate :project, to: :scan, private: true
delegate :project_fingerprint, to: :report_finding, private: true delegate :project_fingerprint, to: :report_finding, private: true
delegate :evidence, to: :report_finding
def initialize(security_finding, report_finding) def initialize(security_finding, report_finding)
@security_finding = security_finding @security_finding = security_finding
......
...@@ -16,6 +16,7 @@ module Security ...@@ -16,6 +16,7 @@ module Security
IngestFindingIdentifiers IngestFindingIdentifiers
IngestFindingLinks IngestFindingLinks
IngestFindingSignatures IngestFindingSignatures
IngestFindingEvidence
IngestVulnerabilityFlags IngestVulnerabilityFlags
IngestIssueLinks IngestIssueLinks
IngestVulnerabilityStatistics IngestVulnerabilityStatistics
......
# frozen_string_literal: true
module Security
module Ingestion
module Tasks
# Creates new `Vulnerabilities::Finding::Evidence` records.
class IngestFindingEvidence < AbstractTask
include BulkInsertableTask
self.model = Vulnerabilities::Finding::Evidence
self.unique_by = :vulnerability_occurrence_id
private
def attributes
finding_maps.select(&:evidence).map do |finding_map|
{
vulnerability_occurrence_id: finding_map.finding_id,
data: finding_map.evidence.data
}
end
end
end
end
end
end
...@@ -522,6 +522,16 @@ RSpec.describe Security::PipelineVulnerabilitiesFinder do ...@@ -522,6 +522,16 @@ RSpec.describe Security::PipelineVulnerabilitiesFinder do
end end
end end
context 'when evidence is not provided in the report findings' do
let!(:artifact_sast) { create(:ee_ci_job_artifact, :sast, job: build_sast, project: project) }
it 'does not set the evidences for findings' do
evidences = subject.findings.select(&:sast?).map(&:evidence)
expect(evidences.compact).to be_empty
end
end
def read_fixture(fixture) def read_fixture(fixture)
Gitlab::Json.parse(File.read(fixture.file.path)) Gitlab::Json.parse(File.read(fixture.file.path))
end end
......
...@@ -162,7 +162,7 @@ ...@@ -162,7 +162,7 @@
"reason_phrase": "OK", "reason_phrase": "OK",
"status_code": 200 "status_code": 200
}, },
"summary": "" "summary": "Evidence summary"
}, },
"id": "47308329-7297-4f8f-b98e-1cc33f26fad4", "id": "47308329-7297-4f8f-b98e-1cc33f26fad4",
"identifiers": [ "identifiers": [
...@@ -186,9 +186,9 @@ ...@@ -186,9 +186,9 @@
], ],
"location": { "location": {
"hostname": "http://pancakes", "hostname": "http://pancakes",
"method": "", "method": "GET",
"param": "", "param": "",
"path": "" "path": "/WebGoat/plugins/bootstrap/css/pancakes.css"
}, },
"message": "Content Security Policy (CSP) Header Not Set", "message": "Content Security Policy (CSP) Header Not Set",
"scanner": { "scanner": {
......
...@@ -14,17 +14,20 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Dast do ...@@ -14,17 +14,20 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Dast do
where(:report_format, where(:report_format,
:occurrence_count, :occurrence_count,
:identifier_count, :identifier_count,
:evidence_count,
:scanner_count, :scanner_count,
:scanned_resources_count, :scanned_resources_count,
:last_occurrence_hostname, :last_occurrence_hostname,
:last_occurrence_method_name, :last_occurrence_method_name,
:last_occurrence_path, :last_occurrence_path,
:last_occurrence_severity, :last_occurrence_severity,
:last_occurrence_confidence) do :last_occurrence_confidence,
:dast | 24 | 15 | 1 | 6 | 'http://goat:8080' | 'GET' | '/WebGoat/plugins/bootstrap/css/bootstrap.min.css' | 'info' | 'low' :last_occurrence_evidence_summary) do
:dast_multiple_sites | 25 | 15 | 1 | 0 | 'http://goat:8080' | 'GET' | '/WebGoat/plugins/bootstrap/css/bootstrap.min.css' | 'info' | 'low' :dast | 24 | 15 | 1 | 1 | 6 | 'http://goat:8080' | 'GET' | '/WebGoat/plugins/bootstrap/css/bootstrap.min.css' | 'info' | 'low' | nil
:dast_deprecated_no_spider | 2 | 3 | 1 | 0 | 'http://bikebilly-spring-auto-devops-review-feature-br-3y2gpb.35.192.176.43.xip.io' | 'GET' | '/' | 'low' | 'medium' :dast_multiple_sites | 25 | 15 | 1 | 1 | 0 | 'http://goat:8080' | 'GET' | '/WebGoat/plugins/bootstrap/css/bootstrap.min.css' | 'info' | 'low' | nil
:dast_deprecated_no_common_fields | 24 | 15 | 1 | 0 | 'http://goat:8080' | 'GET' | '/WebGoat/plugins/bootstrap/css/bootstrap.min.css' | 'info' | 'low' :dast_deprecated_no_spider | 2 | 3 | 1 | 1 | 0 | 'http://bikebilly-spring-auto-devops-review-feature-br-3y2gpb.35.192.176.43.xip.io' | 'GET' | '/' | 'low' | 'medium' | nil
:dast_deprecated_no_common_fields | 24 | 15 | 1 | 1 | 0 | 'http://goat:8080' | 'GET' | '/WebGoat/plugins/bootstrap/css/bootstrap.min.css' | 'info' | 'low' | nil
:dast_14_0_2 | 1 | 2 | 1 | 1 | 3 | 'http://pancakes' | 'GET' | '/WebGoat/plugins/bootstrap/css/pancakes.css' | 'medium' | 'high' | "Evidence summary"
end end
with_them do with_them do
...@@ -51,6 +54,11 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Dast do ...@@ -51,6 +54,11 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Dast do
) )
end end
it 'generates expected evidence' do
evidence = report.findings.last.evidence
expect(evidence&.data&.dig('summary')).to eq(last_occurrence_evidence_summary)
end
describe 'occurrence properties' do describe 'occurrence properties' do
where(:attribute, :value) do where(:attribute, :value) do
:report_type | 'dast' :report_type | 'dast'
......
...@@ -13,6 +13,7 @@ RSpec.describe Gitlab::Ci::Reports::Security::Finding do ...@@ -13,6 +13,7 @@ RSpec.describe Gitlab::Ci::Reports::Security::Finding do
let_it_be(:link) { build(:ci_reports_security_link) } let_it_be(:link) { build(:ci_reports_security_link) }
let_it_be(:scanner) { build(:ci_reports_security_scanner) } let_it_be(:scanner) { build(:ci_reports_security_scanner) }
let_it_be(:location) { build(:ci_reports_security_locations_sast) } let_it_be(:location) { build(:ci_reports_security_locations_sast) }
let_it_be(:evidence) { build(:ci_reports_security_evidence)}
let_it_be(:remediation) { build(:ci_reports_security_remediation) } let_it_be(:remediation) { build(:ci_reports_security_remediation) }
let(:flag_1) { build(:ci_reports_security_flag) } let(:flag_1) { build(:ci_reports_security_flag) }
...@@ -27,6 +28,7 @@ RSpec.describe Gitlab::Ci::Reports::Security::Finding do ...@@ -27,6 +28,7 @@ RSpec.describe Gitlab::Ci::Reports::Security::Finding do
flags: [flag_1, flag_2], flags: [flag_1, flag_2],
remediations: [remediation], remediations: [remediation],
location: location, location: location,
evidence: evidence,
metadata_version: 'sast:1.0', metadata_version: 'sast:1.0',
name: 'Cipher with no integrity', name: 'Cipher with no integrity',
original_data: {}, original_data: {},
...@@ -69,6 +71,7 @@ RSpec.describe Gitlab::Ci::Reports::Security::Finding do ...@@ -69,6 +71,7 @@ RSpec.describe Gitlab::Ci::Reports::Security::Finding do
flags: [flag_1, flag_2], flags: [flag_1, flag_2],
remediations: [remediation], remediations: [remediation],
location: location, location: location,
evidence: evidence,
metadata_version: 'sast:1.0', metadata_version: 'sast:1.0',
name: 'Cipher with no integrity', name: 'Cipher with no integrity',
raw_metadata: '{}', raw_metadata: '{}',
...@@ -135,6 +138,7 @@ RSpec.describe Gitlab::Ci::Reports::Security::Finding do ...@@ -135,6 +138,7 @@ RSpec.describe Gitlab::Ci::Reports::Security::Finding do
links: occurrence.links, links: occurrence.links,
flags: occurrence.flags, flags: occurrence.flags,
location: occurrence.location, location: occurrence.location,
evidence: occurrence.evidence,
metadata_version: occurrence.metadata_version, metadata_version: occurrence.metadata_version,
name: occurrence.name, name: occurrence.name,
project_fingerprint: occurrence.project_fingerprint, project_fingerprint: occurrence.project_fingerprint,
......
...@@ -885,14 +885,7 @@ RSpec.describe Vulnerabilities::Finding do ...@@ -885,14 +885,7 @@ RSpec.describe Vulnerabilities::Finding do
context 'has no evidence summary when evidence is present, summary is not' do context 'has no evidence summary when evidence is present, summary is not' do
let(:finding) { create(:vulnerabilities_finding, raw_metadata: { evidence: {} }) } let(:finding) { create(:vulnerabilities_finding, raw_metadata: { evidence: {} }) }
it do it { is_expected.to be_nil }
is_expected.to match a_hash_including(
summary: nil,
source: nil,
supporting_messages: [],
request: nil,
response: nil)
end
end end
end end
......
...@@ -29,6 +29,7 @@ RSpec.describe Security::Ingestion::IngestReportSliceService do ...@@ -29,6 +29,7 @@ RSpec.describe Security::Ingestion::IngestReportSliceService do
expect(Security::Ingestion::Tasks::IngestFindingIdentifiers).to have_received(:execute).ordered.with(pipeline, finding_maps) expect(Security::Ingestion::Tasks::IngestFindingIdentifiers).to have_received(:execute).ordered.with(pipeline, finding_maps)
expect(Security::Ingestion::Tasks::IngestFindingLinks).to have_received(:execute).ordered.with(pipeline, finding_maps) expect(Security::Ingestion::Tasks::IngestFindingLinks).to have_received(:execute).ordered.with(pipeline, finding_maps)
expect(Security::Ingestion::Tasks::IngestFindingSignatures).to have_received(:execute).ordered.with(pipeline, finding_maps) expect(Security::Ingestion::Tasks::IngestFindingSignatures).to have_received(:execute).ordered.with(pipeline, finding_maps)
expect(Security::Ingestion::Tasks::IngestFindingEvidence).to have_received(:execute).ordered.with(pipeline, finding_maps)
expect(Security::Ingestion::Tasks::IngestVulnerabilityFlags).to have_received(:execute).ordered.with(pipeline, finding_maps) expect(Security::Ingestion::Tasks::IngestVulnerabilityFlags).to have_received(:execute).ordered.with(pipeline, finding_maps)
expect(Security::Ingestion::Tasks::IngestIssueLinks).to have_received(:execute).ordered.with(pipeline, finding_maps) expect(Security::Ingestion::Tasks::IngestIssueLinks).to have_received(:execute).ordered.with(pipeline, finding_maps)
expect(Security::Ingestion::Tasks::IngestVulnerabilityStatistics).to have_received(:execute).ordered.with(pipeline, finding_maps) expect(Security::Ingestion::Tasks::IngestVulnerabilityStatistics).to have_received(:execute).ordered.with(pipeline, finding_maps)
......
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe Security::Ingestion::Tasks::IngestFindingEvidence do
describe '#execute' do
let(:pipeline) { create(:ci_pipeline) }
let(:finding_evidence) { create(:ci_reports_security_evidence) }
let(:finding_1) { create(:vulnerabilities_finding) }
let(:finding_2) { create(:vulnerabilities_finding) }
let(:report_finding_1) { create(:ci_reports_security_finding, evidence: finding_evidence) }
let(:report_finding_2) { create(:ci_reports_security_finding, evidence: finding_evidence) }
let(:finding_map_1) { create(:finding_map, finding: finding_1, report_finding: report_finding_1) }
let(:finding_map_2) { create(:finding_map, finding: finding_2, report_finding: report_finding_2) }
let(:service_object) { described_class.new(pipeline, [finding_map_1, finding_map_2]) }
subject(:ingest_finding_evidence) { service_object.execute }
it 'creates finding evidence for the new records' do
expect { ingest_finding_evidence }.to change { Vulnerabilities::Finding::Evidence.count }.by(2)
end
end
end
...@@ -99,6 +99,7 @@ module Gitlab ...@@ -99,6 +99,7 @@ module Gitlab
flags = create_flags(data['flags']) flags = create_flags(data['flags'])
links = create_links(data['links']) links = create_links(data['links'])
location = create_location(data['location'] || {}) location = create_location(data['location'] || {})
evidence = create_evidence(data['evidence'])
signatures = create_signatures(tracking_data(data)) signatures = create_signatures(tracking_data(data))
if @vulnerability_finding_signatures_enabled && !signatures.empty? if @vulnerability_finding_signatures_enabled && !signatures.empty?
...@@ -117,6 +118,7 @@ module Gitlab ...@@ -117,6 +118,7 @@ module Gitlab
name: finding_name(data, identifiers, location), name: finding_name(data, identifiers, location),
compare_key: data['cve'] || '', compare_key: data['cve'] || '',
location: location, location: location,
evidence: evidence,
severity: parse_severity_level(data['severity']), severity: parse_severity_level(data['severity']),
confidence: parse_confidence_level(data['confidence']), confidence: parse_confidence_level(data['confidence']),
scanner: create_scanner(data['scanner']), scanner: create_scanner(data['scanner']),
...@@ -253,6 +255,12 @@ module Gitlab ...@@ -253,6 +255,12 @@ module Gitlab
raise NotImplementedError raise NotImplementedError
end end
def create_evidence(evidence_data)
return unless evidence_data.is_a?(Hash)
::Gitlab::Ci::Reports::Security::Evidence.new(data: evidence_data)
end
def finding_name(data, identifiers, location) def finding_name(data, identifiers, location)
return data['message'] if data['message'].present? return data['message'] if data['message'].present?
return data['name'] if data['name'].present? return data['name'] if data['name'].present?
......
# frozen_string_literal: true
module Gitlab
module Ci
module Reports
module Security
class Evidence
attr_reader :data
def initialize(data:)
@data = data
end
end
end
end
end
end
...@@ -13,6 +13,7 @@ module Gitlab ...@@ -13,6 +13,7 @@ module Gitlab
attr_reader :flags attr_reader :flags
attr_reader :links attr_reader :links
attr_reader :location attr_reader :location
attr_reader :evidence
attr_reader :metadata_version attr_reader :metadata_version
attr_reader :name attr_reader :name
attr_reader :old_location attr_reader :old_location
...@@ -33,13 +34,14 @@ module Gitlab ...@@ -33,13 +34,14 @@ module Gitlab
alias_method :cve, :compare_key alias_method :cve, :compare_key
def initialize(compare_key:, identifiers:, flags: [], links: [], remediations: [], location:, metadata_version:, name:, original_data:, report_type:, scanner:, scan:, uuid:, confidence: nil, severity: nil, details: {}, signatures: [], project_id: nil, vulnerability_finding_signatures_enabled: false) # rubocop:disable Metrics/ParameterLists def initialize(compare_key:, identifiers:, flags: [], links: [], remediations: [], location:, evidence:, metadata_version:, name:, original_data:, report_type:, scanner:, scan:, uuid:, confidence: nil, severity: nil, details: {}, signatures: [], project_id: nil, vulnerability_finding_signatures_enabled: false) # rubocop:disable Metrics/ParameterLists
@compare_key = compare_key @compare_key = compare_key
@confidence = confidence @confidence = confidence
@identifiers = identifiers @identifiers = identifiers
@flags = flags @flags = flags
@links = links @links = links
@location = location @location = location
@evidence = evidence
@metadata_version = metadata_version @metadata_version = metadata_version
@name = name @name = name
@original_data = original_data @original_data = original_data
...@@ -65,6 +67,7 @@ module Gitlab ...@@ -65,6 +67,7 @@ module Gitlab
flags flags
links links
location location
evidence
metadata_version metadata_version
name name
project_fingerprint project_fingerprint
......
# frozen_string_literal: true
FactoryBot.define do
factory :ci_reports_security_evidence, class: '::Gitlab::Ci::Reports::Security::Evidence' do
data do
{
summary: 'Credit card detected',
request: {
headers: [{ name: 'Accept', value: '*/*' }],
method: 'GET',
url: 'http://goat:8080/WebGoat/logout',
body: nil
},
response: {
headers: [{ name: 'Content-Length', value: '0' }],
reason_phrase: 'OK',
status_code: 200,
body: nil
},
source: {
id: 'assert:Response Body Analysis',
name: 'Response Body Analysis',
url: 'htpp://hostname/documentation'
},
supporting_messages: [
{
name: 'Origional',
request: {
headers: [{ name: 'Accept', value: '*/*' }],
method: 'GET',
url: 'http://goat:8080/WebGoat/logout',
body: ''
}
},
{
name: 'Recorded',
request: {
headers: [{ name: 'Accept', value: '*/*' }],
method: 'GET',
url: 'http://goat:8080/WebGoat/logout',
body: ''
},
response: {
headers: [{ name: 'Content-Length', value: '0' }],
reason_phrase: 'OK',
status_code: 200,
body: ''
}
}
]
}
end
skip_create
initialize_with do
::Gitlab::Ci::Reports::Security::Evidence.new(**attributes)
end
end
end
...@@ -6,6 +6,7 @@ FactoryBot.define do ...@@ -6,6 +6,7 @@ FactoryBot.define do
confidence { :medium } confidence { :medium }
identifiers { Array.new(1) { association(:ci_reports_security_identifier) } } identifiers { Array.new(1) { association(:ci_reports_security_identifier) } }
location factory: :ci_reports_security_locations_sast location factory: :ci_reports_security_locations_sast
evidence factory: :ci_reports_security_evidence
metadata_version { 'sast:1.0' } metadata_version { 'sast:1.0' }
name { 'Cipher with no integrity' } name { 'Cipher with no integrity' }
report_type { :sast } report_type { :sast }
...@@ -25,7 +26,53 @@ FactoryBot.define do ...@@ -25,7 +26,53 @@ FactoryBot.define do
name: "Cipher does not check for integrity first?", name: "Cipher does not check for integrity first?",
url: "https://crypto.stackexchange.com/questions/31428/pbewithmd5anddes-cipher-does-not-check-for-integrity-first" url: "https://crypto.stackexchange.com/questions/31428/pbewithmd5anddes-cipher-does-not-check-for-integrity-first"
} }
] ],
evidence: {
summary: 'Credit card detected',
request: {
headers: [{ name: 'Accept', value: '*/*' }],
method: 'GET',
url: 'http://goat:8080/WebGoat/logout',
body: nil
},
response: {
headers: [{ name: 'Content-Length', value: '0' }],
reason_phrase: 'OK',
status_code: 200,
body: nil
},
source: {
id: 'assert:Response Body Analysis',
name: 'Response Body Analysis',
url: 'htpp://hostname/documentation'
},
supporting_messages: [
{
name: 'Origional',
request: {
headers: [{ name: 'Accept', value: '*/*' }],
method: 'GET',
url: 'http://goat:8080/WebGoat/logout',
body: ''
}
},
{
name: 'Recorded',
request: {
headers: [{ name: 'Accept', value: '*/*' }],
method: 'GET',
url: 'http://goat:8080/WebGoat/logout',
body: ''
},
response: {
headers: [{ name: 'Content-Length', value: '0' }],
reason_phrase: 'OK',
status_code: 200,
body: ''
}
}
]
}
}.deep_stringify_keys }.deep_stringify_keys
end end
scanner factory: :ci_reports_security_scanner scanner factory: :ci_reports_security_scanner
......
...@@ -12,6 +12,76 @@ ...@@ -12,6 +12,76 @@
"id": "gemnasium", "id": "gemnasium",
"name": "Gemnasium" "name": "Gemnasium"
}, },
"evidence": {
"source": {
"id": "assert:CORS - Bad 'Origin' value",
"name": "CORS - Bad 'Origin' value"
},
"summary": "The Origin header was changed to an invalid value of http://peachapisecurity.com and the response contained an Access-Control-Allow-Origin header which included this invalid Origin, indicating that the CORS configuration on the server is overly permissive.\n\n\n",
"request": {
"headers": [
{
"name": "Host",
"value": "127.0.0.1:7777"
}
],
"method": "GET",
"url": "http://127.0.0.1:7777/api/users",
"body": ""
},
"response": {
"headers": [
{
"name": "Server",
"value": "TwistedWeb/20.3.0"
}
],
"reason_phrase": "OK",
"status_code": 200,
"body": "[{\"user_id\":1,\"user\":\"admin\",\"first\":\"Joe\",\"last\":\"Smith\",\"password\":\"Password!\"}]"
},
"supporting_messages": [
{
"name": "Origional",
"request": {
"headers": [
{
"name": "Host",
"value": "127.0.0.1:7777"
}
],
"method": "GET",
"url": "http://127.0.0.1:7777/api/users",
"body": ""
}
},
{
"name": "Recorded",
"request": {
"headers": [
{
"name": "Host",
"value": "127.0.0.1:7777"
}
],
"method": "GET",
"url": "http://127.0.0.1:7777/api/users",
"body": ""
},
"response": {
"headers": [
{
"name": "Server",
"value": "TwistedWeb/20.3.0"
}
],
"reason_phrase": "OK",
"status_code": 200,
"body": "[{\"user_id\":1,\"user\":\"admin\",\"first\":\"Joe\",\"last\":\"Smith\",\"password\":\"Password!\"}]"
}
}
]
},
"location": {}, "location": {},
"identifiers": [ "identifiers": [
{ {
...@@ -57,6 +127,76 @@ ...@@ -57,6 +127,76 @@
"id": "gemnasium", "id": "gemnasium",
"name": "Gemnasium" "name": "Gemnasium"
}, },
"evidence": {
"source": {
"id": "assert:CORS - Bad 'Origin' value",
"name": "CORS - Bad 'Origin' value"
},
"summary": "The Origin header was changed to an invalid value of http://peachapisecurity.com and the response contained an Access-Control-Allow-Origin header which included this invalid Origin, indicating that the CORS configuration on the server is overly permissive.\n\n\n",
"request": {
"headers": [
{
"name": "Host",
"value": "127.0.0.1:7777"
}
],
"method": "GET",
"url": "http://127.0.0.1:7777/api/users",
"body": ""
},
"response": {
"headers": [
{
"name": "Server",
"value": "TwistedWeb/20.3.0"
}
],
"reason_phrase": "OK",
"status_code": 200,
"body": "[{\"user_id\":1,\"user\":\"admin\",\"first\":\"Joe\",\"last\":\"Smith\",\"password\":\"Password!\"}]"
},
"supporting_messages": [
{
"name": "Origional",
"request": {
"headers": [
{
"name": "Host",
"value": "127.0.0.1:7777"
}
],
"method": "GET",
"url": "http://127.0.0.1:7777/api/users",
"body": ""
}
},
{
"name": "Recorded",
"request": {
"headers": [
{
"name": "Host",
"value": "127.0.0.1:7777"
}
],
"method": "GET",
"url": "http://127.0.0.1:7777/api/users",
"body": ""
},
"response": {
"headers": [
{
"name": "Server",
"value": "TwistedWeb/20.3.0"
}
],
"reason_phrase": "OK",
"status_code": 200,
"body": "[{\"user_id\":1,\"user\":\"admin\",\"first\":\"Joe\",\"last\":\"Smith\",\"password\":\"Password!\"}]"
}
}
]
},
"location": {}, "location": {},
"identifiers": [ "identifiers": [
{ {
......
...@@ -342,6 +342,18 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Common do ...@@ -342,6 +342,18 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Common do
end end
end end
describe 'parsing evidence' do
it 'returns evidence object for each finding', :aggregate_failures do
evidences = report.findings.map(&:evidence)
expect(evidences.first.data).not_to be_empty
expect(evidences.first.data["summary"]).to match(/The Origin header was changed/)
expect(evidences.size).to eq(3)
expect(evidences.compact.size).to eq(2)
expect(evidences.first).to be_a(::Gitlab::Ci::Reports::Security::Evidence)
end
end
describe 'setting the uuid' do describe 'setting the uuid' do
let(:finding_uuids) { report.findings.map(&:uuid) } let(:finding_uuids) { report.findings.map(&:uuid) }
let(:uuid_1) do let(:uuid_1) do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment