Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
b24538af
Commit
b24538af
authored
Aug 18, 2020
by
Jonathan Schafer
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Add check for identifiers when creating finding
Added tests and test file
parent
8393f464
Changes
5
Show whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
725 additions
and
1 deletion
+725
-1
ee/app/services/security/store_report_service.rb
ee/app/services/security/store_report_service.rb
+1
-1
ee/changelogs/unreleased/235164-sidekiq-storesecurityreportsworker-nomethoderror-undefined-meth.yml
...oresecurityreportsworker-nomethoderror-undefined-meth.yml
+5
-0
ee/spec/factories/ci/job_artifacts.rb
ee/spec/factories/ci/job_artifacts.rb
+10
-0
ee/spec/fixtures/security_reports/master/gl-sast-missing-identifiers.json
.../security_reports/master/gl-sast-missing-identifiers.json
+686
-0
ee/spec/services/security/store_report_service_spec.rb
ee/spec/services/security/store_report_service_spec.rb
+23
-0
No files found.
ee/app/services/security/store_report_service.rb
View file @
b24538af
...
@@ -42,7 +42,7 @@ module Security
...
@@ -42,7 +42,7 @@ module Security
end
end
def
create_vulnerability_finding
(
finding
)
def
create_vulnerability_finding
(
finding
)
return
if
finding
.
scanner
.
blank?
return
if
finding
.
scanner
.
blank?
||
finding
.
primary_identifier
.
blank?
vulnerability_params
=
finding
.
to_hash
.
except
(
:compare_key
,
:identifiers
,
:location
,
:scanner
)
vulnerability_params
=
finding
.
to_hash
.
except
(
:compare_key
,
:identifiers
,
:location
,
:scanner
)
vulnerability_finding
=
create_or_find_vulnerability_finding
(
finding
,
vulnerability_params
)
vulnerability_finding
=
create_or_find_vulnerability_finding
(
finding
,
vulnerability_params
)
...
...
ee/changelogs/unreleased/235164-sidekiq-storesecurityreportsworker-nomethoderror-undefined-meth.yml
0 → 100644
View file @
b24538af
---
title
:
Add identifier check when creating vulnerability findings
merge_request
:
39650
author
:
type
:
fixed
ee/spec/factories/ci/job_artifacts.rb
View file @
b24538af
...
@@ -179,6 +179,16 @@ FactoryBot.define do
...
@@ -179,6 +179,16 @@ FactoryBot.define do
end
end
end
end
trait
:sast_with_missing_identifiers
do
file_type
{
:sast
}
file_format
{
:raw
}
after
(
:build
)
do
|
artifact
,
_
|
artifact
.
file
=
fixture_file_upload
(
Rails
.
root
.
join
(
'ee/spec/fixtures/security_reports/master/gl-sast-missing-identifiers.json'
),
'application/json'
)
end
end
trait
:license_management
do
trait
:license_management
do
to_create
{
|
instance
|
instance
.
save!
(
validate:
false
)
}
to_create
{
|
instance
|
instance
.
save!
(
validate:
false
)
}
...
...
ee/spec/fixtures/security_reports/master/gl-sast-missing-identifiers.json
0 → 100644
View file @
b24538af
{
"version"
:
"1.2"
,
"vulnerabilities"
:
[
{
"category"
:
"sast"
,
"message"
:
"Probable insecure usage of temp file/directory."
,
"cve"
:
"python/hardcoded/hardcoded-tmp.py:52865813c884a507be1f152d654245af34aba8a391626d01f1ab6d3f52ec8779:B108"
,
"severity"
:
"Medium"
,
"confidence"
:
"Medium"
,
"scanner"
:
{
"id"
:
"bandit"
,
"name"
:
"Bandit"
},
"location"
:
{
"file"
:
"python/hardcoded/hardcoded-tmp.py"
,
"start_line"
:
1
,
"end_line"
:
1
},
"priority"
:
"Medium"
,
"file"
:
"python/hardcoded/hardcoded-tmp.py"
,
"line"
:
1
,
"url"
:
"https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
,
"tool"
:
"bandit"
},
{
"category"
:
"sast"
,
"name"
:
"Predictable pseudorandom number generator"
,
"message"
:
"Predictable pseudorandom number generator"
,
"cve"
:
"groovy/src/main/java/com/gitlab/security_products/tests/App.groovy:47:PREDICTABLE_RANDOM"
,
"severity"
:
"Medium"
,
"confidence"
:
"Medium"
,
"scanner"
:
{
"id"
:
"find_sec_bugs"
,
"name"
:
"Find Security Bugs"
},
"location"
:
{
"file"
:
"groovy/src/main/java/com/gitlab/security_products/tests/App.groovy"
,
"start_line"
:
47
,
"end_line"
:
47
,
"class"
:
"com.gitlab.security_products.tests.App"
,
"method"
:
"generateSecretToken2"
},
"priority"
:
"Medium"
,
"file"
:
"groovy/src/main/java/com/gitlab/security_products/tests/App.groovy"
,
"line"
:
47
,
"url"
:
"https://find-sec-bugs.github.io/bugs.htm#PREDICTABLE_RANDOM"
,
"tool"
:
"find_sec_bugs"
},
{
"category"
:
"sast"
,
"name"
:
"Predictable pseudorandom number generator"
,
"message"
:
"Predictable pseudorandom number generator"
,
"cve"
:
"groovy/src/main/java/com/gitlab/security_products/tests/App.groovy:41:PREDICTABLE_RANDOM"
,
"severity"
:
"Medium"
,
"confidence"
:
"Medium"
,
"scanner"
:
{
"id"
:
"find_sec_bugs"
,
"name"
:
"Find Security Bugs"
},
"location"
:
{
"file"
:
"groovy/src/main/java/com/gitlab/security_products/tests/App.groovy"
,
"start_line"
:
41
,
"end_line"
:
41
,
"class"
:
"com.gitlab.security_products.tests.App"
,
"method"
:
"generateSecretToken1"
},
"priority"
:
"Medium"
,
"file"
:
"groovy/src/main/java/com/gitlab/security_products/tests/App.groovy"
,
"line"
:
41
,
"url"
:
"https://find-sec-bugs.github.io/bugs.htm#PREDICTABLE_RANDOM"
,
"tool"
:
"find_sec_bugs"
},
{
"category"
:
"sast"
,
"message"
:
"Use of insecure MD2, MD4, or MD5 hash function."
,
"cve"
:
"python/imports/imports-aliases.py:cb203b465dffb0cb3a8e8bd8910b84b93b0a5995a938e4b903dbb0cd6ffa1254:B303"
,
"severity"
:
"Medium"
,
"confidence"
:
"High"
,
"scanner"
:
{
"id"
:
"bandit"
,
"name"
:
"Bandit"
},
"location"
:
{
"file"
:
"python/imports/imports-aliases.py"
,
"start_line"
:
11
,
"end_line"
:
11
},
"priority"
:
"Medium"
,
"file"
:
"python/imports/imports-aliases.py"
,
"line"
:
11
,
"tool"
:
"bandit"
},
{
"category"
:
"sast"
,
"message"
:
"Use of insecure MD2, MD4, or MD5 hash function."
,
"cve"
:
"python/imports/imports-aliases.py:a7173c43ae66bd07466632d819d450e0071e02dbf782763640d1092981f9631b:B303"
,
"severity"
:
"Medium"
,
"confidence"
:
"High"
,
"scanner"
:
{
"id"
:
"bandit"
,
"name"
:
"Bandit"
},
"location"
:
{
"file"
:
"python/imports/imports-aliases.py"
,
"start_line"
:
12
,
"end_line"
:
12
},
"priority"
:
"Medium"
,
"file"
:
"python/imports/imports-aliases.py"
,
"line"
:
12
,
"tool"
:
"bandit"
},
{
"category"
:
"sast"
,
"message"
:
"Use of insecure MD2, MD4, or MD5 hash function."
,
"cve"
:
"python/imports/imports-aliases.py:017017b77deb0b8369b6065947833eeea752a92ec8a700db590fece3e934cf0d:B303"
,
"severity"
:
"Medium"
,
"confidence"
:
"High"
,
"scanner"
:
{
"id"
:
"bandit"
,
"name"
:
"Bandit"
},
"location"
:
{
"file"
:
"python/imports/imports-aliases.py"
,
"start_line"
:
13
,
"end_line"
:
13
},
"priority"
:
"Medium"
,
"file"
:
"python/imports/imports-aliases.py"
,
"line"
:
13
,
"tool"
:
"bandit"
},
{
"category"
:
"sast"
,
"message"
:
"Use of insecure MD2, MD4, or MD5 hash function."
,
"cve"
:
"python/imports/imports-aliases.py:45fc8c53aea7b84f06bc4e590cc667678d6073c4c8a1d471177ca2146fb22db2:B303"
,
"severity"
:
"Medium"
,
"confidence"
:
"High"
,
"scanner"
:
{
"id"
:
"bandit"
,
"name"
:
"Bandit"
},
"location"
:
{
"file"
:
"python/imports/imports-aliases.py"
,
"start_line"
:
14
,
"end_line"
:
14
},
"priority"
:
"Medium"
,
"file"
:
"python/imports/imports-aliases.py"
,
"line"
:
14
,
"tool"
:
"bandit"
},
{
"category"
:
"sast"
,
"message"
:
"Pickle library appears to be in use, possible security issue."
,
"cve"
:
"python/imports/imports-aliases.py:5f200d47291e7bbd8352db23019b85453ca048dd98ea0c291260fa7d009963a4:B301"
,
"severity"
:
"Medium"
,
"confidence"
:
"High"
,
"scanner"
:
{
"id"
:
"bandit"
,
"name"
:
"Bandit"
},
"location"
:
{
"file"
:
"python/imports/imports-aliases.py"
,
"start_line"
:
15
,
"end_line"
:
15
},
"priority"
:
"Medium"
,
"file"
:
"python/imports/imports-aliases.py"
,
"line"
:
15
,
"tool"
:
"bandit"
},
{
"category"
:
"sast"
,
"name"
:
"ECB mode is insecure"
,
"message"
:
"ECB mode is insecure"
,
"cve"
:
"groovy/src/main/java/com/gitlab/security_products/tests/App.groovy:29:ECB_MODE"
,
"severity"
:
"Medium"
,
"confidence"
:
"High"
,
"scanner"
:
{
"id"
:
"find_sec_bugs"
,
"name"
:
"Find Security Bugs"
},
"location"
:
{
"file"
:
"groovy/src/main/java/com/gitlab/security_products/tests/App.groovy"
,
"start_line"
:
29
,
"end_line"
:
29
,
"class"
:
"com.gitlab.security_products.tests.App"
,
"method"
:
"insecureCypher"
},
"priority"
:
"Medium"
,
"file"
:
"groovy/src/main/java/com/gitlab/security_products/tests/App.groovy"
,
"line"
:
29
,
"url"
:
"https://find-sec-bugs.github.io/bugs.htm#ECB_MODE"
,
"tool"
:
"find_sec_bugs"
},
{
"category"
:
"sast"
,
"name"
:
"Cipher with no integrity"
,
"message"
:
"Cipher with no integrity"
,
"cve"
:
"groovy/src/main/java/com/gitlab/security_products/tests/App.groovy:29:CIPHER_INTEGRITY"
,
"severity"
:
"Medium"
,
"confidence"
:
"High"
,
"scanner"
:
{
"id"
:
"find_sec_bugs"
,
"name"
:
"Find Security Bugs"
},
"location"
:
{
"file"
:
"groovy/src/main/java/com/gitlab/security_products/tests/App.groovy"
,
"start_line"
:
29
,
"end_line"
:
29
,
"class"
:
"com.gitlab.security_products.tests.App"
,
"method"
:
"insecureCypher"
},
"priority"
:
"Medium"
,
"file"
:
"groovy/src/main/java/com/gitlab/security_products/tests/App.groovy"
,
"line"
:
29
,
"url"
:
"https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY"
,
"tool"
:
"find_sec_bugs"
},
{
"category"
:
"sast"
,
"message"
:
"Probable insecure usage of temp file/directory."
,
"cve"
:
"python/hardcoded/hardcoded-tmp.py:63dd4d626855555b816985d82c4614a790462a0a3ada89dc58eb97f9c50f3077:B108"
,
"severity"
:
"Medium"
,
"confidence"
:
"Medium"
,
"scanner"
:
{
"id"
:
"bandit"
,
"name"
:
"Bandit"
},
"location"
:
{
"file"
:
"python/hardcoded/hardcoded-tmp.py"
,
"start_line"
:
14
,
"end_line"
:
14
},
"priority"
:
"Medium"
,
"file"
:
"python/hardcoded/hardcoded-tmp.py"
,
"line"
:
14
,
"url"
:
"https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
,
"tool"
:
"bandit"
},
{
"category"
:
"sast"
,
"message"
:
"Probable insecure usage of temp file/directory."
,
"cve"
:
"python/hardcoded/hardcoded-tmp.py:4ad6d4c40a8c263fc265f3384724014e0a4f8dd6200af83e51ff120420038031:B108"
,
"severity"
:
"Medium"
,
"confidence"
:
"Medium"
,
"scanner"
:
{
"id"
:
"bandit"
,
"name"
:
"Bandit"
},
"location"
:
{
"file"
:
"python/hardcoded/hardcoded-tmp.py"
,
"start_line"
:
10
,
"end_line"
:
10
},
"priority"
:
"Medium"
,
"file"
:
"python/hardcoded/hardcoded-tmp.py"
,
"line"
:
10
,
"url"
:
"https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
,
"tool"
:
"bandit"
},
{
"category"
:
"sast"
,
"message"
:
"Consider possible security implications associated with Popen module."
,
"cve"
:
"python/imports/imports-aliases.py:2c3e1fa1e54c3c6646e8bcfaee2518153c6799b77587ff8d9a7b0631f6d34785:B404"
,
"severity"
:
"Low"
,
"confidence"
:
"High"
,
"scanner"
:
{
"id"
:
"bandit"
,
"name"
:
"Bandit"
},
"location"
:
{
"file"
:
"python/imports/imports-aliases.py"
,
"start_line"
:
1
,
"end_line"
:
1
},
"priority"
:
"Low"
,
"file"
:
"python/imports/imports-aliases.py"
,
"line"
:
1
,
"tool"
:
"bandit"
},
{
"category"
:
"sast"
,
"message"
:
"Consider possible security implications associated with pickle module."
,
"cve"
:
"python/imports/imports.py:af58d07f6ad519ef5287fcae65bf1a6999448a1a3a8bc1ac2a11daa80d0b96bf:B403"
,
"severity"
:
"Low"
,
"confidence"
:
"High"
,
"scanner"
:
{
"id"
:
"bandit"
,
"name"
:
"Bandit"
},
"location"
:
{
"file"
:
"python/imports/imports.py"
,
"start_line"
:
2
,
"end_line"
:
2
},
"priority"
:
"Low"
,
"file"
:
"python/imports/imports.py"
,
"line"
:
2
,
"tool"
:
"bandit"
},
{
"category"
:
"sast"
,
"message"
:
"Consider possible security implications associated with subprocess module."
,
"cve"
:
"python/imports/imports.py:8de9bc98029d212db530785a5f6780cfa663548746ff228ab8fa96c5bb82f089:B404"
,
"severity"
:
"Low"
,
"confidence"
:
"High"
,
"scanner"
:
{
"id"
:
"bandit"
,
"name"
:
"Bandit"
},
"location"
:
{
"file"
:
"python/imports/imports.py"
,
"start_line"
:
4
,
"end_line"
:
4
},
"priority"
:
"Low"
,
"file"
:
"python/imports/imports.py"
,
"line"
:
4
,
"tool"
:
"bandit"
},
{
"category"
:
"sast"
,
"message"
:
"Possible hardcoded password: 'blerg'"
,
"cve"
:
"python/hardcoded/hardcoded-passwords.py:97c30f1d76d2a88913e3ce9ae74087874d740f87de8af697a9c455f01119f633:B106"
,
"severity"
:
"Low"
,
"confidence"
:
"Medium"
,
"scanner"
:
{
"id"
:
"bandit"
,
"name"
:
"Bandit"
},
"location"
:
{
"file"
:
"python/hardcoded/hardcoded-passwords.py"
,
"start_line"
:
22
,
"end_line"
:
22
},
"priority"
:
"Low"
,
"file"
:
"python/hardcoded/hardcoded-passwords.py"
,
"line"
:
22
,
"url"
:
"https://docs.openstack.org/bandit/latest/plugins/b106_hardcoded_password_funcarg.html"
,
"tool"
:
"bandit"
},
{
"category"
:
"sast"
,
"message"
:
"Possible hardcoded password: 'root'"
,
"cve"
:
"python/hardcoded/hardcoded-passwords.py:7431c73a0bc16d94ece2a2e75ef38f302574d42c37ac0c3c38ad0b3bf8a59f10:B105"
,
"severity"
:
"Low"
,
"confidence"
:
"Medium"
,
"scanner"
:
{
"id"
:
"bandit"
,
"name"
:
"Bandit"
},
"location"
:
{
"file"
:
"python/hardcoded/hardcoded-passwords.py"
,
"start_line"
:
5
,
"end_line"
:
5
},
"priority"
:
"Low"
,
"file"
:
"python/hardcoded/hardcoded-passwords.py"
,
"line"
:
5
,
"url"
:
"https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html"
,
"tool"
:
"bandit"
},
{
"category"
:
"sast"
,
"message"
:
"Possible hardcoded password: ''"
,
"cve"
:
"python/hardcoded/hardcoded-passwords.py:d2d1857c27caedd49c57bfbcdc23afcc92bd66a22701fcdc632869aab4ca73ee:B105"
,
"severity"
:
"Low"
,
"confidence"
:
"Medium"
,
"scanner"
:
{
"id"
:
"bandit"
,
"name"
:
"Bandit"
},
"location"
:
{
"file"
:
"python/hardcoded/hardcoded-passwords.py"
,
"start_line"
:
9
,
"end_line"
:
9
},
"priority"
:
"Low"
,
"file"
:
"python/hardcoded/hardcoded-passwords.py"
,
"line"
:
9
,
"url"
:
"https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html"
,
"tool"
:
"bandit"
},
{
"category"
:
"sast"
,
"message"
:
"Possible hardcoded password: 'ajklawejrkl42348swfgkg'"
,
"cve"
:
"python/hardcoded/hardcoded-passwords.py:fb3866215a61393a5c9c32a3b60e2058171a23219c353f722cbd3567acab21d2:B105"
,
"severity"
:
"Low"
,
"confidence"
:
"Medium"
,
"scanner"
:
{
"id"
:
"bandit"
,
"name"
:
"Bandit"
},
"location"
:
{
"file"
:
"python/hardcoded/hardcoded-passwords.py"
,
"start_line"
:
13
,
"end_line"
:
13
},
"priority"
:
"Low"
,
"file"
:
"python/hardcoded/hardcoded-passwords.py"
,
"line"
:
13
,
"url"
:
"https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html"
,
"tool"
:
"bandit"
},
{
"category"
:
"sast"
,
"message"
:
"Possible hardcoded password: 'blerg'"
,
"cve"
:
"python/hardcoded/hardcoded-passwords.py:63c62a8b7e1e5224439bd26b28030585ac48741e28ca64561a6071080c560a5f:B105"
,
"severity"
:
"Low"
,
"confidence"
:
"Medium"
,
"scanner"
:
{
"id"
:
"bandit"
,
"name"
:
"Bandit"
},
"location"
:
{
"file"
:
"python/hardcoded/hardcoded-passwords.py"
,
"start_line"
:
23
,
"end_line"
:
23
},
"priority"
:
"Low"
,
"file"
:
"python/hardcoded/hardcoded-passwords.py"
,
"line"
:
23
,
"url"
:
"https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html"
,
"tool"
:
"bandit"
},
{
"category"
:
"sast"
,
"message"
:
"Possible hardcoded password: 'blerg'"
,
"cve"
:
"python/hardcoded/hardcoded-passwords.py:4311b06d08df8fa58229b341c531da8e1a31ec4520597bdff920cd5c098d86f9:B105"
,
"severity"
:
"Low"
,
"confidence"
:
"Medium"
,
"scanner"
:
{
"id"
:
"bandit"
,
"name"
:
"Bandit"
},
"location"
:
{
"file"
:
"python/hardcoded/hardcoded-passwords.py"
,
"start_line"
:
24
,
"end_line"
:
24
},
"priority"
:
"Low"
,
"file"
:
"python/hardcoded/hardcoded-passwords.py"
,
"line"
:
24
,
"url"
:
"https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html"
,
"tool"
:
"bandit"
},
{
"category"
:
"sast"
,
"message"
:
"Consider possible security implications associated with subprocess module."
,
"cve"
:
"python/imports/imports-function.py:5858400c2f39047787702de44d03361ef8d954c9d14bd54ee1c2bef9e6a7df93:B404"
,
"severity"
:
"Low"
,
"confidence"
:
"High"
,
"scanner"
:
{
"id"
:
"bandit"
,
"name"
:
"Bandit"
},
"location"
:
{
"file"
:
"python/imports/imports-function.py"
,
"start_line"
:
4
,
"end_line"
:
4
},
"priority"
:
"Low"
,
"file"
:
"python/imports/imports-function.py"
,
"line"
:
4
,
"tool"
:
"bandit"
},
{
"category"
:
"sast"
,
"message"
:
"Consider possible security implications associated with pickle module."
,
"cve"
:
"python/imports/imports-function.py:dbda3cf4190279d30e0aad7dd137eca11272b0b225e8af4e8bf39682da67d956:B403"
,
"severity"
:
"Low"
,
"confidence"
:
"High"
,
"scanner"
:
{
"id"
:
"bandit"
,
"name"
:
"Bandit"
},
"location"
:
{
"file"
:
"python/imports/imports-function.py"
,
"start_line"
:
2
,
"end_line"
:
2
},
"priority"
:
"Low"
,
"file"
:
"python/imports/imports-function.py"
,
"line"
:
2
,
"tool"
:
"bandit"
},
{
"category"
:
"sast"
,
"message"
:
"Consider possible security implications associated with Popen module."
,
"cve"
:
"python/imports/imports-from.py:eb8a0db9cd1a8c1ab39a77e6025021b1261cc2a0b026b2f4a11fca4e0636d8dd:B404"
,
"severity"
:
"Low"
,
"confidence"
:
"High"
,
"scanner"
:
{
"id"
:
"bandit"
,
"name"
:
"Bandit"
},
"location"
:
{
"file"
:
"python/imports/imports-from.py"
,
"start_line"
:
7
,
"end_line"
:
7
},
"priority"
:
"Low"
,
"file"
:
"python/imports/imports-from.py"
,
"line"
:
7
,
"tool"
:
"bandit"
},
{
"category"
:
"sast"
,
"message"
:
"subprocess call with shell=True seems safe, but may be changed in the future, consider rewriting without shell"
,
"cve"
:
"python/imports/imports-aliases.py:f99f9721e27537fbcb6699a4cf39c6740d6234d2c6f06cfc2d9ea977313c483d:B602"
,
"severity"
:
"Low"
,
"confidence"
:
"High"
,
"scanner"
:
{
"id"
:
"bandit"
,
"name"
:
"Bandit"
},
"location"
:
{
"file"
:
"python/imports/imports-aliases.py"
,
"start_line"
:
9
,
"end_line"
:
9
},
"priority"
:
"Low"
,
"file"
:
"python/imports/imports-aliases.py"
,
"line"
:
9
,
"url"
:
"https://docs.openstack.org/bandit/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html"
,
"tool"
:
"bandit"
},
{
"category"
:
"sast"
,
"message"
:
"Consider possible security implications associated with subprocess module."
,
"cve"
:
"python/imports/imports-from.py:332a12ab1146698f614a905ce6a6a5401497a12281aef200e80522711c69dcf4:B404"
,
"severity"
:
"Low"
,
"confidence"
:
"High"
,
"scanner"
:
{
"id"
:
"bandit"
,
"name"
:
"Bandit"
},
"location"
:
{
"file"
:
"python/imports/imports-from.py"
,
"start_line"
:
6
,
"end_line"
:
6
},
"priority"
:
"Low"
,
"file"
:
"python/imports/imports-from.py"
,
"line"
:
6
,
"tool"
:
"bandit"
},
{
"category"
:
"sast"
,
"message"
:
"Consider possible security implications associated with Popen module."
,
"cve"
:
"python/imports/imports-from.py:0a48de4a3d5348853a03666cb574697e3982998355e7a095a798bd02a5947276:B404"
,
"severity"
:
"Low"
,
"confidence"
:
"High"
,
"scanner"
:
{
"id"
:
"bandit"
,
"name"
:
"Bandit"
},
"location"
:
{
"file"
:
"python/imports/imports-from.py"
,
"start_line"
:
1
,
"end_line"
:
2
},
"priority"
:
"Low"
,
"file"
:
"python/imports/imports-from.py"
,
"line"
:
1
,
"tool"
:
"bandit"
},
{
"category"
:
"sast"
,
"message"
:
"Consider possible security implications associated with pickle module."
,
"cve"
:
"python/imports/imports-aliases.py:51b71661dff994bde3529639a727a678c8f5c4c96f00d300913f6d5be1bbdf26:B403"
,
"severity"
:
"Low"
,
"confidence"
:
"High"
,
"scanner"
:
{
"id"
:
"bandit"
,
"name"
:
"Bandit"
},
"location"
:
{
"file"
:
"python/imports/imports-aliases.py"
,
"start_line"
:
7
,
"end_line"
:
8
},
"priority"
:
"Low"
,
"file"
:
"python/imports/imports-aliases.py"
,
"line"
:
7
,
"tool"
:
"bandit"
},
{
"category"
:
"sast"
,
"message"
:
"Consider possible security implications associated with loads module."
,
"cve"
:
"python/imports/imports-aliases.py:6ff02aeb3149c01ab68484d794a94f58d5d3e3bb0d58557ef4153644ea68ea54:B403"
,
"severity"
:
"Low"
,
"confidence"
:
"High"
,
"scanner"
:
{
"id"
:
"bandit"
,
"name"
:
"Bandit"
},
"location"
:
{
"file"
:
"python/imports/imports-aliases.py"
,
"start_line"
:
6
,
"end_line"
:
6
},
"priority"
:
"Low"
,
"file"
:
"python/imports/imports-aliases.py"
,
"line"
:
6
,
"tool"
:
"bandit"
},
{
"category"
:
"sast"
,
"message"
:
"Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120)"
,
"cve"
:
"c/subdir/utils.c:b466873101951fe96e1332f6728eb7010acbbd5dfc3b65d7d53571d091a06d9e:CWE-119!/CWE-120"
,
"confidence"
:
"Low"
,
"solution"
:
"Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length"
,
"scanner"
:
{
"id"
:
"flawfinder"
,
"name"
:
"Flawfinder"
},
"location"
:
{
"file"
:
"c/subdir/utils.c"
,
"start_line"
:
4
},
"file"
:
"c/subdir/utils.c"
,
"line"
:
4
,
"url"
:
"https://cwe.mitre.org/data/definitions/119.html"
,
"tool"
:
"flawfinder"
},
{
"category"
:
"sast"
,
"message"
:
"Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362)"
,
"cve"
:
"c/subdir/utils.c:bab681140fcc8fc3085b6bba74081b44ea145c1c98b5e70cf19ace2417d30770:CWE-362"
,
"confidence"
:
"Low"
,
"scanner"
:
{
"id"
:
"flawfinder"
,
"name"
:
"Flawfinder"
},
"location"
:
{
"file"
:
"c/subdir/utils.c"
,
"start_line"
:
8
},
"file"
:
"c/subdir/utils.c"
,
"line"
:
8
,
"url"
:
"https://cwe.mitre.org/data/definitions/362.html"
,
"tool"
:
"flawfinder"
},
{
"category"
:
"sast"
,
"message"
:
"Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120)"
,
"cve"
:
"cplusplus/src/hello.cpp:c8c6dd0afdae6814194cf0930b719f757ab7b379cf8f261e7f4f9f2f323a818a:CWE-119!/CWE-120"
,
"confidence"
:
"Low"
,
"solution"
:
"Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length"
,
"scanner"
:
{
"id"
:
"flawfinder"
,
"name"
:
"Flawfinder"
},
"location"
:
{
"file"
:
"cplusplus/src/hello.cpp"
,
"start_line"
:
6
},
"file"
:
"cplusplus/src/hello.cpp"
,
"line"
:
6
,
"url"
:
"https://cwe.mitre.org/data/definitions/119.html"
,
"tool"
:
"flawfinder"
},
{
"category"
:
"sast"
,
"message"
:
"Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120)"
,
"cve"
:
"cplusplus/src/hello.cpp:331c04062c4fe0c7c486f66f59e82ad146ab33cdd76ae757ca41f392d568cbd0:CWE-120"
,
"confidence"
:
"Low"
,
"solution"
:
"Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)"
,
"scanner"
:
{
"id"
:
"flawfinder"
,
"name"
:
"Flawfinder"
},
"location"
:
{
"file"
:
"cplusplus/src/hello.cpp"
,
"start_line"
:
7
},
"file"
:
"cplusplus/src/hello.cpp"
,
"line"
:
7
,
"url"
:
"https://cwe.mitre.org/data/definitions/120.html"
,
"tool"
:
"flawfinder"
}
]
}
ee/spec/services/security/store_report_service_spec.rb
View file @
b24538af
...
@@ -203,6 +203,29 @@ RSpec.describe Security::StoreReportService, '#execute' do
...
@@ -203,6 +203,29 @@ RSpec.describe Security::StoreReportService, '#execute' do
expect
{
subject
}.
not_to
raise_error
expect
{
subject
}.
not_to
raise_error
end
end
end
end
context
'when the finding does not include a primary identifier'
do
let
(
:bad_pipeline
)
{
create
(
:ci_pipeline
,
project:
project
)
}
let
(
:bad_build
)
{
create
(
:ci_build
,
pipeline:
bad_pipeline
)
}
let!
(
:bad_artifact
)
{
create
(
:ee_ci_job_artifact
,
:sast_with_missing_identifiers
,
job:
bad_build
)
}
let
(
:bad_report
)
{
bad_pipeline
.
security_reports
.
get_report
(
report_type
.
to_s
,
bad_artifact
)
}
let
(
:report_type
)
{
:sast
}
before
do
project
.
add_developer
(
user
)
allow
(
bad_pipeline
).
to
receive
(
:user
).
and_return
(
user
)
end
subject
{
described_class
.
new
(
bad_pipeline
,
bad_report
).
execute
}
it
'does not create a new finding'
do
expect
{
subject
}.
not_to
change
{
Vulnerabilities
::
Finding
.
count
}
end
it
'does not raise an error'
do
expect
{
subject
}.
not_to
raise_error
end
end
end
end
context
'with existing data from same pipeline'
do
context
'with existing data from same pipeline'
do
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment