Add cluster_image_scanning CI parser to update location data

This change adds CI parser for cluster_image_scanning to update the location data with cluster_id. cluster_id is not a part of container_scanning, so a new location class is created for cluster_image_scanning. EE: true Changelog: added

Add cluster_image_scanning CI parser to update location data
This change adds CI parser for cluster_image_scanning to update the location data with cluster_id. cluster_id is not a part of container_scanning, so a new location class is created for cluster_image_scanning. EE: true Changelog: added
c28d8ab7 · Sashi · 4eaa23f6 · c28d8ab7 · c28d8ab7 · c28d8ab7
Commit c28d8ab7 authored Oct 06, 2021 by Sashi
6 changed files
--- a/ee/lib/ee/gitlab/ci/parsers.rb
+++ b/ee/lib/ee/gitlab/ci/parsers.rb
@@ -12,7 +12,7 @@ module EE
                license_scanning: ::Gitlab::Ci::Parsers::LicenseCompliance::LicenseScanning,
                dependency_scanning: ::Gitlab::Ci::Parsers::Security::DependencyScanning,
                container_scanning: ::Gitlab::Ci::Parsers::Security::ContainerScanning,
-                cluster_image_scanning: ::Gitlab::Ci::Parsers::Security::ContainerScanning,
+                cluster_image_scanning: ::Gitlab::Ci::Parsers::Security::ClusterImageScanning,
                dast: ::Gitlab::Ci::Parsers::Security::Dast,
                api_fuzzing: ::Gitlab::Ci::Parsers::Security::Dast,
                coverage_fuzzing: ::Gitlab::Ci::Parsers::Security::CoverageFuzzing,

--- a/ee/lib/gitlab/ci/parsers/security/cluster_image_scanning.rb
+++ b/ee/lib/gitlab/ci/parsers/security/cluster_image_scanning.rb
+# frozen_string_literal: true
+module Gitlab
+  module Ci
+    module Parsers
+      module Security
+        class ClusterImageScanning < Common
+          private
+          def create_location(location_data)
+            ::Gitlab::Ci::Reports::Security::Locations::ClusterImageScanning.new(
+              image: location_data['image'],
+              cluster_id: location_data['cluster_id'],
+              operating_system: location_data['operating_system'],
+              package_name: location_data.dig('dependency', 'package', 'name'),
+              package_version: location_data.dig('dependency', 'version'))
+          end
+        end
+      end
+    end
+  end
+end
--- a/ee/lib/gitlab/ci/reports/security/locations/cluster_image_scanning.rb
+++ b/ee/lib/gitlab/ci/reports/security/locations/cluster_image_scanning.rb
+# frozen_string_literal: true
+module Gitlab
+  module Ci
+    module Reports
+      module Security
+        module Locations
+          class ClusterImageScanning < ContainerScanning
+            attr_reader :cluster_id
+            def initialize(image:, operating_system:, package_name: nil, package_version: nil, cluster_id: nil)
+              super(
+                image: image,
+                operating_system: operating_system,
+                package_name: package_name,
+                package_version: package_version
+              )
+              @cluster_id = cluster_id
+            end
+          end
+        end
+      end
+    end
+  end
+end
--- a/ee/spec/fixtures/security_reports/master/gl-cluster-image-scanning-report.json
+++ b/ee/spec/fixtures/security_reports/master/gl-cluster-image-scanning-report.json
@@ -21,7 +21,8 @@
          "version": "2.24-11+deb9u3"
        },
        "operating_system": "debian:9",
-        "image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e"
+        "image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e",
+        "cluster_id": "1"
      },
      "identifiers": [
        {
@@ -57,7 +58,8 @@
          "version": "2.24-11+deb9u3"
        },
        "operating_system": "debian:9",
-        "image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e"
+        "image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e",
+        "cluster_id": "1"
      },
      "identifiers": [
        {

--- a/ee/spec/lib/gitlab/ci/parsers/security/cluster_image_scanning_spec.rb
+++ b/ee/spec/lib/gitlab/ci/parsers/security/cluster_image_scanning_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+RSpec.describe Gitlab::Ci::Parsers::Security::ClusterImageScanning do
+  let(:project) { artifact.project }
+  let(:pipeline) { artifact.job.pipeline }
+  let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline, 2.weeks.ago) }
+  before do
+    artifact.each_blob { |blob| described_class.parse!(blob, report) }
+  end
+  describe '#parse!' do
+    let(:artifact) { create(:ee_ci_job_artifact, :cluster_image_scanning) }
+    let(:image) { 'registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e' }
+    it "parses all identifiers and findings for unapproved vulnerabilities" do
+      expect(report.findings.length).to eq(2)
+      expect(report.identifiers.length).to eq(2)
+      expect(report.scanners).to include("starboard")
+      expect(report.scanners.length).to eq(1)
+    end
+    it 'generates expected location' do
+      location = report.findings.first.location
+      expect(location).to be_a(::Gitlab::Ci::Reports::Security::Locations::ClusterImageScanning)
+      expect(location).to have_attributes(
+        image: image,
+        cluster_id: '1',
+        operating_system: 'debian:9',
+        package_name: 'glibc',
+        package_version: '2.24-11+deb9u3'
+      )
+    end
+    it "generates expected metadata_version" do
+      expect(report.findings.first.metadata_version).to eq('2.3')
+    end
+    it "adds report image's name to raw_metadata" do
+      expect(report.findings.first.location).to be_a(::Gitlab::Ci::Reports::Security::Locations::ClusterImageScanning)
+      expect(report.findings.first.location.image).to eq(image)
+    end
+  end
+end
--- a/ee/spec/lib/gitlab/ci/reports/security/locations/cluster_image_scanning_spec.rb
+++ b/ee/spec/lib/gitlab/ci/reports/security/locations/cluster_image_scanning_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+RSpec.describe Gitlab::Ci::Reports::Security::Locations::ClusterImageScanning do
+  let(:params) do
+    {
+      image: 'registry.gitlab.com/my/project:latest',
+      cluster_id: '1',
+      operating_system: 'debian:9',
+      package_name: 'glibc',
+      package_version: '1.2.3'
+    }
+  end
+  let(:mandatory_params) { %i[image operating_system] }
+  let(:expected_fingerprint) { Digest::SHA1.hexdigest('registry.gitlab.com/my/project:glibc') }
+  let(:expected_fingerprint_path) { 'registry.gitlab.com/my/project:glibc' }
+  it_behaves_like 'vulnerability location'
+end