Fix container scanning parser

Add custom location object and use it to generate location_fingerprint Remove dead code (metadata_version method) Fix JSON indent (4 spaces => 2 spaces)

Fix container scanning parser
Add custom location object and use it to generate location_fingerprint Remove dead code (metadata_version method) Fix JSON indent (4 spaces => 2 spaces)
eed2bcf0 · Olivier Gonzalez · c7c63b2f · eed2bcf0 · eed2bcf0 · eed2bcf0
Commit eed2bcf0 authored Jan 08, 2019 by Olivier Gonzalez
3 changed files
--- a/ee/lib/gitlab/ci/parsers/security/container_scanning.rb
+++ b/ee/lib/gitlab/ci/parsers/security/container_scanning.rb
@@ -58,6 +58,15 @@ module Gitlab
              'severity' => translate_severity(vulnerability['severity']),
              'solution' => solution(vulnerability),
              'confidence' => 'Medium',
+              'location' => {
+                'operating_system' => vulnerability["namespace"],
+                'dependency' => {
+                  'package' => {
+                    'name' => vulnerability["featurename"]
+                  },
+                  'version' => vulnerability["featureversion"]
+                }
+              },
              'scanner' => { 'id' => 'clair', 'name' => 'Clair' },
              'identifiers' => [
                {
@@ -99,14 +108,8 @@ module Gitlab
            "#{vulnerability['featurename']} - #{vulnerability['vulnerability']}"
          end

-          def metadata_version(vulnerability)
-            '1.3'
-          end
-
          def generate_location_fingerprint(location)
-            # Location is irrelevant for Clair vulnerabilities.
-            # SHA1 value for 'clair'
-            'cb750fa5a7a31c527d5c15388a432c4ba3338457'
+            Digest::SHA1.hexdigest("#{location['operating_system']}:#{location.dig('dependency', 'package', 'name')}")
          end
        end
      end

--- a/ee/spec/lib/gitlab/ci/parsers/security/container_scanning_spec.rb
+++ b/ee/spec/lib/gitlab/ci/parsers/security/container_scanning_spec.rb
@@ -32,7 +32,9 @@ describe Gitlab::Ci::Parsers::Security::ContainerScanning do
    end

    it "generates expected location fingerprint" do
-      expect(report.occurrences.first[:location_fingerprint]).to eq('cb750fa5a7a31c527d5c15388a432c4ba3338457')
+      expected = Digest::SHA1.hexdigest('debian:9:glibc')
+
+      expect(report.occurrences.first[:location_fingerprint]).to eq(expected)
    end

    it "generates expected metadata_version" do
@@ -55,6 +57,15 @@ describe Gitlab::Ci::Parsers::Security::ContainerScanning do
            'url' => 'https://security-tracker.debian.org/tracker/CVE-2017-18269'
          }
        ],
+        'location' => {
+          'operating_system' => 'debian:9',
+          'dependency' => {
+            'package' => {
+              'name' => 'glibc'
+            },
+            'version' => '2.24-11+deb9u3'
+          }
+        },
        'links' => [{ 'url' => 'https://security-tracker.debian.org/tracker/CVE-2017-18269' }],
        'description' => 'SSE2-optimized memmove implementation problem.',
        'priority' => 'Unknown',

--- a/spec/fixtures/security-reports/feature-branch/gl-container-scanning-report.json
+++ b/spec/fixtures/security-reports/feature-branch/gl-container-scanning-report.json
 {
  "image": "registry.gitlab.com/bikebilly/auto-devops-10-6/feature-branch:e7315ba964febb11bac8f5cd6ec433db8a3a1583",
-    "unapproved": [
-        "CVE-2017-15650"
-    ],
+  "unapproved": ["CVE-2017-15650"],
  "vulnerabilities": [
    {
      "featurename": "musl",