debian-mirror-gitlab/lib/gitlab/ci/parsers/security/common.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

321 lines
11 KiB
Ruby
Raw Normal View History

2021-10-27 15:23:28 +05:30
# frozen_string_literal: true
module Gitlab
module Ci
module Parsers
module Security
class Common
SecurityReportParserError = Class.new(Gitlab::Ci::Parsers::ParserError)
2022-10-11 01:57:18 +05:30
def self.parse!(json_data, report, signatures_enabled: false, validate: false)
new(json_data, report, signatures_enabled: signatures_enabled, validate: validate).parse!
2021-10-27 15:23:28 +05:30
end
2022-10-11 01:57:18 +05:30
def initialize(json_data, report, signatures_enabled: false, validate: false)
2021-10-27 15:23:28 +05:30
@json_data = json_data
@report = report
2022-06-21 17:19:12 +05:30
@project = report.project
2021-10-27 15:23:28 +05:30
@validate = validate
2022-10-11 01:57:18 +05:30
@signatures_enabled = signatures_enabled
2021-10-27 15:23:28 +05:30
end
def parse!
2022-05-07 20:08:51 +05:30
set_report_version
2021-10-27 15:23:28 +05:30
return report_data unless valid?
raise SecurityReportParserError, "Invalid report format" unless report_data.is_a?(Hash)
2022-10-11 01:57:18 +05:30
create_scanner(top_level_scanner_data)
2021-10-27 15:23:28 +05:30
create_scan
create_analyzer
create_findings
report_data
rescue JSON::ParserError
raise SecurityReportParserError, 'JSON parsing failed'
2021-12-11 22:18:48 +05:30
rescue StandardError
2021-10-27 15:23:28 +05:30
raise SecurityReportParserError, "#{report.type} security report parsing failed"
end
private
2023-01-13 00:05:48 +05:30
attr_reader :json_data, :report, :validate, :project
2021-10-27 15:23:28 +05:30
def valid?
2022-11-25 23:54:43 +05:30
return true unless validate
2022-05-07 20:08:51 +05:30
2022-11-25 23:54:43 +05:30
schema_validation_passed = schema_validator.valid?
2022-05-07 20:08:51 +05:30
2022-11-25 23:54:43 +05:30
schema_validator.errors.each { |error| report.add_error('Schema', error) }
schema_validator.deprecation_warnings.each { |deprecation_warning| report.add_warning('Schema', deprecation_warning) }
schema_validator.warnings.each { |warning| report.add_warning('Schema', warning) }
2021-10-27 15:23:28 +05:30
2022-11-25 23:54:43 +05:30
schema_validation_passed
2021-10-27 15:23:28 +05:30
end
def schema_validator
2022-06-21 17:19:12 +05:30
@schema_validator ||= ::Gitlab::Ci::Parsers::Security::Validators::SchemaValidator.new(
report.type,
report_data,
report.version,
project: @project,
2022-10-11 01:57:18 +05:30
scanner: top_level_scanner_data
2022-06-21 17:19:12 +05:30
)
2021-10-27 15:23:28 +05:30
end
2023-03-04 22:38:38 +05:30
# New Oj parsers are not thread safe, therefore,
# we need to initialize them for each thread.
def introspect_parser
Thread.current[:introspect_parser] ||= Oj::Introspect.new(filter: "remediations")
end
2021-10-27 15:23:28 +05:30
def report_data
2023-03-04 22:38:38 +05:30
@report_data ||= introspect_parser.parse(json_data)
2021-10-27 15:23:28 +05:30
end
def report_version
@report_version ||= report_data['version']
end
2022-10-11 01:57:18 +05:30
def top_level_scanner_data
@top_level_scanner_data ||= report_data.dig('scan', 'scanner')
2021-10-27 15:23:28 +05:30
end
def scan_data
@scan_data ||= report_data.dig('scan')
end
def analyzer_data
@analyzer_data ||= report_data.dig('scan', 'analyzer')
end
def tracking_data(data)
data['tracking']
end
def create_findings
if report_data["vulnerabilities"]
report_data["vulnerabilities"].each { |finding| create_finding(finding) }
end
end
def create_finding(data, remediations = [])
identifiers = create_identifiers(data['identifiers'])
2021-11-11 11:23:49 +05:30
flags = create_flags(data['flags'])
2021-10-27 15:23:28 +05:30
links = create_links(data['links'])
location = create_location(data['location'] || {})
2022-05-07 20:08:51 +05:30
evidence = create_evidence(data['evidence'])
2021-10-27 15:23:28 +05:30
signatures = create_signatures(tracking_data(data))
2022-10-11 01:57:18 +05:30
if @signatures_enabled && !signatures.empty?
2021-10-27 15:23:28 +05:30
# NOT the signature_sha - the compare key is hashed
# to create the project_fingerprint
highest_priority_signature = signatures.max_by(&:priority)
uuid = calculate_uuid_v5(identifiers.first, highest_priority_signature.signature_hex)
else
uuid = calculate_uuid_v5(identifiers.first, location&.fingerprint)
end
report.add_finding(
::Gitlab::Ci::Reports::Security::Finding.new(
uuid: uuid,
report_type: report.type,
name: finding_name(data, identifiers, location),
compare_key: data['cve'] || '',
location: location,
2022-05-07 20:08:51 +05:30
evidence: evidence,
2021-10-27 15:23:28 +05:30
severity: parse_severity_level(data['severity']),
confidence: parse_confidence_level(data['confidence']),
2022-10-11 01:57:18 +05:30
scanner: create_scanner(top_level_scanner_data || data['scanner']),
2021-10-27 15:23:28 +05:30
scan: report&.scan,
identifiers: identifiers,
2021-11-11 11:23:49 +05:30
flags: flags,
2021-10-27 15:23:28 +05:30
links: links,
remediations: remediations,
2021-12-11 22:18:48 +05:30
original_data: data,
2021-10-27 15:23:28 +05:30
metadata_version: report_version,
details: data['details'] || {},
signatures: signatures,
2022-06-21 17:19:12 +05:30
project_id: @project.id,
2023-05-27 22:25:52 +05:30
found_by_pipeline: report.pipeline,
2022-10-11 01:57:18 +05:30
vulnerability_finding_signatures_enabled: @signatures_enabled))
2021-10-27 15:23:28 +05:30
end
def create_signatures(tracking)
tracking ||= { 'items' => [] }
signature_algorithms = Hash.new { |hash, key| hash[key] = [] }
tracking['items'].each do |item|
next unless item.key?('signatures')
item['signatures'].each do |signature|
alg = signature['algorithm']
signature_algorithms[alg] << signature['value']
end
end
signature_algorithms.map do |algorithm, values|
value = values.join('|')
signature = ::Gitlab::Ci::Reports::Security::FindingSignature.new(
algorithm_type: algorithm,
signature_value: value
)
2023-01-13 00:05:48 +05:30
signature if signature.valid?
2021-10-27 15:23:28 +05:30
end.compact
end
def create_scan
return unless scan_data.is_a?(Hash)
report.scan = ::Gitlab::Ci::Reports::Security::Scan.new(scan_data)
end
def set_report_version
report.version = report_version
end
def create_analyzer
return unless analyzer_data.is_a?(Hash)
params = {
id: analyzer_data.dig('id'),
name: analyzer_data.dig('name'),
version: analyzer_data.dig('version'),
vendor: analyzer_data.dig('vendor', 'name')
}
return unless params.values.all?
report.analyzer = ::Gitlab::Ci::Reports::Security::Analyzer.new(**params)
end
2022-10-11 01:57:18 +05:30
def create_scanner(scanner_data)
2021-10-27 15:23:28 +05:30
return unless scanner_data.is_a?(Hash)
report.add_scanner(
::Gitlab::Ci::Reports::Security::Scanner.new(
external_id: scanner_data['id'],
name: scanner_data['name'],
vendor: scanner_data.dig('vendor', 'name'),
2022-11-25 23:54:43 +05:30
version: scanner_data.dig('version'),
primary_identifiers: create_scan_primary_identifiers))
end
# TODO: primary_identifiers should be initialized on the
# scan itself but we do not currently parse scans through `MergeReportsService`
def create_scan_primary_identifiers
return unless scan_data.is_a?(Hash) && scan_data.dig('primary_identifiers')
scan_data.dig('primary_identifiers').map do |identifier|
::Gitlab::Ci::Reports::Security::Identifier.new(
external_type: identifier['type'],
external_id: identifier['value'],
name: identifier['name'],
url: identifier['url'])
end
2021-10-27 15:23:28 +05:30
end
def create_identifiers(identifiers)
return [] unless identifiers.is_a?(Array)
identifiers.map { |identifier| create_identifier(identifier) }.compact
end
def create_identifier(identifier)
return unless identifier.is_a?(Hash)
report.add_identifier(
::Gitlab::Ci::Reports::Security::Identifier.new(
external_type: identifier['type'],
external_id: identifier['value'],
name: identifier['name'],
url: identifier['url']))
end
2021-11-11 11:23:49 +05:30
def create_flags(flags)
return [] unless flags.is_a?(Array)
flags.map { |flag| create_flag(flag) }.compact
end
def create_flag(flag)
return unless flag.is_a?(Hash)
::Gitlab::Ci::Reports::Security::Flag.new(type: flag['type'], origin: flag['origin'], description: flag['description'])
end
2021-10-27 15:23:28 +05:30
def create_links(links)
return [] unless links.is_a?(Array)
links.map { |link| create_link(link) }.compact
end
def create_link(link)
return unless link.is_a?(Hash)
::Gitlab::Ci::Reports::Security::Link.new(name: link['name'], url: link['url'])
end
def parse_severity_level(input)
input&.downcase.then { |value| ::Enums::Vulnerability.severity_levels.key?(value) ? value : 'unknown' }
end
def parse_confidence_level(input)
input&.downcase.then { |value| ::Enums::Vulnerability.confidence_levels.key?(value) ? value : 'unknown' }
end
def create_location(location_data)
raise NotImplementedError
end
2022-05-07 20:08:51 +05:30
def create_evidence(evidence_data)
return unless evidence_data.is_a?(Hash)
::Gitlab::Ci::Reports::Security::Evidence.new(data: evidence_data)
end
2021-10-27 15:23:28 +05:30
def finding_name(data, identifiers, location)
return data['message'] if data['message'].present?
return data['name'] if data['name'].present?
identifier = identifiers.find(&:cve?) || identifiers.find(&:cwe?) || identifiers.first
2023-04-23 21:23:45 +05:30
if location&.fingerprint_path
"#{identifier.name} in #{location.fingerprint_path}"
else
identifier.name.to_s
end
2021-10-27 15:23:28 +05:30
end
def calculate_uuid_v5(primary_identifier, location_fingerprint)
uuid_v5_name_components = {
report_type: report.type,
primary_identifier_fingerprint: primary_identifier&.fingerprint,
location_fingerprint: location_fingerprint,
2022-06-21 17:19:12 +05:30
project_id: @project.id
2021-10-27 15:23:28 +05:30
}
if uuid_v5_name_components.values.any?(&:nil?)
Gitlab::AppLogger.warn(message: "One or more UUID name components are nil", components: uuid_v5_name_components)
return
end
::Security::VulnerabilityUUID.generate(
report_type: uuid_v5_name_components[:report_type],
primary_identifier_fingerprint: uuid_v5_name_components[:primary_identifier_fingerprint],
location_fingerprint: uuid_v5_name_components[:location_fingerprint],
project_id: uuid_v5_name_components[:project_id]
)
end
end
end
end
end
end
Gitlab::Ci::Parsers::Security::Common.prepend_mod_with("Gitlab::Ci::Parsers::Security::Common")