249 lines
11 KiB
Markdown
249 lines
11 KiB
Markdown
---
|
|
type: reference, howto
|
|
stage: Secure
|
|
group: Threat Insights
|
|
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
|
|
---
|
|
|
|
# Vulnerability Report **(ULTIMATE)**
|
|
|
|
The Vulnerability Report provides information about vulnerabilities from scans of the default branch. It contains cumulative results of all successful jobs, regardless of whether the pipeline was successful.
|
|
|
|
The scan results from a pipeline are only ingested after all the jobs in the pipeline complete. Partial results for a pipeline with jobs in progress can be seen in the pipeline security tab.
|
|
|
|
The report is available for projects, groups, and the Security Center.
|
|
|
|
At all levels, the Vulnerability Report contains:
|
|
|
|
- Totals of vulnerabilities per severity level.
|
|
- Filters for common vulnerability attributes.
|
|
- Details of each vulnerability, presented in tabular layout.
|
|
|
|
The **Activity** column contains icons to indicate the activity, if any, taken on the vulnerability
|
|
in that row:
|
|
|
|
- Issues **{issues}**: Links to issues created for the vulnerability. For more details, read
|
|
[Create an issue for a vulnerability](../vulnerabilities/index.md#create-an-issue-for-a-vulnerability).
|
|
- Wrench **{admin}**: The vulnerability has been remediated.
|
|
- False positive **{false-positive}**: The scanner determined this vulnerability to be a false
|
|
positive.
|
|
|
|
![Example project-level Vulnerability Report](img/project_level_vulnerability_report_v14_5.png)
|
|
|
|
## Project-level Vulnerability Report
|
|
|
|
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/6165) in GitLab 11.1.
|
|
|
|
The project-level Vulnerability Report also contains:
|
|
|
|
- A time stamp showing when it was updated, including a link to the latest pipeline.
|
|
- The number of failures that occurred in the most recent pipeline. Select the failure
|
|
notification to view the **Failed jobs** tab of the pipeline's page.
|
|
|
|
To access the report, navigate to **Security & Compliance > Vulnerability Report**.
|
|
|
|
## Vulnerability Report actions
|
|
|
|
From the Vulnerability Report you can:
|
|
|
|
- [Filter the list of vulnerabilities](#filter-the-list-of-vulnerabilities).
|
|
- [View more details about a vulnerability](#view-details-of-a-vulnerability).
|
|
- [View vulnerable source location](#view-vulnerable-source-location) (if available).
|
|
- [View an issue raised for a vulnerability](#view-issues-raised-for-a-vulnerability).
|
|
- [Change the status of vulnerabilities](#change-status-of-vulnerabilities).
|
|
- [Export details of vulnerabilities](#export-vulnerability-details).
|
|
- [Manually add a vulnerability finding](#manually-add-a-vulnerability-finding).
|
|
|
|
## Vulnerability Report filters
|
|
|
|
You can filter the vulnerabilities table by:
|
|
|
|
<!-- vale gitlab.SubstitutionWarning = NO -->
|
|
|
|
| Filter | Available options |
|
|
|:---------|:------------------|
|
|
| Status | Detected, Confirmed, Dismissed, Resolved. |
|
|
| Severity | Critical, High, Medium, Low, Info, Unknown. |
|
|
| Tool | For more details, see [Tool filter](#tool-filter). |
|
|
| Project | For more details, see [Project filter](#project-filter). |
|
|
| Activity | For more details, see [Activity filter](#activity-filter). |
|
|
|
|
<!-- vale gitlab.SubstitutionWarning = YES -->
|
|
|
|
### Filter the list of vulnerabilities
|
|
|
|
To filter the list of vulnerabilities:
|
|
|
|
1. Select a filter.
|
|
1. Select values from the dropdown.
|
|
1. Repeat the above steps for each desired filter.
|
|
|
|
After each filter is selected:
|
|
|
|
- The list of matching vulnerabilities is updated.
|
|
- The vulnerability severity totals are updated.
|
|
|
|
The filters' criteria are combined to show only vulnerabilities matching all criteria.
|
|
An exception to this behavior is the Activity filter. For more details about how it works, see
|
|
[Activity filter](#activity-filter).
|
|
|
|
## Tool filter
|
|
|
|
The tool filter allows you to focus on vulnerabilities detected by selected tools.
|
|
|
|
When using the tool filter, you can choose:
|
|
|
|
- **All tools** (default).
|
|
- Individual GitLab-provided tools.
|
|
- Any integrated 3rd-party tool. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/229661) in GitLab 13.12.
|
|
|
|
For details of each of the available tools, see [Security scanning tools](../index.md#security-scanning-tools).
|
|
|
|
### Project filter
|
|
|
|
The content of the Project filter depends on the current level:
|
|
|
|
| Level | Content of the Project filter |
|
|
|:---------------|:------------------------------|
|
|
| Security Center | Only projects you've [added to your personal Security Center](../security_dashboard/index.md#add-projects-to-the-security-center). |
|
|
| Group level | All projects in the group. |
|
|
| Project level | Not applicable. |
|
|
|
|
### Activity filter
|
|
|
|
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/259255) in GitLab 13.9
|
|
|
|
The Activity filter behaves differently from the other filters. The selected values form mutually
|
|
exclusive sets to allow for precisely locating the desired vulnerability records. Additionally, not
|
|
all options can be selected in combination.
|
|
|
|
Selection behavior when using the Activity filter:
|
|
|
|
| Activity selection | Results displayed |
|
|
|:------------------------------------|:------------------|
|
|
| All | Vulnerabilities with any Activity status (same as ignoring this filter). Selecting this deselects any other Activity filter options. |
|
|
| No activity | Only vulnerabilities without either an associated Issue or that are no longer detected. Selecting this deselects any other Activity filter options. |
|
|
| With issues | Only vulnerabilities with one or more associated issues. Does not include vulnerabilities that also are no longer detected. |
|
|
| No longer detected | Only vulnerabilities that are no longer detected in the latest pipeline scan of the `default` branch. Does not include vulnerabilities with one or more associated issues. |
|
|
| With issues and No longer detected | Only vulnerabilities that have one or more associated issues and also are no longer detected in the latest pipeline scan of the `default` branch. |
|
|
|
|
## View details of a vulnerability
|
|
|
|
To view more details of a vulnerability, select the vulnerability's **Description**. The
|
|
[vulnerability's details](../vulnerabilities) page is opened.
|
|
|
|
## View vulnerable source location
|
|
|
|
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/267509) in GitLab 13.10.
|
|
|
|
Some security scanners output the filename and line number of a potential vulnerability. When
|
|
that information is available, the vulnerability's details include a link to the relevant file,
|
|
in the default branch.
|
|
|
|
To view the relevant file, select the filename in the vulnerability's details.
|
|
|
|
## View issues raised for a vulnerability
|
|
|
|
The **Activity** column indicates the number of issues that have been created for the vulnerability.
|
|
Hover over an **Activity** entry and select a link go to that issue. The status of whether the issue is open or closed also displays in the hover menu.
|
|
|
|
![Display attached issues](img/vulnerability_list_table_v13_9.png)
|
|
|
|
If Jira issue support is enabled, the issue link found in the Activity entry links out to the issue in Jira. Unlike GitLab issues, the status of whether a Jira issue is Open or Closed does not display in the GitLab UI.
|
|
|
|
## Change status of vulnerabilities
|
|
|
|
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/292636) in GitLab 13.10, all statuses became selectable.
|
|
|
|
To change the status of vulnerabilities in the table:
|
|
|
|
1. Select the checkbox for each vulnerability you want to update the status of.
|
|
1. In the dropdown that appears select the desired status, then select **Change status**.
|
|
|
|
![Project Vulnerability Report](img/project_security_dashboard_status_change_v14_2.png)
|
|
|
|
### Change status of multiple vulnerabilities
|
|
|
|
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/35816) in GitLab 12.9.
|
|
|
|
You can change the status of multiple vulnerabilities at once:
|
|
|
|
1. In the list of vulnerabilities, select the checkbox for each vulnerability you want to update.
|
|
To select all, select the checkbox in the table header.
|
|
1. Above the table, select a new status.
|
|
1. Click **Change status** to save.
|
|
|
|
## Export vulnerability details
|
|
|
|
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/213014) in the Security Center (previously known as the Instance Security Dashboard) and project-level Vulnerability Report (previously known as the Project Security Dashboard) in GitLab 13.0.
|
|
> - [Added](https://gitlab.com/gitlab-org/gitlab/-/issues/213013) to the group-level Vulnerability Report in GitLab 13.1.
|
|
|
|
You can export details of the vulnerabilities listed in the Vulnerability Report. The export format
|
|
is CSV (comma separated values). Note that all vulnerabilities are included because filters don't
|
|
apply to the export.
|
|
|
|
Fields included are:
|
|
|
|
- Group name
|
|
- Project name
|
|
- Scanner type
|
|
- Scanner name
|
|
- Status
|
|
- Vulnerability
|
|
- Details
|
|
- Additional information
|
|
- Severity
|
|
- [CVE](https://cve.mitre.org/) (Common Vulnerabilities and Exposures)
|
|
- [CWE](https://cwe.mitre.org/) (Common Weakness Enumeration)
|
|
- Other identifiers
|
|
|
|
### Export details in CSV format
|
|
|
|
To export details of all vulnerabilities listed in the Vulnerability Report, select **Export**.
|
|
|
|
The details are retrieved from the database, then the CSV file is downloaded to your local
|
|
computer.
|
|
|
|
NOTE:
|
|
It may take several minutes for the download to start if your project contains
|
|
thousands of vulnerabilities. Don't close the page until the download finishes.
|
|
|
|
## Dismiss a vulnerability
|
|
|
|
> The option of adding a dismissal reason was introduced in GitLab 12.0.
|
|
|
|
You can dismiss a vulnerability for the entire project:
|
|
|
|
1. Select the vulnerability in the Security Dashboard.
|
|
1. In the top-right, from the **Status** selector menu, select **Dismissed**.
|
|
1. Optional. Add a reason for the dismissal and select **Save comment**.
|
|
|
|
To undo this action, select a different status from the same menu.
|
|
|
|
## Manually add a vulnerability finding
|
|
|
|
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/301003) in GitLab 14.9. Disabled by default.
|
|
|
|
FLAG:
|
|
This feature is not enabled by default. To make it available, ask an administrator to
|
|
[enable the feature flag](../../feature_flags.md) named `new_vulnerability_form`.
|
|
On GitLab.com, this feature is not yet available.
|
|
|
|
To add a new vulnerability finding from your project level Vulnerability Report page:
|
|
|
|
1. On the top bar, select **Menu > Projects** and find your project.
|
|
1. On the left sidebar, select **Security & Compliance > Vulnerability Report**.
|
|
1. Click on **Submit Vulnerability**.
|
|
1. Complete the fields and submit the form.
|
|
|
|
You will be brought to the newly created vulnerability's detail page. Manually created records appear in the
|
|
Group, Project, and Security Center Vulnerability Reports. To filter them, use the Generic Tool filter.
|
|
|
|
## Operational vulnerabilities
|
|
|
|
> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/6345) in GitLab 14.6.
|
|
|
|
The **Operational vulnerabilities** tab lists vulnerabilities found by the `cluster_image_scanner`.
|
|
This tab appears on the project, group, and Security Center vulnerability reports.
|
|
|
|
![Operational Vulnerability Tab](img/operational_vulnerability_tab_v14_6.png)
|