Module: VulnerabilityFindingHelpers

Extended by:
ActiveSupport::Concern
Included in:
Gitlab::Ci::Reports::Security::Finding
Defined in:
app/models/concerns/vulnerability_finding_helpers.rb

Constant Summary

REPORT_TYPES_REQUIRING_MANUAL_RESOLUTION =

Findings of these report types cannot be considered fixed merely because they disappear from the target branch: they still require active triage, such as rotating an exposed token.

%w[secret_detection].freeze

Instance Method Summary

Instance Method Details

#build_vulnerability_finding(security_finding) ⇒ Object



# File 'app/models/concerns/vulnerability_finding_helpers.rb', line 46

# Builds an unsaved Vulnerabilities::Finding from a security finding.
#
# The attribute hash comes from the report finding returned by
# +report_finding_for+. Nested report objects (identifiers, signatures,
# evidence, flags, location, scanner) are not copied from that hash; they
# are rebuilt as their persisted counterparts below.
#
# @param security_finding [Object] the finding whose report data is looked
#   up; its +uuid+ and +scanner+ are copied onto the result
# @return [Vulnerabilities::Finding] a blank finding when no report finding
#   exists for +security_finding+, otherwise a populated, unsaved finding
def build_vulnerability_finding(security_finding)
  report_finding = report_finding_for(security_finding)
  return Vulnerabilities::Finding.new unless report_finding

  # Associations are rebuilt explicitly, so keep them out of the attribute hash.
  excluded_keys = %i[compare_key identifiers location scanner links signatures flags evidence]
  finding_data = report_finding.to_hash.except(*excluded_keys)

  # Identifiers sharing a fingerprint collapse to a single record.
  identifiers = report_finding.identifiers.uniq(&:fingerprint).map do |identifier|
    Vulnerabilities::Identifier.new(identifier.to_hash.merge(project: project))
  end

  signatures = report_finding.signatures.map { |signature| Vulnerabilities::FindingSignature.new(signature.to_hash) }

  evidence = nil
  if report_finding.evidence
    evidence = Vulnerabilities::Finding::Evidence.new(data: report_finding.evidence.data)
  end

  finding = Vulnerabilities::Finding.new(finding_data)
  finding.uuid = security_finding.uuid
  finding.location_fingerprint = report_finding.location.fingerprint
  finding.vulnerability = vulnerability_for(security_finding.uuid)
  finding.project = project
  finding.sha = pipeline.sha
  finding.scanner = security_finding.scanner
  finding.finding_evidence = evidence

  # Flags are attached only when the project is licensed for FP reduction
  # (see calculate_false_positive?).
  finding.vulnerability_flags = report_finding.flags.map { |flag| Vulnerabilities::Flag.new(flag) } if calculate_false_positive?

  finding.identifiers = identifiers
  finding.primary_identifier = identifiers.first
  finding.signatures = signatures

  finding
end

#calculate_false_positive? ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/models/concerns/vulnerability_finding_helpers.rb', line 82

# Whether false-positive flags from the report should be carried onto
# built findings.
#
# Decided solely by the project's +:sast_fp_reduction+ licensed feature.
#
# @return [Boolean]
def calculate_false_positive?
  feature = :sast_fp_reduction
  project.licensed_feature_available?(feature)
end

#matches_signatures(other_signatures, other_uuid) ⇒ Object



# File 'app/models/concerns/vulnerability_finding_helpers.rb', line 14

# Decides whether this finding and another one describe the same vulnerability.
#
# Signatures are compared highest-priority first: the first algorithm type
# present on both sides decides the result. When the two findings share no
# algorithm type, the other finding's UUID is checked against this finding's
# +uuid+ and the signature-derived UUIDs from +signature_uuids+.
#
# @param other_signatures [Enumerable] signatures of the other finding, each
#   responding to +algorithm_type+
# @param other_uuid [String] UUID of the other finding
# @return [Boolean]
def matches_signatures(other_signatures, other_uuid)
  by_algorithm = other_signatures.index_by(&:algorithm_type)

  # sort_by yields ascending priority; reverse so the highest comes first.
  ranked = signatures.sort_by(&:priority).reverse
  decisive = ranked.find { |signature| !by_algorithm[signature.algorithm_type].nil? }

  # No shared algorithm type: fall back to UUID-based matching.
  return [uuid, *signature_uuids].include?(other_uuid) if decisive.nil?

  by_algorithm[decisive.algorithm_type] == decisive
end

#requires_manual_resolution? ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/models/concerns/vulnerability_finding_helpers.rb', line 10

# Whether this finding has to be triaged by a person rather than being
# auto-resolved when it disappears from the target branch.
#
# Looks up +report_type+ in REPORT_TYPES_REQUIRING_MANUAL_RESOLUTION.
#
# @return [Boolean]
def requires_manual_resolution?
  manual_types = REPORT_TYPES_REQUIRING_MANUAL_RESOLUTION
  manual_types.any? { |type| type == report_type }
end

#signature_uuids ⇒ Object



# File 'app/models/concerns/vulnerability_finding_helpers.rb', line 34

# UUIDs derived from each of this finding's signatures.
#
# Each signature's hex digest stands in for the location fingerprint when
# the UUID is generated through ::Security::VulnerabilityUUID, so a finding
# can be matched by signature as well as by location.
#
# @return [Array] one generated UUID per signature, in signature order
def signature_uuids
  hex_digests = signatures.map(&:signature_hex)

  hex_digests.map do |hex_sha|
    ::Security::VulnerabilityUUID.generate(
      report_type: report_type,
      location_fingerprint: hex_sha,
      primary_identifier_fingerprint: primary_identifier&.fingerprint,
      project_id: project_id
    )
  end
end