Security report ingestion overview
Definitions
-
Vulnerability Finding – an instance of
Vulnerabilities::Findingclass. This class was previously calledVulnerabilities::Occurrence; after renaming the class, we kept the associated table namevulnerability_occurrencesdue to the effort involved in renaming large tables. -
Vulnerability – an instance of
Vulnerabilityclass. They are created based on information available inVulnerabilities::Findingclass. EveryVulnerabilitymust have a correspondingVulnerabilities::Findingobject to be valid, however this is not enforced at the database level. -
Security Finding – an instance of
Security::Findingclass. They store partial finding data to improve performance of the pipeline security report. We are working on extending this class to store almost all required information so we can stop relying on job artifacts. -
Feedback – an instance of
Vulnerabilities::Feedbackclass. They are created to keep track of users’ interactions with Vulnerability Findings before they are promoted to a Vulnerability. We are in the process of removing this model via Deprecate and remove Vulnerabilities::Feedback epic. -
Issue Link – an instance of
Vulnerabilities::IssueLinkclass. They are used to linkVulnerabilityobjects toIssueobjects.
Vulnerability creation from security reports
Assumptions:
- Project uses GitLab CI
- Project uses security scanning tools
- No Vulnerabilities are present in the database
- All pipelines perform security scans
- Code is pushed to a branch that’s not the default branch.
- GitLab CI runs a new pipeline for that branch.
- Pipeline status transitions to any of
::Ci::Pipeline.completed_statuses. -
Security::StoreScansWorkeris called and it schedulesSecurity::StoreScansService. -
Security::StoreScansServicecallsSecurity::StoreGroupedScansService. -
Security::StoreGroupedScansServicecallsSecurity::StoreScanService. -
Security::StoreScanServicecallsSecurity::StoreFindingsService. - At this point we have
Security::Findingobjects only.
At this point, the following things can happen to the Security::Finding:
- Dismissal
- Issue creation
- Promotion to a Vulnerability
If the pipeline ran on the default branch then the following, additional steps are done:
-
Security::StoreScansServicegets called and schedulesSecurity::StoreSecurityReportsWorker. -
Security::StoreSecurityReportsWorkerexecutesSecurity::Ingestion::IngestReportsService. -
Security::Ingestion::IngestReportsServicetakes all reports from a given Pipeline and callsSecurity::Ingestion::IngestReportServiceand then callsSecurity::Ingestion::MarkAsResolvedService. -
Security::Ingestion::IngestReportServicecallsSecurity::Ingestion::IngestReportSliceServicewhich executes a number of tasks for a report slice.
Dismissal
If you select Dismiss vulnerability, a Feedback is created. You can also dismiss it with a comment.
After Feedback removal
If there is only a Security Finding, a Vulnerability Finding and a Vulnerability get created. At the same time we create a Vulnerabilities::StateTransition record to indicate the Vulnerability was dismissed.
Issue creation
If you select Create issue, a Vulnerabilities::Feedback record is created as well. The Feedback has a different feedback_type and an issue_id that’s not NULL.
Vulnerabilities::IssueLink record.After Feedback removal
If there’s only a Security Finding, a Vulnerability Finding and a Vulnerability gets created. At the same time, we create an Issue and a Issue Link.
Promotion to a Vulnerability
If the branch with a Security Finding gets merged into the default branch, all Security Findings get promoted into Vulnerabilities. Promotion is the process of creating Vulnerability Findings and Vulnerability records from those Security Findings.
If there’s a dismissal Feedback present for that Security Finding, the created Vulnerability is marked as dismissed.
If there’s an issue Feedback present for that Security Finding, we also create an Issue Link for that Vulnerability.