diff options
| author | Kamil Trzciński <ayufan@ayufan.eu> | 2018-12-03 15:19:53 +0000 |
|---|---|---|
| committer | Kamil Trzciński <ayufan@ayufan.eu> | 2018-12-03 15:19:53 +0000 |
| commit | 59de4e8f5f41e48541268d951b74a42bbac3fb31 (patch) | |
| tree | 767323d98954f88792557a7caf06d174e0e28cf7 | |
| parent | 19ef77a1cdd9959489037450d5061ea4728ae40b (diff) | |
| parent | 2e9ce523a12ea4d7724f3a4f664e379cf8ab1e21 (diff) | |
| download | gitlab-ce-59de4e8f5f41e48541268d951b74a42bbac3fb31.tar.gz | |
Merge branch 'ce-6718_store_dependency_scanning_results_in_db' into 'master'
Update Dependency Scanning report fixtures
See merge request gitlab-org/gitlab-ce!23460
| -rw-r--r-- | spec/fixtures/security-reports/feature-branch/gl-dependency-scanning-report.json | 166 | ||||
| -rw-r--r-- | spec/fixtures/security-reports/master/gl-dependency-scanning-report.json | 161 |
2 files changed, 277 insertions, 50 deletions
diff --git a/spec/fixtures/security-reports/feature-branch/gl-dependency-scanning-report.json b/spec/fixtures/security-reports/feature-branch/gl-dependency-scanning-report.json index 4b47e259c0f..314f04107eb 100644 --- a/spec/fixtures/security-reports/feature-branch/gl-dependency-scanning-report.json +++ b/spec/fixtures/security-reports/feature-branch/gl-dependency-scanning-report.json @@ -1,46 +1,154 @@ [ { - "priority": "Unknown", - "file": "pom.xml", - "cve": "CVE-2012-4387", - "url": "http://struts.apache.org/docs/s2-011.html", - "message": "Long parameter name DoS for org.apache.struts/struts2-core", - "tools": [ - "gemnasium" + "category": "dependency_scanning", + "name": "io.netty/netty - CVE-2014-3488", + "message": "DoS by CPU exhaustion when using malicious SSL packets", + "cve": "app/pom.xml:io.netty/netty@3.9.1.Final:CVE-2014-3488", + "severity": "Unknown", + "solution": "Upgrade to the latest version", + "scanner": { + "id": "gemnasium", + "name": "Gemnasium" + }, + "location": { + "file": "app/pom.xml" + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-d1bf36d9-9f07-46cd-9cfc-8675338ada8f", + "value": "d1bf36d9-9f07-46cd-9cfc-8675338ada8f", + "url": "https://deps.sec.gitlab.com/packages/maven/io.netty/netty/versions/3.9.1.Final/advisories" + }, + { + "type": "cve", + "name": "CVE-2014-3488", + "value": "CVE-2014-3488", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3488" + } + ], + "links": [ + { + "url": "https://bugzilla.redhat.com/CVE-2014-3488" + }, + { + "url": "http://netty.io/news/2014/06/11/3.html" + }, + { + "url": "https://github.com/netty/netty/issues/2562" + } ], + "priority": "Unknown", + "file": "app/pom.xml", + "url": "https://bugzilla.redhat.com/CVE-2014-3488", "tool": "gemnasium" }, { - "priority": "Unknown", - "file": "pom.xml", - "cve": "CVE-2013-1966", - "url": "http://struts.apache.org/docs/s2-014.html", - "message": "Remote command execution due to flaw in the includeParams attribute of URL and Anchor tags for org.apache.struts/struts2-core", - "tools": [ - "gemnasium" + "category": "dependency_scanning", + "name": "Django - CVE-2017-12794", + "message": "Possible XSS in traceback section of technical 500 debug page", + "cve": "app/requirements.txt:Django@1.11.3:CVE-2017-12794", + "severity": "Unknown", + "solution": "Upgrade to latest version or apply patch.", + "scanner": { + "id": "gemnasium", + "name": "Gemnasium" + }, + "location": { + "file": "app/requirements.txt" + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-6162a015-8635-4a15-8d7c-dc9321db366f", + "value": "6162a015-8635-4a15-8d7c-dc9321db366f", + "url": "https://deps.sec.gitlab.com/packages/pypi/Django/versions/1.11.3/advisories" + }, + { + "type": "cve", + "name": "CVE-2017-12794", + "value": "CVE-2017-12794", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12794" + } + ], + "links": [ + { + "url": "https://www.djangoproject.com/weblog/2017/sep/05/security-releases/" + } ], + "priority": "Unknown", + "file": "app/requirements.txt", + "url": "https://www.djangoproject.com/weblog/2017/sep/05/security-releases/", "tool": "gemnasium" }, { - "priority": "Unknown", - "file": "pom.xml", - "cve": "CVE-2013-2115", - "url": "http://struts.apache.org/docs/s2-014.html", - "message": "Remote command execution due to flaw in the includeParams attribute of URL and Anchor tags for org.apache.struts/struts2-core", - "tools": [ - "gemnasium" + "category": "dependency_scanning", + "name": "nokogiri - USN-3424-1", + "message": "Vulnerabilities in libxml2", + "cve": "rails/Gemfile.lock:nokogiri@1.8.0:USN-3424-1", + "severity": "Unknown", + "solution": "Upgrade to latest version.", + "scanner": { + "id": "gemnasium", + "name": "Gemnasium" + }, + "location": { + "file": "rails/Gemfile.lock" + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-06565b64-486d-4326-b906-890d9915804d", + "value": "06565b64-486d-4326-b906-890d9915804d", + "url": "https://deps.sec.gitlab.com/packages/gem/nokogiri/versions/1.8.0/advisories" + }, + { + "type": "usn", + "name": "USN-3424-1", + "value": "USN-3424-1", + "url": "https://usn.ubuntu.com/3424-1/" + } + ], + "links": [ + { + "url": "https://github.com/sparklemotion/nokogiri/issues/1673" + } ], + "priority": "Unknown", + "file": "rails/Gemfile.lock", + "url": "https://github.com/sparklemotion/nokogiri/issues/1673", "tool": "gemnasium" }, { - "priority": "Unknown", - "file": "pom.xml", - "cve": "CVE-2013-2134", - "url": "http://struts.apache.org/docs/s2-015.html", - "message": "Arbitrary OGNL code execution via unsanitized wildcard matching for org.apache.struts/struts2-core", - "tools": [ - "gemnasium" + "category": "dependency_scanning", + "name": "ffi - CVE-2018-1000201", + "message": "ruby-ffi DDL loading issue on Windows OS", + "cve": "ffi:1.9.18:CVE-2018-1000201", + "severity": "High", + "solution": "upgrade to \u003e= 1.9.24", + "scanner": { + "id": "bundler_audit", + "name": "bundler-audit" + }, + "location": { + "file": "sast-sample-rails/Gemfile.lock" + }, + "identifiers": [ + { + "type": "cve", + "name": "CVE-2018-1000201", + "value": "CVE-2018-1000201", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000201" + } ], - "tool": "gemnasium" + "links": [ + { + "url": "https://github.com/ffi/ffi/releases/tag/1.9.24" + } + ], + "priority": "High", + "file": "sast-sample-rails/Gemfile.lock", + "url": "https://github.com/ffi/ffi/releases/tag/1.9.24", + "tool": "bundler_audit" } ] diff --git a/spec/fixtures/security-reports/master/gl-dependency-scanning-report.json b/spec/fixtures/security-reports/master/gl-dependency-scanning-report.json index b4e4e8e7dd5..314f04107eb 100644 --- a/spec/fixtures/security-reports/master/gl-dependency-scanning-report.json +++ b/spec/fixtures/security-reports/master/gl-dependency-scanning-report.json @@ -1,35 +1,154 @@ [ { - "priority": "Unknown", - "file": "pom.xml", - "cve": "CVE-2012-4386", - "url": "http://struts.apache.org/docs/s2-010.html", - "message": "CSRF protection bypass for org.apache.struts/struts2-core", - "tools": [ - "gemnasium" + "category": "dependency_scanning", + "name": "io.netty/netty - CVE-2014-3488", + "message": "DoS by CPU exhaustion when using malicious SSL packets", + "cve": "app/pom.xml:io.netty/netty@3.9.1.Final:CVE-2014-3488", + "severity": "Unknown", + "solution": "Upgrade to the latest version", + "scanner": { + "id": "gemnasium", + "name": "Gemnasium" + }, + "location": { + "file": "app/pom.xml" + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-d1bf36d9-9f07-46cd-9cfc-8675338ada8f", + "value": "d1bf36d9-9f07-46cd-9cfc-8675338ada8f", + "url": "https://deps.sec.gitlab.com/packages/maven/io.netty/netty/versions/3.9.1.Final/advisories" + }, + { + "type": "cve", + "name": "CVE-2014-3488", + "value": "CVE-2014-3488", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3488" + } + ], + "links": [ + { + "url": "https://bugzilla.redhat.com/CVE-2014-3488" + }, + { + "url": "http://netty.io/news/2014/06/11/3.html" + }, + { + "url": "https://github.com/netty/netty/issues/2562" + } ], + "priority": "Unknown", + "file": "app/pom.xml", + "url": "https://bugzilla.redhat.com/CVE-2014-3488", "tool": "gemnasium" }, { - "priority": "Unknown", - "file": "pom.xml", - "cve": "CVE-2012-4387", - "url": "http://struts.apache.org/docs/s2-011.html", - "message": "Long parameter name DoS for org.apache.struts/struts2-core", - "tools": [ - "gemnasium" + "category": "dependency_scanning", + "name": "Django - CVE-2017-12794", + "message": "Possible XSS in traceback section of technical 500 debug page", + "cve": "app/requirements.txt:Django@1.11.3:CVE-2017-12794", + "severity": "Unknown", + "solution": "Upgrade to latest version or apply patch.", + "scanner": { + "id": "gemnasium", + "name": "Gemnasium" + }, + "location": { + "file": "app/requirements.txt" + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-6162a015-8635-4a15-8d7c-dc9321db366f", + "value": "6162a015-8635-4a15-8d7c-dc9321db366f", + "url": "https://deps.sec.gitlab.com/packages/pypi/Django/versions/1.11.3/advisories" + }, + { + "type": "cve", + "name": "CVE-2017-12794", + "value": "CVE-2017-12794", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12794" + } ], + "links": [ + { + "url": "https://www.djangoproject.com/weblog/2017/sep/05/security-releases/" + } + ], + "priority": "Unknown", + "file": "app/requirements.txt", + "url": "https://www.djangoproject.com/weblog/2017/sep/05/security-releases/", "tool": "gemnasium" }, { - "priority": "Unknown", - "file": "pom.xml", - "cve": "CVE-2013-1966", - "url": "http://struts.apache.org/docs/s2-014.html", - "message": "Remote command execution due to flaw in the includeParams attribute of URL and Anchor tags for org.apache.struts/struts2-core", - "tools": [ - "gemnasium" + "category": "dependency_scanning", + "name": "nokogiri - USN-3424-1", + "message": "Vulnerabilities in libxml2", + "cve": "rails/Gemfile.lock:nokogiri@1.8.0:USN-3424-1", + "severity": "Unknown", + "solution": "Upgrade to latest version.", + "scanner": { + "id": "gemnasium", + "name": "Gemnasium" + }, + "location": { + "file": "rails/Gemfile.lock" + }, + "identifiers": [ + { + "type": "gemnasium", + "name": "Gemnasium-06565b64-486d-4326-b906-890d9915804d", + "value": "06565b64-486d-4326-b906-890d9915804d", + "url": "https://deps.sec.gitlab.com/packages/gem/nokogiri/versions/1.8.0/advisories" + }, + { + "type": "usn", + "name": "USN-3424-1", + "value": "USN-3424-1", + "url": "https://usn.ubuntu.com/3424-1/" + } ], + "links": [ + { + "url": "https://github.com/sparklemotion/nokogiri/issues/1673" + } + ], + "priority": "Unknown", + "file": "rails/Gemfile.lock", + "url": "https://github.com/sparklemotion/nokogiri/issues/1673", "tool": "gemnasium" + }, + { + "category": "dependency_scanning", + "name": "ffi - CVE-2018-1000201", + "message": "ruby-ffi DDL loading issue on Windows OS", + "cve": "ffi:1.9.18:CVE-2018-1000201", + "severity": "High", + "solution": "upgrade to \u003e= 1.9.24", + "scanner": { + "id": "bundler_audit", + "name": "bundler-audit" + }, + "location": { + "file": "sast-sample-rails/Gemfile.lock" + }, + "identifiers": [ + { + "type": "cve", + "name": "CVE-2018-1000201", + "value": "CVE-2018-1000201", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000201" + } + ], + "links": [ + { + "url": "https://github.com/ffi/ffi/releases/tag/1.9.24" + } + ], + "priority": "High", + "file": "sast-sample-rails/Gemfile.lock", + "url": "https://github.com/ffi/ffi/releases/tag/1.9.24", + "tool": "bundler_audit" } ] |