Diffstat (limited to 'doc/development/integrations/secure.md')
-rw-r--r--  doc/development/integrations/secure.md  32
1 files changed, 14 insertions, 18 deletions
diff --git a/doc/development/integrations/secure.md b/doc/development/integrations/secure.md
index 55e57a3c2ee..2c5dd1c0500 100644
--- a/doc/development/integrations/secure.md
+++ b/doc/development/integrations/secure.md
@@ -1,6 +1,6 @@
---
-stage: Protect
-group: Container Security
+stage: Secure
+group: Static Analysis
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
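Review bot: The ownership change in the front matter (stage `Protect` / group `Container Security` to stage `Secure` / group `Static Analysis`) carries no explanation in the hunk; since the `info:` line routes technical-writer assignment through this value, the commit message should state that the page moved groups so the assignment can be verified against the handbook.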
@@ -254,7 +254,7 @@ Following the POSIX exit code standard, the scanner exits with 0 for success and
Success also includes the case when vulnerabilities are found.
When a CI job fails, security report results are not ingested by GitLab, even if the job
-[allows failure](../../ci/yaml/#allow_failure). The report artifacts are still uploaded to GitLab and available
+[allows failure](../../ci/yaml/index.md#allow_failure). The report artifacts are still uploaded to GitLab and available
for [download in the pipeline security tab](../../user/application_security/vulnerability_report/pipeline.md#download-security-scan-outputs).
When executing a scanning job using the [Docker-in-Docker privileged mode](../../user/application_security/sast/index.md#requirements),
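Review bot: The link target change to `../../ci/yaml/index.md#allow_failure` brings this reference in line with the other relative links in the same passage (`pipeline.md#download-security-scan-outputs`, `sast/index.md#requirements`), which already point at a concrete `.md` file rather than a directory; no further change needed here.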
@@ -488,8 +488,8 @@ the risk. End-users interact with this field, whereas GitLab automatically proce
##### Identifiers
The `identifiers` array describes the detected vulnerability. An identifier object's `type` and
-`value` fields are used to tell if two identifiers are the same. The user interface uses the
-object's `name` and `url` fields to display the identifier.
+`value` fields are used to [tell if two identifiers are the same](../../user/application_security/vulnerability_report/pipeline.md#deduplication-process).
+The user interface uses the object's `name` and `url` fields to display the identifier.
We recommend that you use the identifiers the GitLab scanners already define:
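Review bot: Linking "tell if two identifiers are the same" to `#deduplication-process` is the right place for it, but make sure the linked page uses the same field names as this sentence (`type` and `value`); the paragraph removed further down in this same diff (L72-L73) described identifier matching as `type` and `id`, so the linked page is now the only place where the field name can be confirmed.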
@@ -509,12 +509,10 @@ which is shared by some of the analyzers that GitLab maintains. You can [contrib
new generic identifiers to if needed. Analyzers may also produce vendor-specific or product-specific
identifiers, which don't belong in the [common library](https://gitlab.com/gitlab-org/security-products/analyzers/common).
-The first item of the `identifiers` array is called the
-[primary identifier](../../user/application_security/terminology/index.md#primary-identifier).
-The primary identifier is particularly important, because it is used to
+The first item of the `identifiers` array is called the
+[primary identifier](../../user/application_security/terminology/index.md#primary-identifier), and
+it is used to
[track vulnerabilities](#tracking-and-merging-vulnerabilities) as new commits are pushed to the repository.
-Identifiers are also used to [merge duplicate vulnerabilities](#tracking-and-merging-vulnerabilities)
-reported for the same commit, except for `CWE` and `WASC`.
Not all vulnerabilities have CVEs, and a CVE can be identified multiple times. As a result, a CVE
isn't a stable identifier and you shouldn't assume it as such when tracking vulnerabilities.
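Review bot: Dropping the two lines "Identifiers are also used to [merge duplicate vulnerabilities](...) reported for the same commit, except for `CWE` and `WASC`." removes the only statement in this section that CWE and WASC identifiers are excluded from merging, and nothing in the replacement text points at where that rule now lives. Unless the deduplication page linked in the earlier hunk documents the exclusion, keep a one-line pointer here, for example: "Identifiers are also used to [merge duplicate vulnerabilities](../../user/application_security/vulnerability_report/pipeline.md#deduplication-process) reported for the same commit."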
@@ -666,11 +664,14 @@ Users may give feedback on a vulnerability:
GitLab tracks vulnerabilities so that user feedback is not lost
when new Git commits are pushed to the repository.
-Vulnerabilities are tracked using a combination of three attributes:
+Vulnerabilities are tracked using a
+[`UUIDv5`](https://gitlab.com/gitlab-org/gitlab/-/blob/1272957c4a55e616569721febccb685c056ca1e4/ee/app/models/vulnerabilities/finding.rb#L364-368)
+digest, which is generated by a `SHA-1` hash of four attributes:
- [Report type](#category)
-- [Location fingerprint](#location)
- [Primary identifier](#identifiers)
+- [Location fingerprint](#location)
+- Project ID
Right now, GitLab cannot track a vulnerability if its location changes
as new Git commits are pushed, and this results in user feedback being lost.
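Review bot: The list of the four hashed attributes was reordered (primary identifier now precedes location fingerprint) without saying whether the order is significant; if the `UUIDv5` is derived from a concatenation of these values, the order determines the digest and the sentence should say the attributes are combined in this order, otherwise say the order is not significant. Two smaller points: "a `UUIDv5` digest, which is generated by a `SHA-1` hash" is redundant, since UUIDv5 is by definition SHA-1 based, so "a `UUIDv5` digest of four attributes" reads more cleanly; and "Project ID" is the only item in the list with no link or definition.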
@@ -678,12 +679,7 @@ For instance, user feedback on a SAST vulnerability is lost
if the affected file is renamed or the affected line moves down.
This is addressed in [issue #7586](https://gitlab.com/gitlab-org/gitlab/-/issues/7586).
-In some cases, the multiple scans executed in the same CI pipeline result in duplicates
-that are automatically merged using the vulnerability location and identifiers.
-Two vulnerabilities are considered to be the same if they share the same [location fingerprint](#location)
-and at least one [identifier](#identifiers). Two identifiers are the same if they share the same `type` and `id`.
-CWE and WASC identifiers are not considered because they describe categories of vulnerability flaws,
-but not specific security flaws.
+See also [deduplication process](../../user/application_security/vulnerability_report/pipeline.md#deduplication-process).
##### Severity and confidence
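Review bot: Replacing the dedup paragraph with "See also [deduplication process](...)" is fine, but the removed lines stated two things the reviewer should confirm survive on the linked page: that two findings are merged when they share the same location fingerprint and at least one identifier, and that CWE and WASC identifiers are ignored for that purpose. The removed text also contradicted the Identifiers section above (identifiers compared on `type` and `id` here versus `type` and `value` there), which is worth calling out in the commit message as a reason for consolidating the description in one place.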