From 3cccd102ba543e02725d247893729e5c73b38295 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Wed, 20 Apr 2022 10:00:54 +0000
Subject: Add latest changes from gitlab-org/gitlab@14-10-stable-ee
---
 .../master/gl-sast-report-bandit.json | 43 +++++++++++++
 .../master/gl-sast-report-gosec.json | 68 +++++++++++++++++++++
 .../master/gl-sast-report-semgrep-for-bandit.json | 71 ++++++++++++++++++++++
 .../master/gl-sast-report-semgrep-for-gosec.json | 70 +++++++++++++++++++++
 4 files changed, 252 insertions(+)
 create mode 100644 spec/fixtures/security_reports/master/gl-sast-report-bandit.json
 create mode 100644 spec/fixtures/security_reports/master/gl-sast-report-gosec.json
 create mode 100644 spec/fixtures/security_reports/master/gl-sast-report-semgrep-for-bandit.json
 create mode 100644 spec/fixtures/security_reports/master/gl-sast-report-semgrep-for-gosec.json
(limited to 'spec/fixtures/security_reports')
diff --git a/spec/fixtures/security_reports/master/gl-sast-report-bandit.json b/spec/fixtures/security_reports/master/gl-sast-report-bandit.json
new file mode 100644
index 00000000000..a80833354ed
--- /dev/null
+++ b/spec/fixtures/security_reports/master/gl-sast-report-bandit.json
@@ -0,0 +1,43 @@
+{
+ "version": "14.0.4",
+ "vulnerabilities": [
+ {
+ "id": "985a5666dcae22adef5ac12f8a8a2dacf9b9b481ae5d87cd0ac1712b0fd64864",
+ "category": "sast",
+ "message": "Deserialization of Untrusted Data",
+ "description": "Avoid using `load()`. `PyYAML.load` can create arbitrary Python\nobjects. A malicious actor could exploit this to run arbitrary\ncode. Use `safe_load()` instead.\n",
+ "cve": "",
+ "severity": "Critical",
+ "scanner": {
+ "id": "bandit",
+ "name": "Bandit"
+ },
+ "location": {
+ "file": "app/app.py",
+ "start_line": 39
+ },
+ "identifiers": [
+ {
+ "type": "bandit_test_id",
+ "name": "Bandit Test ID B506",
+ "value": "B506"
+ }
+ ]
+ }
+ ],
+ "scan": {
+ "scanner": {
+ "id": "bandit",
+ "name": "Bandit",
+ "url": "https://github.com/PyCQA/bandit",
+ "vendor": {
+ "name": "GitLab"
+ },
+ "version": "1.7.1"
+ },
+ "type": "sast",
+ "start_time": "2022-03-11T00:21:49",
+ "end_time": "2022-03-11T00:21:50",
+ "status": "success"
+ }
+}
diff --git a/spec/fixtures/security_reports/master/gl-sast-report-gosec.json b/spec/fixtures/security_reports/master/gl-sast-report-gosec.json
new file mode 100644
index 00000000000..42986ea1045
--- /dev/null
+++ b/spec/fixtures/security_reports/master/gl-sast-report-gosec.json
@@ -0,0 +1,68 @@
+{
+ "version": "14.0.4",
+ "vulnerabilities": [
+ {
+ "id": "2e5656ff30e2e7cc93c36b4845c8a689ddc47fdbccf45d834c67442fbaa89be0",
+ "category": "sast",
+ "name": "Key Exchange without Entity Authentication",
+ "message": "Use of ssh InsecureIgnoreHostKey should be audited",
+ "description": "The software performs a key exchange with an actor without verifying the identity of that actor.",
+ "cve": "og.go:8:7: func foo() {\n8: \t_ = ssh.InsecureIgnoreHostKey()\n9: }\n:CWE-322",
+ "severity": "Medium",
+ "confidence": "High",
+ "raw_source_code_extract": "7: func foo() {\n8: \t_ = ssh.InsecureIgnoreHostKey()\n9: }\n",
+ "scanner": {
+ "id": "gosec",
+ "name": "Gosec"
+ },
+ "location": {
+ "file": "og.go",
+ "start_line": 8
+ },
+ "identifiers": [
+ {
+ "type": "gosec_rule_id",
+ "name": "Gosec Rule ID G106",
+ "value": "G106"
+ },
+ {
+ "type": "CWE",
+ "name": "CWE-322",
+ "value": "322",
+ "url": "https://cwe.mitre.org/data/definitions/322.html"
+ }
+ ],
+ "tracking": {
+ "type": "source",
+ "items": [
+ {
+ "file": "og.go",
+ "line_start": 8,
+ "line_end": 8,
+ "signatures": [
+ {
+ "algorithm": "scope_offset",
+ "value": "og.go|foo[0]:1"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "scan": {
+ "scanner": {
+ "id": "gosec",
+ "name": "Gosec",
+ "url": "https://github.com/securego/gosec",
+ "vendor": {
+ "name": "GitLab"
+ },
+ "version": "2.10.0"
+ },
+ "type": "sast",
+ "start_time": "2022-03-15T20:33:12",
+ "end_time": "2022-03-15T20:33:17",
+ "status": "success"
+ }
+}
diff --git a/spec/fixtures/security_reports/master/gl-sast-report-semgrep-for-bandit.json b/spec/fixtures/security_reports/master/gl-sast-report-semgrep-for-bandit.json
new file mode 100644
index 00000000000..2a60a75366e
--- /dev/null
+++ b/spec/fixtures/security_reports/master/gl-sast-report-semgrep-for-bandit.json
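Review bot: The CWE identifier in this gosec fixture is typed `"type": "CWE"`, while both semgrep fixtures added in the same commit type theirs `"type": "cwe"`; if the spec that loads these reports matches identifiers across scanners by `type` and `value`, the case difference makes CWE-322 here and CWE-322 in gl-sast-report-semgrep-for-gosec.json compare unequal, so either normalise this entry to `"type": "cwe"` or confirm the consumer compares types case-insensitively. Separately, the `cve` field carries a source excerpt plus a `:CWE-322` suffix rather than a CVE identifier, duplicating what is already in `raw_source_code_extract`; if that is verbatim gosec-analyzer output it should stay as-is, but nothing in the fixture says so, and a one-line note in the spec that consumes it would save the next reader from "fixing" it.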
@@ -0,0 +1,71 @@
+{
+ "version": "14.0.4",
+ "vulnerabilities": [
+ {
+ "id": "985a5666dcae22adef5ac12f8a8a2dacf9b9b481ae5d87cd0ac1712b0fd64864",
+ "category": "sast",
+ "message": "Deserialization of Untrusted Data",
+ "description": "Avoid using `load()`. `PyYAML.load` can create arbitrary Python\nobjects. A malicious actor could exploit this to run arbitrary\ncode. Use `safe_load()` instead.\n",
+ "cve": "",
+ "severity": "Critical",
+ "scanner": {
+ "id": "semgrep",
+ "name": "Semgrep"
+ },
+ "location": {
+ "file": "app/app.py",
+ "start_line": 39
+ },
+ "identifiers": [
+ {
+ "type": "semgrep_id",
+ "name": "bandit.B506",
+ "value": "bandit.B506",
+ "url": "https://semgrep.dev/r/gitlab.bandit.B506"
+ },
+ {
+ "type": "cwe",
+ "name": "CWE-502",
+ "value": "502",
+ "url": "https://cwe.mitre.org/data/definitions/502.html"
+ },
+ {
+ "type": "bandit_test_id",
+ "name": "Bandit Test ID B506",
+ "value": "B506"
+ }
+ ],
+ "tracking": {
+ "type": "source",
+ "items": [
+ {
+ "file": "app/app.py",
+ "line_start": 39,
+ "line_end": 39,
+ "signatures": [
+ {
+ "algorithm": "scope_offset",
+ "value": "app/app.py|yaml_hammer[0]:13"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "scan": {
+ "scanner": {
+ "id": "semgrep",
+ "name": "Semgrep",
+ "url": "https://github.com/returntocorp/semgrep",
+ "vendor": {
+ "name": "GitLab"
+ },
+ "version": "0.82.0"
+ },
+ "type": "sast",
+ "start_time": "2022-03-11T18:48:16",
+ "end_time": "2022-03-11T18:48:22",
+ "status": "success"
+ }
+}
diff --git a/spec/fixtures/security_reports/master/gl-sast-report-semgrep-for-gosec.json b/spec/fixtures/security_reports/master/gl-sast-report-semgrep-for-gosec.json
new file mode 100644
index 00000000000..3d8c65d5823
--- /dev/null
+++ b/spec/fixtures/security_reports/master/gl-sast-report-semgrep-for-gosec.json
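Review bot: The `id` of this finding, `985a5666dcae22adef5ac12f8a8a2dacf9b9b481ae5d87cd0ac1712b0fd64864`, is byte-identical to the `id` in gl-sast-report-bandit.json even though `scanner.id`, the identifier list and the presence of a `tracking` block all differ between the two reports; if `id` is meant to be a content fingerprint that value looks copied rather than computed, and if the duplication is deliberate (the same B506 finding at `app/app.py:39` reported by two scanners, to exercise deduplication) the spec that consumes this pair should say so, because nothing in the fixture does. Worth checking which of the two it is before the fixture is relied on, since a test that passes only because two hashes were pasted identical will keep passing after the real dedup logic regresses.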
@@ -0,0 +1,70 @@
+{
+ "version": "14.0.4",
+ "vulnerabilities": [
+ {
+ "id": "79f6537b7ec83c7717f5bd1a4f12645916caafefe2e4359148d889855505aa67",
+ "category": "sast",
+ "message": "Key Exchange without Entity Authentication",
+ "description": "Audit the use of ssh.InsecureIgnoreHostKey\n",
+ "cve": "",
+ "severity": "Medium",
+ "scanner": {
+ "id": "semgrep",
+ "name": "Semgrep"
+ },
+ "location": {
+ "file": "og.go",
+ "start_line": 8
+ },
+ "identifiers": [
+ {
+ "type": "semgrep_id",
+ "name": "gosec.G106-1",
+ "value": "gosec.G106-1"
+ },
+ {
+ "type": "cwe",
+ "name": "CWE-322",
+ "value": "322",
+ "url": "https://cwe.mitre.org/data/definitions/322.html"
+ },
+ {
+ "type": "gosec_rule_id",
+ "name": "Gosec Rule ID G106",
+ "value": "G106"
+ }
+ ],
+ "tracking": {
+ "type": "source",
+ "items": [
+ {
+ "file": "og.go",
+ "line_start": 8,
+ "line_end": 8,
+ "signatures": [
+ {
+ "algorithm": "scope_offset",
+ "value": "og.go|foo[0]:1"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "scan": {
+ "scanner": {
+ "id": "semgrep",
+ "name": "Semgrep",
+ "url": "https://github.com/returntocorp/semgrep",
+ "vendor": {
+ "name": "GitLab"
+ },
+ "version": "0.82.0"
+ },
+ "type": "sast",
+ "start_time": "2022-03-15T20:36:58",
+ "end_time": "2022-03-15T20:37:05",
+ "status": "success"
+ }
+}
-- cgit v1.2.3
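Review bot: This semgrep-for-gosec fixture is not symmetric with the semgrep-for-bandit one: its `semgrep_id` identifier has no `url` (the bandit counterpart carries `https://semgrep.dev/r/gitlab.bandit.B506`), and its `id` (`79f6537b…`) differs from the gosec report's `id` (`2e5656ff…`), whereas the bandit/semgrep-for-bandit pair share a single `id`. Consequently any cross-scanner matching the spec asserts for this pair can only come from the shared `gosec_rule_id` value `G106` and the identical `location` and `scope_offset` signature `og.go|foo[0]:1`, never from `id`; if both pairs are meant to exercise the same code path that asymmetry should be intentional and stated in the spec, and if not, add the `url` the analyzer emits for `gosec.G106-1` and decide whether the two `id` values should agree. Also note the gosec report types its CWE identifier `"CWE"` while this file uses `"cwe"`, so a case-sensitive identifier comparison between the two will not treat them as the same CWE-322.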