Commit 3d301244 authored by GitLab QA's avatar GitLab QA
Browse files

Create Secure compatible application to serve premade reports

parent fd1fb3a3
Pipeline #25324 passed with stage
in 10 seconds
include:
template: Dependency-Scanning.gitlab-ci.yml
template: Container-Scanning.gitlab-ci.yml
template: SAST.gitlab-ci.yml
template: DAST.gitlab-ci.yml
template: License-Scanning.gitlab-ci.yml
dependency_scanning:
tags: [secure_report]
script:
- echo "Skipped"
artifacts:
reports:
dependency_scanning: gl-dependency-scanning-report.json
container_scanning:
tags: [secure_report]
only: null # Template defaults to feature branches only
variables:
GIT_STRATEGY: fetch # Template defaults to none, which stops fetching the premade report
script:
- echo "Skipped"
artifacts:
reports:
container_scanning: gl-container-scanning-report.json
sast:
tags: [secure_report]
only: null # Template defaults to feature branches only
script:
- echo "Skipped"
artifacts:
reports:
sast: gl-sast-report.json
dast:
tags: [secure_report]
only: null # Template defaults to feature branches only
script:
- echo "Skipped"
artifacts:
reports:
dast: gl-dast-report.json
license_scanning:
tags: [secure_report]
script:
- echo "Skipped"
artifacts:
reports:
license_scanning: gl-license-scanning-report.json
{
"version": "14.1.1",
"vulnerabilities": [
{
"category": "container_scanning",
"message": "CVE-2017-18269 in glibc",
"description": "Short description to match in specs",
"cve": "debian:9:glibc:CVE-2017-18269",
"severity": "Critical",
"confidence": "Unknown",
"solution": "Upgrade glibc from 2.24-11+deb9u3 to 2.24-11+deb9u4",
"scanner": {
"id": "trivy",
"name": "trivy"
},
"location": {
"dependency": {
"package": {
"name": "glibc"
},
"version": "2.24-11+deb9u3"
},
"operating_system": "debian:9",
"image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e"
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2017-18269",
"value": "CVE-2017-18269",
"url": "https://security-tracker.debian.org/tracker/CVE-2017-18269"
}
],
"links": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2017-18269"
}
]
},
{
"category": "container_scanning",
"message": "CVE-2017-16997 in glibc",
"description": "elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the \"./\" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.",
"cve": "debian:9:glibc:CVE-2017-16997",
"severity": "Critical",
"confidence": "Unknown",
"solution": "Upgrade glibc from 2.24-11+deb9u3 to 2.24-11+deb9u4",
"scanner": {
"id": "trivy",
"name": "trivy"
},
"location": {
"dependency": {
"package": {
"name": "glibc"
},
"version": "2.24-11+deb9u3"
},
"operating_system": "debian:9",
"image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e"
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2017-16997",
"value": "CVE-2017-16997",
"url": "https://security-tracker.debian.org/tracker/CVE-2017-16997"
}
],
"links": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2017-16997"
}
]
},
{
"category": "container_scanning",
"message": "CVE-2018-1000001 in glibc",
"description": "In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.",
"cve": "debian:9:glibc:CVE-2018-1000001",
"severity": "High",
"confidence": "Unknown",
"scanner": {
"id": "trivy",
"name": "trivy"
},
"location": {
"dependency": {
"package": {
"name": "glibc"
},
"version": "2.24-11+deb9u3"
},
"operating_system": "debian:9",
"image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e"
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2018-1000001",
"value": "CVE-2018-1000001",
"url": "https://security-tracker.debian.org/tracker/CVE-2018-1000001"
}
],
"links": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2018-1000001"
}
]
},
{
"category": "container_scanning",
"message": "CVE-2016-10228 in glibc",
"description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.",
"cve": "debian:9:glibc:CVE-2016-10228",
"severity": "Medium",
"confidence": "Unknown",
"scanner": {
"id": "trivy",
"name": "trivy"
},
"location": {
"dependency": {
"package": {
"name": "glibc"
},
"version": "2.24-11+deb9u3"
},
"operating_system": "debian:9",
"image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e"
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2016-10228",
"value": "CVE-2016-10228",
"url": "https://security-tracker.debian.org/tracker/CVE-2016-10228"
}
],
"links": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2016-10228"
}
]
},
{
"category": "container_scanning",
"message": "CVE-2018-18520 in elfutils",
"description": "An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.",
"cve": "debian:9:elfutils:CVE-2018-18520",
"severity": "Low",
"confidence": "Unknown",
"scanner": {
"id": "trivy",
"name": "trivy"
},
"location": {
"dependency": {
"package": {
"name": "elfutils"
},
"version": "0.168-1"
},
"operating_system": "debian:9",
"image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e"
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2018-18520",
"value": "CVE-2018-18520",
"url": "https://security-tracker.debian.org/tracker/CVE-2018-18520"
}
],
"links": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2018-18520"
}
]
},
{
"category": "container_scanning",
"message": "CVE-2010-4052 in glibc",
"description": "Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.",
"cve": "debian:9:glibc:CVE-2010-4052",
"severity": "Low",
"confidence": "Unknown",
"scanner": {
"id": "trivy",
"name": "trivy"
},
"location": {
"dependency": {
"package": {
"name": "glibc"
},
"version": "2.24-11+deb9u3"
},
"operating_system": "debian:9",
"image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e"
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2010-4052",
"value": "CVE-2010-4052",
"url": "https://security-tracker.debian.org/tracker/CVE-2010-4052"
}
],
"links": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2010-4052"
}
]
},
{
"category": "container_scanning",
"message": "CVE-2018-16869 in nettle",
"description": "A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.",
"cve": "debian:9:nettle:CVE-2018-16869",
"severity": "Unknown",
"confidence": "Unknown",
"scanner": {
"id": "trivy",
"name": "trivy"
},
"location": {
"dependency": {
"package": {
"name": "nettle"
},
"version": "3.3-1"
},
"operating_system": "debian:9",
"image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e"
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2018-16869",
"value": "CVE-2018-16869",
"url": "https://security-tracker.debian.org/tracker/CVE-2018-16869"
}
],
"links": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2018-16869"
}
]
},
{
"category": "container_scanning",
"message": "CVE-2018-18311 in perl",
"description": "Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.",
"cve": "debian:9:perl:CVE-2018-18311",
"severity": "Unknown",
"confidence": "Unknown",
"solution": "Upgrade perl from 5.24.1-3+deb9u3 to 5.24.1-3+deb9u5",
"scanner": {
"id": "trivy",
"name": "trivy"
},
"location": {
"dependency": {
"package": {
"name": "perl"
},
"version": "5.24.1-3+deb9u3"
},
"operating_system": "debian:9",
"image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e"
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2018-18311",
"value": "CVE-2018-18311",
"url": "https://security-tracker.debian.org/tracker/CVE-2018-18311"
}
],
"links": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2018-18311"
}
]
}
],
"remediations": []
}
This diff is collapsed.
This diff is collapsed.
{
"version": "2.1",
"licenses": [
{
"id": "Apache-2.0",
"name": "Apache License 2.0",
"url": "http://www.apache.org/licenses/LICENSE-2.0.html"
},
{
"id": "MIT",
"name": "MIT License",
"url": "http://opensource.org/licenses/mit-license"
}
],
"dependencies": [
{
"name": "test_dependency",
"version": "0.1.0",
"package_manager": "bundler",
"path": "Gemfile.lock",
"licenses": ["Apache-2.0"]
},
{
"name": "actioncable",
"version": "1.2",
"url": "http://rubyonrails.org",
"package_manager": "bundler",
"description": "WebSocket framework for Rails.",
"path": ".",
"licenses": ["MIT"]
}
]
}
{
"version": "14.1.1",
"vulnerabilities": [
{
"category": "sast",
"message": "Probable insecure usage of temp file/directory.",
"cve": "python/hardcoded/hardcoded-tmp.py:52865813c884a507be1f152d654245af34aba8a391626d01f1ab6d3f52ec8779:B108",
"severity": "Medium",
"confidence": "Medium",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/hardcoded/hardcoded-tmp.py",
"start_line": 1,
"end_line": 1
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B108",
"value": "B108",
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
}
],
"priority": "Medium",
"file": "python/hardcoded/hardcoded-tmp.py",
"line": 1,
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html",
"tool": "bandit"
},
{
"category": "sast",
"name": "Predictable pseudorandom number generator",
"message": "Predictable pseudorandom number generator",
"cve": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy:47:PREDICTABLE_RANDOM",
"severity": "Medium",
"confidence": "Medium",
"scanner": {
"id": "find_sec_bugs",
"name": "Find Security Bugs"
},
"location": {
"file": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
"start_line": 47,
"end_line": 47,
"class": "com.gitlab.security_products.tests.App",
"method": "generateSecretToken2"
},
"identifiers": [
{
"type": "find_sec_bugs_type",
"name": "Find Security Bugs-PREDICTABLE_RANDOM",
"value": "PREDICTABLE_RANDOM",
"url": "https://find-sec-bugs.github.io/bugs.htm#PREDICTABLE_RANDOM"
}
],
"priority": "Medium",
"file": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
"line": 47,
"url": "https://find-sec-bugs.github.io/bugs.htm#PREDICTABLE_RANDOM",
"tool": "find_sec_bugs"
},
{
"category": "sast",
"message": "Use of insecure MD2, MD4, or MD5 hash function.",
"cve": "python/imports/imports-aliases.py:017017b77deb0b8369b6065947833eeea752a92ec8a700db590fece3e934cf0d:B303",
"severity": "Medium",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-aliases.py",
"start_line": 13,
"end_line": 13
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B303",
"value": "B303"
}
],
"priority": "Medium",
"file": "python/imports/imports-aliases.py",
"line": 13,
"tool": "bandit"
},
{
"category": "sast",
"message": "Pickle library appears to be in use, possible security issue.",
"cve": "python/imports/imports-aliases.py:5f200d47291e7bbd8352db23019b85453ca048dd98ea0c291260fa7d009963a4:B301",
"severity": "Medium",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-aliases.py",
"start_line": 15,
"end_line": 15
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B301",
"value": "B301"
}
],
"priority": "Medium",
"file": "python/imports/imports-aliases.py",
"line": 15,
"tool": "bandit"
},
{
"category": "sast",
"name": "Possible unprotected redirect",
"message": "Possible unprotected redirect",
"description": "Possible unprotected redirect near line 46",
"cve": "373414e0effe673bb93d1d8994f3e511ff089ce79337a16577e087556e9ae3cd",
"severity": "Low",
"confidence": "Low",
"scanner": {
"id": "brakeman",
"name": "Brakeman"
},
"location": {
"file": "app/controllers/groups_controller.rb",
"start_line": 6,
"class": "GroupsController",
"method": "new_group"
},
"flags": [
{
"type": "flagged-as-likely-false-positive",
"origin": "vet",
"description": "This vulnerability has been identified as a potential false positive by the VET post-analyzer"
}
],
"identifiers": [
{
"type": "brakeman_warning_code",
"name": "Brakeman Warning Code 18",
"value": "18",
"url": "https://brakemanscanner.org/docs/warning_types/redirect/"
}
]
},
{
"category": "sast",
"name": "Cipher with no integrity",
"message": "Cipher with no integrity",
"cve": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy:29:CIPHER_INTEGRITY",
"severity": "Medium",
"confidence": "High",
"scanner": {
"id": "find_sec_bugs",
"name": "Find Security Bugs"
},
"location": {
"file": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
"start_line": 29,
"end_line": 29,
"class": "com.gitlab.security_products.tests.App",
"method": "insecureCypher"
},
"identifiers": [
{
"type": "find_sec_bugs_type",
"name": "Find Security Bugs-CIPHER_INTEGRITY",
"value": "CIPHER_INTEGRITY",
"url": "https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY"
}
],
"priority": "Medium",
"file": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
"line": 29,
"url": "https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY",
"tool": "find_sec_bugs"
}
]
}
This diff is collapsed.
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment