Conversation

@jiparis jiparis commented Sep 18, 2024

This PR adds support for Gitlab security reports.
The implementation uses the Gitlab report Go bindings, so that all schemas are supported:

  • SAST
  • Secret scans
  • Dependency vulnerabilities
  • Container image scans
  • ...
> cldev att add --value pkg/attestation/crafter/materials/testdata/gl-sast-report.json
...
DBG added to state key=material-1726702768010409000
INF material kind detected kind=GITLAB_SECURITY_REPORT
INF material added to attestation
INF push completed
┌───────────────────┬──────────────────────────────────────┐
│ Initialized At    │ 18 Sep 24 23:54 UTC                  │
├───────────────────┼──────────────────────────────────────┤
│ Attestation ID    │ 3badba0b-808f-48f4-b1f2-8b79e3c10c51 │
│ Name              │ mywf                                 │
│ Team              │                                      │
│ Project           │ myproject                            │
│ Contract Revision │ 7                                    │
└───────────────────┴──────────────────────────────────────┘
┌────────────────────────────────────────────────────────────────────────────────────┐
│ Materials                                                                          │
├──────────┬─────────────────────────────────────────────────────────────────────────┤
│ Name     │ material-1726703690221133000                                            │
│ Type     │ GITLAB_SECURITY_REPORT                                                  │
│ Set      │ Yes                                                                     │
│ Required │ No                                                                      │
│ Value    │ gl-sast-report.json                                                     │
│ Digest   │ sha256:01b8e1eb13e5cc66e9c4dc9ae58439d3ca24b91adb8c373136ebd2019c3c1248 │
├──────────┼─────────────────────────────────────────────────────────────────────────┤
│ Name     │ material-1726703697961217000                                            │
│ Type     │ GITLAB_SECURITY_REPORT                                                  │
│ Set      │ Yes                                                                     │
│ Required │ No                                                                      │
│ Value    │ gl-container-scanning-report.json                                       │
│ Digest   │ sha256:0c8c2534a7ff1f1c6df81f752e5a58812f4753a9f3c2466c1b3e179aca723d77 │
└──────────┴─────────────────────────────────────────────────────────────────────────┘
Attestation Digest: sha256:1bb8f29a38648ffc6403818eeadc782f24329c0bd5b1338673820253b9cf0f99

Closes #1335

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis jiparis marked this pull request as ready for review September 19, 2024 07:49
@migmartri migmartri left a comment
Thanks

@@ -0,0 +1,68 @@
//
// Copyright 2023 The Chainloop Authors.
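Review bot: the license header on this newly added file (the hunk is `@@ -0,0 +1,68 @@`, so every line is new) reads 2023 while the PR was opened in September 2024; change it to `// Copyright 2024 The Chainloop Authors.` so the header matches the file's creation date.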
2024 :)

}

var glReport report.Report
if err = json.Unmarshal(data, &glReport); err != nil {
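Review bot: `json.Unmarshal(data, &glReport)` silently drops keys that have no field in `report.Report`, so any syntactically valid JSON object (a package.json, for instance) decodes without error here and only the later `glReport.Scan.Type == ""` check stands between it and being accepted as a GitLab report. Decode through `json.NewDecoder(bytes.NewReader(data))` with `dec.DisallowUnknownFields()` so foreign documents fail at this point, and consider also rejecting input that carries a second JSON value after the report.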
In a follow-up patch we could validate the document against their JSON schema, similarly to what we have done for CycloneDX. Do you mind creating an issue for that?


I decided to do it this way because they don't have a "base" schema, so we'd need to take one and remove the specifics from all the variants. Those differences are well located, though, so we can do it anyway.

return fmt.Errorf("error unmarshalling report file: %w", err)
}

if glReport.Scan.Type == "" {
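Review bot: `glReport.Scan.Type == ""` only rejects the empty string, so a document carrying `"scan": {"type": "anything"}` passes this check. Since the bindings cover every schema variant, compare the value against the scan types those schemas enumerate (sast, secret_detection, dependency_scanning, container_scanning, and the rest) and return an error that names the unexpected value, so that a truncated or foreign document is reported as such rather than stored as a GITLAB_SECURITY_REPORT material.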
You might also want to make sure that Scan is not nil.

@jiparis jiparis Sep 19, 2024

In this case Scan is not a pointer, so it always has a value.


var glReport report.Report
if err = json.Unmarshal(data, &glReport); err != nil {
return fmt.Errorf("error unmarshalling report file: %w", err)
What error do you get if you try to pass a random file as `--kind GITLAB_SECURITY_REPORT`?

Here, nothing. json.Unmarshal by default ignores all unknown fields. We'd need to create a custom decoder to fail on ignored fields. I'll try that before merging.
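To make the point of this exchange concrete, here is an added example written for this page (it is not chainloop's code and does not use the GitLab report Go bindings). `Report` and `ScanInfo` are a cut-down stand-in for the bindings' types, covering only the top level that the GitLab schemas share; the list in `knownScanTypes` is assumed from the GitLab schema enum and should be checked against the bindings in real code. `LenientDetect` reproduces the behaviour described above (an unrelated JSON object decodes cleanly and is caught, if at all, by the empty `scan.type`), while `StrictDetect` uses `json.Decoder` with `DisallowUnknownFields`, rejects trailing data after the first JSON value, and checks the scan type against the enum:

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// ScanInfo and Report are a minimal stand-in for the top level that all GitLab
// security report schemas share. This is an assumption made for the example;
// the real GitLab report Go bindings model every schema variant in full.
type ScanInfo struct {
	Analyzer  json.RawMessage `json:"analyzer"`
	Scanner   json.RawMessage `json:"scanner"`
	Type      string          `json:"type"`
	StartTime string          `json:"start_time"`
	EndTime   string          `json:"end_time"`
	Status    string          `json:"status"`
}

type Report struct {
	Version string   `json:"version"`
	Scan    ScanInfo `json:"scan"`
	// The per-schema specifics live in these arrays, so they are kept raw here.
	// Note that DisallowUnknownFields does not look inside json.RawMessage.
	Vulnerabilities []json.RawMessage `json:"vulnerabilities"`
	Remediations    []json.RawMessage `json:"remediations"`
	DependencyFiles []json.RawMessage `json:"dependency_files"`
}

// knownScanTypes lists the scan.type values the GitLab schemas enumerate
// (assumed here; compare against the bindings' own enum in real code).
var knownScanTypes = map[string]bool{
	"sast": true, "dast": true, "dependency_scanning": true,
	"container_scanning": true, "secret_detection": true,
	"coverage_fuzzing": true, "api_fuzzing": true, "cluster_image_scanning": true,
}

// LenientDetect mirrors plain json.Unmarshal: unknown keys are dropped, so an
// unrelated JSON object decodes without error and only a later check on
// Scan.Type can catch it.
func LenientDetect(data []byte) (string, error) {
	var r Report
	if err := json.Unmarshal(data, &r); err != nil {
		return "", err
	}
	return r.Scan.Type, nil
}

// StrictDetect rejects documents that are not GitLab security reports: unknown
// top-level or scan-level keys, a second JSON value after the report, a
// missing scan.type and a scan.type outside the enum all return an error.
func StrictDetect(data []byte) (string, error) {
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.DisallowUnknownFields()
	var r Report
	if err := dec.Decode(&r); err != nil {
		return "", fmt.Errorf("not a GitLab security report: %w", err)
	}
	// After one complete value only EOF may follow; anything else is trailing data.
	if _, err := dec.Token(); err != io.EOF {
		return "", errors.New("not a GitLab security report: trailing data after document")
	}
	if r.Scan.Type == "" {
		return "", errors.New("not a GitLab security report: scan.type is missing")
	}
	if !knownScanTypes[r.Scan.Type] {
		return "", fmt.Errorf("not a GitLab security report: unexpected scan.type %q", r.Scan.Type)
	}
	return r.Scan.Type, nil
}

// Constructed sample inputs for the example; none of them is real scanner output.
var (
	SampleSAST    = []byte(`{"version":"15.0.7","scan":{"analyzer":{"id":"semgrep","name":"Semgrep","version":"1.0.0"},"scanner":{"id":"semgrep","name":"Semgrep","version":"1.0.0"},"type":"sast","start_time":"2024-09-18T23:50:00","end_time":"2024-09-18T23:51:00","status":"success"},"vulnerabilities":[{"id":"1","name":"Hardcoded credential","severity":"High","location":{"file":"main.go","start_line":12}}]}`)
	SampleRandom  = []byte(`{"name":"not-a-report","dependencies":{"left-pad":"1.3.0"}}`)
	SampleBadType = []byte(`{"version":"15.0.7","scan":{"type":"lint","status":"success"},"vulnerabilities":[]}`)
)

func main() {
	inputs := map[string][]byte{"sast": SampleSAST, "random": SampleRandom, "badtype": SampleBadType}
	for name, in := range inputs {
		lt, lerr := LenientDetect(in)
		st, serr := StrictDetect(in)
		fmt.Printf("%-8s lenient=(%q, %v) strict=(%q, %v)\n", name, lt, lerr, st, serr)
	}
}
```

Running it shows the difference the thread is about: the random document comes back from `LenientDetect` as `("", nil)`, i.e. no error at all, while `StrictDetect` fails it with `json: unknown field "name"`. Two caveats follow from the design: a strict decoder needs a struct that covers every legitimate field, which is why the full bindings (or schema validation) matter, and `json.RawMessage` fields are opaque to `DisallowUnknownFields`, so whatever is kept raw is not checked.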

@javirln javirln left a comment

Once we validate against the JSON schemas we might need to rethink whether the Go library is still needed.

Awesome Jose thanks 😬

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis jiparis merged commit 2b688f1 into chainloop-dev:main Sep 19, 2024
@jiparis jiparis deleted the pfm-1243-1335 branch September 19, 2024 11:49
Development

Successfully merging this pull request may close these issues.

feature: support Gitlab Application Security report formats