-
-
Notifications
You must be signed in to change notification settings - Fork 1.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
add report format "GitLab", which conforms to [1] and can be consumed by gitlab to generate SAST vulnerability reports [2]., [1] https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v15.0.6/dist/dependency-scanning-report-format.json?ref_type=tags [2] https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#reports-json-format
- Loading branch information
Showing
2 changed files
with
149 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,137 @@ | ||
| { | ||
| "version": "15.0.6", | ||
| "schema": "https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v15.0.6/dist/dependency-scanning-report-format.json?ref_type=tags", ##todo | ||
| "scan": { | ||
| ## this describes the tool responsible for scanning | ||
| "scanner": { | ||
| "id": "org.owasp.dependency-check", | ||
| "name": "Dependency-Check Core", | ||
| "version": "$enc.json($version)", | ||
| "vendor": { | ||
| "name": "OWASP" | ||
| }, | ||
|
|
||
| ## optional properties | ||
| "url": "https://github.com/jeremylong/DependencyCheck/" | ||
| }, | ||
| ## this describes the tool responsible for interpreting the scan result | ||
| ## in our case it's the same as the scanner | ||
| "analyzer": { | ||
| "id": "org.owasp.dependency-check", | ||
| "name": "Dependency-Check Core", | ||
| "version": "$enc.json($version)", | ||
| "vendor": { | ||
| "name": "OWASP" | ||
| }, | ||
|
|
||
| ## optional properties | ||
| "url": "https://github.com/jeremylong/DependencyCheck/" | ||
| }, | ||
|
|
||
| "end_time": "$enc.json($scanDateGitLab)", | ||
| ## we don't acutally have the real start time, so this is the best we can do | ||
| "start_time": "$enc.json($scanDateGitLab)", | ||
| ## we only generate a scan report, if the scan has successfully finished | ||
| "status": #if($exceptions) "failure" #else "success" #end , | ||
| ## this is the only type of scan there is according to the format definition | ||
| "type": "dependency_scanning" | ||
|
|
||
| ## optional properties | ||
| ## "messages": [], --> not implemented | ||
| ##"options": [], --> not implemented | ||
| ##"primary_identifiers": [], --> not implemented | ||
| }, | ||
| "vulnerabilities": [ | ||
| #set( $vulnerability_first = true ) | ||
| #foreach( $dependency in $dependencies ) | ||
| #if( $dependency.vulnerabilities.size() != 0 ) | ||
| #foreach( $vulnerability in $dependency.getVulnerabilities(true) ) | ||
| ## make sure to insert comma between array elements | ||
| #if( $vulnerability_first == true ) | ||
| #set( $vulnerability_first = false ) | ||
| #else | ||
| , | ||
| #end | ||
| ## ((List<Dependency>)context.get("dependencies")).get(5).getVulnerabilities().stream().collect(Collectors.toList()).get(0) | ||
| { | ||
| "id": "$enc.json($vulnerability.name)", ##todo | ||
| "identifiers": [ | ||
| #foreach( $ref in $vulnerability.getReferences(true) ) | ||
| { | ||
| "type": "$enc.json($ref.source)", | ||
| "name": "$enc.json($ref.name)", | ||
| "value": "$enc.json($ref.name)", | ||
|
|
||
| ## optional properties | ||
| "url": "$enc.json($ref.url)" | ||
| } | ||
| #if( $foreach.hasNext ),#end | ||
| #end | ||
| ], | ||
| "location": { | ||
| "file": "$enc.json($dependency.filePath)", | ||
| "dependency": { | ||
| "package": { | ||
| "name": "$enc.json($dependency.name)" | ||
| }, | ||
| "version": "$enc.json($dependency.version)" | ||
| ## optional properties | ||
| ## "iid": "", --> not implemented | ||
| ## "direct": false, --> not implemented | ||
| ## we don't have a good way of assigning iids, so this won't work | ||
| ##"dependency_path": [ | ||
| ## #foreach( $inc in $dependency.includedBy ) | ||
| ## { | ||
| ## "iid": | ||
| ## } | ||
| ## #if( $foreach.hasNext ),#end | ||
| ## #end | ||
| ##] | ||
| } | ||
| }, | ||
|
|
||
| ## optional properties | ||
| "name": "$enc.json($vulnerability.name)", | ||
| "description": "$enc.json($vulnerability.description)", | ||
| "severity": "$enc.json($vulnerability.cvssV3.getBaseSeverity())", | ||
| ## we have to include this field to be compliant with the format spec | ||
| "solution": "" ## todo: not in our dataset? | ||
|
|
||
| ## "links": [], --> not implemented | ||
| ## "details": [], --> not implemented | ||
| ## "tracking": {}, --> not implemented | ||
| ## "flags": [], --> not implemented. | ||
| } | ||
| #end | ||
| #end | ||
| #end | ||
| ], | ||
| "dependency_files": [ | ||
| ## for lack of better knowledge, we just assume we have only scanned a single pom.xml file… | ||
| { | ||
| "path": "pom.xml", | ||
| "package_manager": "maven", | ||
| "dependencies": [ | ||
| #foreach( $dependency in $dependencies ) | ||
| { | ||
| "package": { | ||
| "name": "$enc.json($dependency.name)" | ||
| }, | ||
| "version": "$enc.json($dependency.version)" | ||
|
|
||
| ## optional properties | ||
| ## "iid": number, --> not implemtend | ||
| ##"direct": false, --> not implemeten | ||
| ##"dependency_path": [] --> not implemented | ||
| } | ||
| #if( $foreach.hasNext ),#end | ||
| #end | ||
| ] | ||
| ## no optional properties | ||
| } | ||
| ], | ||
|
|
||
| ## optional properties | ||
| "remediations": [], ## not implemented | ||
|
|
||
| } |