Viewing Vulnerabilities in the MR #
In this lab, we will go over how Vulnerabilities can be viewed as well as the information and actions available to a user. We are going to add some vulnerable code to a feature branch and then the scanners will run and display the found vulnerabilities.
The scanners run on a feature branch and display results within the MR, and if the MR is merged, the scans also run on the feature branch in order to populate the vulnerability reports. It can be seen here in a typical Software Development Lifecycle (SDLC).
Step 1: Adding Vulnerable Code #
Now let’s go ahead and add some vulnerabilities. We will make sure that something can be picked up by each type of scanner.
- Open the WebIDE from the project page
Note: To learn more about the GitLab Web IDE and how to use/configure it, checkout the Web IDE documentation
- Copy over the changes found in this Merge Request
Note: I’ll try to keep it up-to-date and re-based, if it isn’t open up an issue within the project
Click on the Source Control Tab on the left of the Web IDE. It looks as follows:
Click on the Commit & Push Button
In the Commit to new branch? dialog box, select Yes Commit to a new branch
Enter a branch name and press enter
On the bottom right of the screen a popup will appear, click on the Create MR button
Note: If you missed the popup you can create a merge request from the project’s merge request tab.
- Scroll down through the MR template and click on the Create merge request button
Now let’s wait for the pipeline to complete, this should take a few mins - so grab a coffee ☕️ or tea 🍵, or whatever you like! If the pipeline happens to fail, please checkout the troubleshooting documentation
Note: You won’t need to press the play button to deploy, it is done automatically since the branch created is not the default branch.
Step 2: Viewing Vulnerable Code #
Now we can view the vulnerabilities after the pipeline started above has completely run. Let’s dig into the vulnerabilities and perform some actions on them.
Go to the merge request created in Step one.
Within the merge request, press Expand on the Security Scans
Click on any of the detected vulnerabilities
Within the popup, dismiss the Vulnerability by clicking Dismiss vulnerability
Note: This allows AppSec teams to see what developers are dismissing as well as why. If this MR were to be merged, then the vulnerability will automatically be tagged as dismissed in the vulnerability report
Click on the same vulnerability
Click on Create issue
Note: This creates a confidential issue to allow developers and the security team to work together to resolve without showing information of the vulnerability to others
- Now let’s go back to the Merge Request by pressing the back button on your browser
Step 3: Viewing Denied Licenses #
Within the same MR view, we can see the licenses that were detected. You’ll be able to see which licenses are approved and denied according to the policy we set in an earlier lab.
Within the merge request expand the license section
See that the GNU Affero General Public License v3 or later (AGPLv3+) has been denied
Step 4: Viewing the Security Guardrails #
Click view eligible approvers
You should see that the merge request approvals are active
Note: We won’t be able to merge because the security approvals are present and there are vulnerabilities. If you want to merge this, you either need to resolve the vulnerabilities (which doesn’t make sense in this context, since the code is meant to introduce vulnerabilities) or remove the security approvals and reload the MR pipeline.
Merging the code will add the new results to the vulnerability reports and dashboard.
Congratulations! You have now successfully viewed vulnerabilities within an MR and the details to their resolution.