Hi,
I am trying to integrate GitLab with another SAST solution; I configured the pipeline this way:
```yaml
pipeline scan:
  stage: scan
  dependencies:
    - build_job
  artifacts:
    name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_pipeline-results
    paths:
      - results.json
      - veracode_gitlab_vulnerabilities.json
    reports:
      sast: veracode_gitlab_vulnerabilities.json
    expire_in: 1 week
    when: always
  script:
    - curl -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
    - unzip pipeline-scan-LATEST.zip pipeline-scan.jar
    - java -jar pipeline-scan.jar
        --veracode_api_id "${VERACODE_API_ID}"
        --veracode_api_key "${VERACODE_API_SECRET}"
        --file "build/libs/sample.jar"
        --fail_on_severity="Very High, High"
        --fail_on_cwe="80"
        --baseline_file "${CI_BASELINE_PATH}"
        --timeout "${CI_TIMEOUT}"
        --project_name "${CI_PROJECT_PATH}"
        --project_url "${CI_REPOSITORY_URL}"
        --project_ref "${CI_COMMIT_REF_NAME}"
        --gl_vulnerability_generation true
```
The most important lines for the GitLab integration are:

```
--gl_vulnerability_generation true
```

which asks the Veracode tool to generate the report in the GitLab format, and

```yaml
reports:
  sast: veracode_gitlab_vulnerabilities.json
```

which points to the report file as the source for SAST. After that I expect to see a new tab with the list of the discovered issues, but it’s not happening in my case.
Expecting to see the “security” tab (screenshot taken from some tutorial):
but in my case I don’t see this tab:
GL report content:

```json
{
  "version": "14.1.1",
  "vulnerabilities": [
    {
      "id": "9fa5db50-0ef7-3df7-8629-73ceae66c352",
      "cve": "9fa5db50-0ef7-3df7-8629-73ceae66c352",
      "category": "sast",
      "name": "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",
      "message": "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",
      "description": "This call to eval() contains untrusted input or potentially untrusted data. If this input could be modified by an attacker, arbitrary JS code could be executed. Validate all untrusted and untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. In general, avoid executing code derived from untrusted input. ",
      "severity": "Critical",
      "confidence": "High",
      "flaw_details_link": "https://downloads.veracode.com/securityscan/cwe/v4/java/95.html",
      "scanner": {
        "id": "veracode_ps",
        "name": "Veracode Pipeline Scan"
      },
      "location": {
        "file": "/src/main/webapp/WEB-INF/views/login.jsp",
        "start_line": 39,
        "end_line": 39,
        "class": "UNKNOWN",
        "method": "!main",
        "dependency": {
          "package": {}
        }
      },
      "identifiers": [
        {
          "type": "CWE",
          "name": "CWE-95",
          "value": "95",
          "url": "https://cwe.mitre.org/data/definitions/95.html"
        }
      ]
    }
  ]
}
```
My ideas why it may happen:
- In the company we are using a Premium GitLab license; do we need an Enterprise license to see this ‘security’ tab?
- Maybe it’s a problem with some permissions?
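A quick pre-flight check of the report file before the job uploads it, so a malformed file can be ruled out as the reason the tab is missing (added example, not Veracode's or GitLab's code; the required fields and severity values are an assumption based on my reading of GitLab's SAST report schema v14.x, and the sample finding is trimmed from the report in the post):

```python
import json

# Assumption: required fields and severity values follow my reading of GitLab's SAST report schema v14.x.
SEVERITIES = {"Info", "Unknown", "Low", "Medium", "High", "Critical"}
REQUIRED_VULN_KEYS = ("id", "category", "scanner", "location", "identifiers")

def check_sast_report(report: dict) -> list:
    """Return the problems found; an empty list means the report passed every check."""
    errors = [] if isinstance(report.get("version"), str) else ["top-level 'version' must be a string"]
    vulns = report.get("vulnerabilities")
    if not isinstance(vulns, list):
        return errors + ["top-level 'vulnerabilities' must be a list"]
    for i, v in enumerate(vulns):
        where = f"vulnerabilities[{i}]"
        errors += [f"{where}: missing '{k}'" for k in REQUIRED_VULN_KEYS if k not in v]
        if v.get("category") != "sast":
            errors.append(f"{where}: category must be 'sast' in a sast report")
        if v.get("severity") not in SEVERITIES:
            errors.append(f"{where}: unknown severity {v.get('severity')!r}")
        scanner = v.get("scanner") or {}
        if not (scanner.get("id") and scanner.get("name")):
            errors.append(f"{where}: scanner needs non-empty 'id' and 'name'")
        loc = v.get("location") or {}
        if not loc.get("file") or not isinstance(loc.get("start_line"), int):
            errors.append(f"{where}: location needs 'file' and an integer 'start_line'")
        ids = v.get("identifiers") or []
        if not ids or any(not isinstance(x, dict) or not {"type", "name", "value"} <= set(x) for x in ids):
            errors.append(f"{where}: identifiers must be a non-empty list of type/name/value")
    return errors

def check_report_file(path: str) -> list:
    """Run the checks on the file the scanner wrote, e.g. veracode_gitlab_vulnerabilities.json."""
    with open(path, encoding="utf-8") as fh:
        return check_sast_report(json.load(fh))

# Constructed sample: one finding, trimmed from the report shown in the post.
SAMPLE_REPORT = {
    "version": "14.1.1",
    "vulnerabilities": [{
        "id": "9fa5db50-0ef7-3df7-8629-73ceae66c352", "category": "sast",
        "name": "Eval Injection", "message": "Eval Injection",
        "description": "This call to eval() contains untrusted input.",
        "severity": "Critical", "confidence": "High",
        "scanner": {"id": "veracode_ps", "name": "Veracode Pipeline Scan"},
        "location": {"file": "/src/main/webapp/WEB-INF/views/login.jsp",
                     "start_line": 39, "end_line": 39},
        "identifiers": [{"type": "CWE", "name": "CWE-95", "value": "95",
                         "url": "https://cwe.mitre.org/data/definitions/95.html"}],
    }],
}
```

Call `check_report_file("veracode_gitlab_vulnerabilities.json")` as an extra script step right after the scan and print the result into the job log; a non-empty list is a reason to suspect the file before the licence or permissions.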