Integrate with external SAST - security tab is not displayed

Hi,

I am trying to integrate GitLab with another SAST solution. I configured the pipeline this way:

```yaml
pipeline scan:
  stage: scan
  dependencies:
    - build_job
  artifacts:
    name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_pipeline-results
    paths:
      - results.json
      - veracode_gitlab_vulnerabilities.json
    reports:
      sast: veracode_gitlab_vulnerabilities.json
    expire_in: 1 week
    when: always
  script:
    - curl -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
    - unzip pipeline-scan-LATEST.zip pipeline-scan.jar
    - java -jar pipeline-scan.jar
      --veracode_api_id "${VERACODE_API_ID}"
      --veracode_api_key "${VERACODE_API_SECRET}"
      --file "build/libs/sample.jar"
      --fail_on_severity="Very High, High"
      --fail_on_cwe="80"
      --baseline_file "${CI_BASELINE_PATH}"
      --timeout "${CI_TIMEOUT}"
      --project_name "${CI_PROJECT_PATH}"
      --project_url "${CI_REPOSITORY_URL}"
      --project_ref "${CI_COMMIT_REF_NAME}"
      --gl_vulnerability_generation true
```

The most important lines for the GitLab integration are:

```
--gl_vulnerability_generation true
```

which asks the Veracode tool to generate the report in the GitLab format, and

```yaml
reports:
  sast: veracode_gitlab_vulnerabilities.json
```

which points to the report file as the source for SAST. After that I expect to see a new tab with the list of the discovered issues, but it's not happening in my case.

I am expecting to see the "security" tab (screenshot taken from some tutorial):

but in my case I don't see this tab:

GitLab report content:

```json
{
  "version": "14.1.1",
  "vulnerabilities": [
    {
      "id": "9fa5db50-0ef7-3df7-8629-73ceae66c352",
      "cve": "9fa5db50-0ef7-3df7-8629-73ceae66c352",
      "category": "sast",
      "name": "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",
      "message": "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",
      "description": "This call to eval() contains untrusted input or potentially untrusted data. If this input could be modified by an attacker, arbitrary JS code could be executed. Validate all untrusted and untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. In general, avoid executing code derived from untrusted input. ",
      "severity": "Critical",
      "confidence": "High",
      "flaw_details_link": "https://downloads.veracode.com/securityscan/cwe/v4/java/95.html",
      "scanner": {
        "id": "veracode_ps",
        "name": "Veracode Pipeline Scan"
      },
      "location": {
        "file": "/src/main/webapp/WEB-INF/views/login.jsp",
        "start_line": 39,
        "end_line": 39,
        "class": "UNKNOWN",
        "method": "!main",
        "dependency": {
          "package": {
          }
        }
      },
      "identifiers": [
        {
          "type": "CWE",
          "name": "CWE-95",
          "value": "95",
          "url": "https://cwe.mitre.org/data/definitions/95.html"
        }
      ]
    }
  ]
}
```

My ideas about why this may happen:

  • In the company we are using a Premium GitLab license; do we need an Enterprise license to see this "security" tab?
  • Maybe it's a problem with some permissions?
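A small lint for the report artifact, added here as an example and not code from the post, Veracode or GitLab: it checks the structural requirements of GitLab's SAST report schema that the sample above has to satisfy (required keys and GitLab's severity enum), so a malformed artifact can be ruled out before looking at licensing or permissions. The function name, the field lists and the constructed sample report are mine; the "scan" object is left unchecked because it only became mandatory in later schema versions.

```python
import json

# Required fields per GitLab's SAST report schema for the v14.x version the
# sample report declares. Severity values are GitLab's own enum: a Veracode
# style "Very High" in the artifact would not match it.
REQUIRED_TOP = ("version", "vulnerabilities")
REQUIRED_VULN = ("id", "category", "name", "message", "description",
                 "severity", "scanner", "location", "identifiers")
REQUIRED_SCANNER = ("id", "name")
REQUIRED_IDENTIFIER = ("type", "name", "value")
SEVERITIES = {"Info", "Unknown", "Low", "Medium", "High", "Critical"}


def lint_sast_report(text):
    """Return a list of problems; empty means GitLab should be able to ingest it."""
    try:
        report = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    problems = [f"missing top-level field '{k}'"
                for k in REQUIRED_TOP if k not in report]
    for i, vuln in enumerate(report.get("vulnerabilities", [])):
        where = f"vulnerabilities[{i}]"
        problems += [f"{where}: missing '{k}'"
                     for k in REQUIRED_VULN if k not in vuln]
        if vuln.get("severity") not in SEVERITIES:
            problems.append(f"{where}: unknown severity {vuln.get('severity')!r}")
        problems += [f"{where}.scanner: missing '{k}'"
                     for k in REQUIRED_SCANNER if k not in vuln.get("scanner", {})]
        if not vuln.get("identifiers"):
            problems.append(f"{where}: identifiers must be a non-empty list")
        for j, ident in enumerate(vuln.get("identifiers") or []):
            problems += [f"{where}.identifiers[{j}]: missing '{k}'"
                         for k in REQUIRED_IDENTIFIER if k not in ident]
    return problems


# Constructed sample mirroring the shape of the report quoted in the post.
SAMPLE_REPORT = json.dumps({"version": "14.1.1", "vulnerabilities": [{
    "id": "9fa5db50-0ef7-3df7-8629-73ceae66c352", "category": "sast",
    "name": "Eval Injection", "message": "Eval Injection",
    "description": "This call to eval() contains untrusted input.",
    "severity": "Critical", "confidence": "High",
    "scanner": {"id": "veracode_ps", "name": "Veracode Pipeline Scan"},
    "location": {"file": "/src/main/webapp/WEB-INF/views/login.jsp",
                 "start_line": 39, "end_line": 39},
    "identifiers": [{"type": "CWE", "name": "CWE-95", "value": "95"}]}]})
```

Run it against the artifact the job uploads (`lint_sast_report(open("veracode_gitlab_vulnerabilities.json").read())`); an empty list means the missing tab is not a report-format problem.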

@jhrom Welcome to the community.

  • In the company we are using a Premium GitLab license; do we need an Enterprise license to see this "security" tab?

Viewing vulnerabilities in a pipeline is an Ultimate only feature. Since you are using GitLab Premium, it will not be visible. Hope it answers your question :slight_smile:

Thanks

Thank you! I’ll forward your answer to our team.