Module: Enums::Vulnerability

Defined in:
app/models/concerns/enums/vulnerability.rb

Constant Summary

# Confidence that a finding is a true positive, as an integer enum code.
#
# Values ascend with confidence (ignore < unknown < ... < confirmed), so
# numeric comparison of codes is meaningful. Code 0 (`undefined`) was retired
# and must not be reused. Keys are looked up by string or symbol alike
# (indifferent access) and the hash is frozen.
# NOTE(review): these codes are presumably persisted in the database (see the
# index note on VULNERABILITY_STATES) — do not renumber existing entries.
# Unrecognised input is mapped to `unknown` by parse_confidence_level.
CONFIDENCE_LEVELS =
{
  # undefined: 0, no longer applicable
  ignore: 1,
  unknown: 2,
  experimental: 3,
  low: 4,
  medium: 5,
  high: 6,
  confirmed: 7
}.with_indifferent_access.freeze
# Kinds of security report this module knows about, as integer enum codes.
#
# Codes 1–3 are deliberately absent here; presumably they are taken by report
# types defined elsewhere (confirm before assigning a new code, and never reuse
# a gap). Frozen, indifferent access.
REPORT_TYPES =
{
  sast: 0,
  secret_detection: 4
}.with_indifferent_access.freeze
# Severity of a finding, as an integer enum code ascending with impact.
#
# `unknown` (2) sits between `info` and `low`, so a finding whose severity
# could not be parsed (parse_severity_level falls back to `unknown`) is never
# ranked as high or critical by accident. Codes 0 (`undefined`) and 3
# (`experimental`, a former confidence value) are retired and must not be
# reused; the remaining codes line up 1:1 with CONFIDENCE_LEVELS.
# NOTE(review): presumably persisted in the database — do not renumber.
SEVERITY_LEVELS =
{
  # undefined: 0, no longer applicable
  info: 1,
  unknown: 2,
  # experimental: 3, formerly used by confidence, no longer applicable
  low: 4,
  medium: 5,
  high: 6,
  critical: 7
}.with_indifferent_access.freeze
# How a vulnerability was found, as an integer enum code.
#
# `gitlab_security_report` is 0; whether that is also the column default is
# not visible here — confirm against the schema. Append new methods with the
# next free code; never renumber. Frozen, indifferent access.
DETECTION_METHODS =
{
  gitlab_security_report: 0,
  external_security_report: 1,
  bug_bounty: 2,
  code_review: 3,
  security_audit: 4
}.with_indifferent_access.freeze
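# Persisted state of a vulnerability record, as an integer enum code.
#
# Keep the entries in exactly this order: it is used by the `state_order`
# method to sort vulnerabilities by state, and that order (presumably the
# hash's insertion order — confirm in state_order) is deliberately not the
# numeric order of the codes (detected, confirmed, resolved, dismissed).
#
# Whenever this enum is changed or extended, recreate the
# `index_vulnerabilities_on_state_case_id` index so the database ordering
# stays in sync with this definition. Never renumber existing entries.
# Frozen, indifferent access.
VULNERABILITY_STATES =
{
  detected: 1,
  confirmed: 4,
  resolved: 3,
  dismissed: 2
}.with_indifferent_access.freeze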
# OWASP Top 10 category identifiers, grouped by edition year, mapped to a
# small integer code.
#
# Codes are unique across years (2017 uses 1–10, 2021 uses 11–20) so the
# merged OWASP_TOP_10 map never collides. For 2021 both the zero-padded
# ("A01:2021-…") and unpadded ("A1:2021-…") spellings map to the same code,
# as a temporary measure tracked in the linked issue; "A10:2021" needs no
# second spelling. Keys are matched exactly — no case or whitespace
# normalisation happens here, so callers looking up an externally supplied
# identifier must normalise it first.
OWASP_TOP_10_BY_YEAR =
{
  '2017' => {
    "A1:2017-Injection" => 1,
    "A2:2017-Broken Authentication" => 2,
    "A3:2017-Sensitive Data Exposure" => 3,
    "A4:2017-XML External Entities (XXE)" => 4,
    "A5:2017-Broken Access Control" => 5,
    "A6:2017-Security Misconfiguration" => 6,
    "A7:2017-Cross-Site Scripting (XSS)" => 7,
    "A8:2017-Insecure Deserialization" => 8,
    "A9:2017-Using Components with Known Vulnerabilities" => 9,
    "A10:2017-Insufficient Logging & Monitoring" => 10
  },
  '2021' => {
    # 2021 switched to zero-padded identifiers, previous mapping is temporary
    # to be fixed with https://gitlab.com/gitlab-org/gitlab/-/issues/429565
    "A1:2021-Broken Access Control" => 11,
    "A01:2021-Broken Access Control" => 11,
    "A2:2021-Cryptographic Failures" => 12,
    "A02:2021-Cryptographic Failures" => 12,
    "A3:2021-Injection" => 13,
    "A03:2021-Injection" => 13,
    "A4:2021-Insecure Design" => 14,
    "A04:2021-Insecure Design" => 14,
    "A5:2021-Security Misconfiguration" => 15,
    "A05:2021-Security Misconfiguration" => 15,
    "A6:2021-Vulnerable and Outdated Components" => 16,
    "A06:2021-Vulnerable and Outdated Components" => 16,
    "A7:2021-Identification and Authentication Failures" => 17,
    "A07:2021-Identification and Authentication Failures" => 17,
    "A8:2021-Software and Data Integrity Failures" => 18,
    "A08:2021-Software and Data Integrity Failures" => 18,
    "A9:2021-Security Logging and Monitoring Failures" => 19,
    "A09:2021-Security Logging and Monitoring Failures" => 19,
    "A10:2021-Server-Side Request Forgery" => 20
  }
}.freeze
# Flat identifier → code map across every edition in OWASP_TOP_10_BY_YEAR.
# Later editions would win on duplicate keys, but the year embedded in each
# identifier means none collide. Frozen, indifferent access.
OWASP_TOP_10 =
OWASP_TOP_10_BY_YEAR.each_value.reduce({}) { |merged, by_identifier| merged.merge(by_identifier) }.with_indifferent_access.freeze
# The short category labels ("A1", "A01", "A10", …) — the part of each
# OWASP_TOP_10 identifier before the first ':'. Because 2021 is listed in
# both padded and unpadded form, "A1" and "A01" appear as separate entries.
OWASP_CATEGORIES =
OWASP_TOP_10.each_key.map { |identifier| identifier.split(':').first }.uniq.freeze
# Edition years ('2017', '2021', …) as strings, in definition order; frozen.
OWASP_YEARS =
OWASP_TOP_10_BY_YEAR.each_key.to_a.freeze
# Feature-category label for each report type in REPORT_TYPES.
#
# Unlike the maps above this one is only frozen, NOT converted with
# `with_indifferent_access`: look it up with symbol keys (`[:sast]`);
# `['sast']` returns nil. Keep its keys in step with REPORT_TYPES.
REPORT_TYPE_FEATURE_CATEGORIES =
{
  sast: 'static_application_security_testing',
  secret_detection: 'secret_detection'
}.freeze


Class Method Details

.confidence_levels ⇒ Object



# File 'app/models/concerns/enums/vulnerability.rb', line 99

# Confidence-level enum map (see CONFIDENCE_LEVELS). Frozen, indifferent access.
#
# @return [ActiveSupport::HashWithIndifferentAccess{String=>Integer}]
def self.confidence_levels
  CONFIDENCE_LEVELS
end

.detection_methods ⇒ Object



# File 'app/models/concerns/enums/vulnerability.rb', line 119

# Detection-method enum map (see DETECTION_METHODS). Frozen, indifferent access.
#
# @return [ActiveSupport::HashWithIndifferentAccess{String=>Integer}]
def self.detection_methods
  DETECTION_METHODS
end

.owasp_categories ⇒ Object



# File 'app/models/concerns/enums/vulnerability.rb', line 131

# Short OWASP category labels ("A1", "A01", …) across all editions
# (see OWASP_CATEGORIES). Frozen array.
#
# @return [Array<String>]
def self.owasp_categories
  OWASP_CATEGORIES
end

.owasp_top_10 ⇒ Object



# File 'app/models/concerns/enums/vulnerability.rb', line 127

# Flat OWASP identifier → code map across all editions (see OWASP_TOP_10).
# Keys are matched exactly; normalise externally supplied identifiers first.
#
# @return [ActiveSupport::HashWithIndifferentAccess{String=>Integer}]
def self.owasp_top_10
  OWASP_TOP_10
end

.owasp_years ⇒ Object



# File 'app/models/concerns/enums/vulnerability.rb', line 135

# OWASP Top 10 edition years known here, as strings (see OWASP_YEARS).
#
# @return [Array<String>]
def self.owasp_years
  OWASP_YEARS
end

.parse_confidence_level(input) ⇒ String, Symbol



# File 'app/models/concerns/enums/vulnerability.rb', line 103

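# Normalise an externally supplied confidence value into a CONFIDENCE_LEVELS key.
#
# @param input [String, Symbol, nil] raw confidence value, in any case
# @return [String, Symbol] the lower-cased input when it names a known level,
#   otherwise 'unknown'. Input that cannot be lower-cased (nil, numbers, other
#   objects) also yields 'unknown' rather than raising, so malformed or hostile
#   input can neither crash the caller nor smuggle in an unlisted level.
#
# NOTE: previously `input&.downcase.then { ... }` short-circuited the whole
# chain on nil, returning nil instead of 'unknown'; nil now falls back too.
def self.parse_confidence_level(input)
  return 'unknown' unless input.respond_to?(:downcase)

  value = input.downcase
  confidence_levels.key?(value) ? value : 'unknown'
end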

.parse_severity_level(input) ⇒ String, Symbol



# File 'app/models/concerns/enums/vulnerability.rb', line 115

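# Normalise an externally supplied severity value into a SEVERITY_LEVELS key.
#
# @param input [String, Symbol, nil] raw severity value, in any case
# @return [String, Symbol] the lower-cased input when it names a known level,
#   otherwise 'unknown' — which SEVERITY_LEVELS ranks below 'low', so bad input
#   is never promoted to a high severity. Input that cannot be lower-cased
#   (nil, numbers, other objects) also yields 'unknown' rather than raising.
#
# NOTE: previously `input&.downcase.then { ... }` short-circuited the whole
# chain on nil, returning nil instead of 'unknown'; nil now falls back too.
def self.parse_severity_level(input)
  return 'unknown' unless input.respond_to?(:downcase)

  value = input.downcase
  severity_levels.key?(value) ? value : 'unknown'
end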

.report_type_feature_categories ⇒ Object



# File 'app/models/concerns/enums/vulnerability.rb', line 139

# Report type → feature-category label (see REPORT_TYPE_FEATURE_CATEGORIES).
# Plain frozen Hash with symbol keys only — `['sast']` returns nil.
#
# @return [Hash{Symbol=>String}]
def self.report_type_feature_categories
  REPORT_TYPE_FEATURE_CATEGORIES
end

.report_types ⇒ Object



# File 'app/models/concerns/enums/vulnerability.rb', line 107

# Report-type enum map (see REPORT_TYPES). Frozen, indifferent access.
#
# @return [ActiveSupport::HashWithIndifferentAccess{String=>Integer}]
def self.report_types
  REPORT_TYPES
end

.severity_levels ⇒ Object



# File 'app/models/concerns/enums/vulnerability.rb', line 111

# Severity enum map (see SEVERITY_LEVELS). Frozen, indifferent access.
#
# @return [ActiveSupport::HashWithIndifferentAccess{String=>Integer}]
def self.severity_levels
  SEVERITY_LEVELS
end

.vulnerability_states ⇒ Object



# File 'app/models/concerns/enums/vulnerability.rb', line 123

# State enum map (see VULNERABILITY_STATES). Entry order is significant for
# state_order; do not reorder or renumber. Frozen, indifferent access.
#
# @return [ActiveSupport::HashWithIndifferentAccess{String=>Integer}]
def self.vulnerability_states
  VULNERABILITY_STATES
end