
Spike: Investigate failure to send expected Slack Notifications for all vulnerabilities when a slack notification webhook is configured

Description

In #348467 (closed) it was noted that not all vulnerabilities detected by a scanner are being reported by the Slack notification webhook as expected. The purpose of this spike is to investigate what in the code is resulting in this loss of notifications.

@minac suspected the integration_data of the vulnerabilities might be resulting in a deduplication of vulnerability processing jobs, but this does not appear to be the case. Refer to #348467 (comment 1023006947) for further detail.

We should additionally investigate whether this issue affects other integrations, such as Mattermost, or whether it is isolated to Slack alone.

Testing Instructions

  1. Create a new project
  2. Navigate to Settings -> Integrations -> Slack Notifications, enable the Vulnerability checkbox, and place your testing Slack Webhook in the Webhook field. (This may require you to configure a testing Slack workspace. Alternatively, I (@ghavenga) can invite you to one that I've been using for convenience's sake.)
  3. Push a repository with known vulnerabilities and a .gitlab-ci.yml configuration that will scan for them to this project. I recommend https://gitlab.com/gitlab-examples/security/security-reports for a healthy array of vulnerabilities, but for testing related to the source of this issue, you could alternatively use https://gitlab.com/ghavenga/slack-notification-test, which attempts to replicate the reported issue's code and configuration.
  4. Wait for the CI to run and for your notifications to arrive in the testing Slack workspace.

Expected Outcome

As noted in my testing here, 1332 vulnerabilities were detected in my configuration of the crAPI repo and .gitlab-ci.yml scanners, but only 337 Slack notifications were received. Assuming there is not some significant overlap in the findings that would result in a substantial deduplication, one would likely expect 1332 Slack notifications for vulnerabilities.
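To check how much of the gap deduplication alone could explain, the following added script (not part of this issue or of GitLab's code) counts raw and deduplicated findings in a security report; the dedup key is an assumed approximation of GitLab's finding fingerprint (primary identifier plus file/line), and the report is constructed sample data in the shape of a gl-sast-report.json.

```python
import json
from collections import Counter

# Constructed sample in the shape of a GitLab security report
# ("vulnerabilities" array of gl-sast-report.json); not taken from the issue.
SAMPLE_REPORT = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [
        {"id": "a1", "name": "SQL injection", "severity": "High",
         "identifiers": [{"type": "cwe", "name": "CWE-89", "value": "89"}],
         "location": {"file": "app/db.py", "start_line": 12}},
        {"id": "a2", "name": "SQL injection", "severity": "High",
         "identifiers": [{"type": "cwe", "name": "CWE-89", "value": "89"}],
         "location": {"file": "app/db.py", "start_line": 12}},  # same key as a1
        {"id": "a3", "name": "Hardcoded secret", "severity": "Critical",
         "identifiers": [{"type": "gitleaks_rule_id", "name": "AWS",
                          "value": "aws-access-token"}],
         "location": {"file": "config.py", "start_line": 3}},
    ],
})


def dedup_key(vuln):
    """Assumed approximation of GitLab's finding fingerprint:
    primary identifier (type, value) plus file/line location."""
    primary = vuln["identifiers"][0]
    loc = vuln.get("location", {})
    return (primary["type"], primary["value"], loc.get("file"), loc.get("start_line"))


def notification_expectation(report_json):
    """Return (raw_count, unique_count, duplicates) so the raw finding count
    can be compared with the number of Slack notifications actually received."""
    vulns = json.loads(report_json)["vulnerabilities"]
    counts = Counter(dedup_key(v) for v in vulns)
    duplicates = {k: n for k, n in counts.items() if n > 1}
    return len(vulns), len(counts), duplicates


def unexplained_gap(report_json, received):
    """Notifications still missing after allowing for deduplication;
    0 means overlap in the findings fully explains the shortfall."""
    _, unique, _ = notification_expectation(report_json)
    return max(unique - received, 0)


if __name__ == "__main__":
    raw, unique, dups = notification_expectation(SAMPLE_REPORT)
    print(f"raw findings: {raw}, unique after dedup: {unique}, duplicate keys: {len(dups)}")
    print(f"unexplained gap with 1 notification received: {unexplained_gap(SAMPLE_REPORT, 1)}")
```

Run it against the real report artifact from the test pipeline and the count of received webhook messages to see whether the 1332 vs 337 discrepancy is larger than any overlap in the findings.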

The intention with this spike is to gather sufficient information to understand the root cause of the missing Slack notifications, or to produce an implementation plan that makes the integrations easier to debug (for example, with more logging).

Timebox

As the prospective cause of this issue is unknown, some degree of investigation, repeated testing and digging will be necessary to determine the reason and scope of the issue. [Timebox pending refinement]

Edited by Gregory Havenga