Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Secure Stage / 13 Oct 2021
GitLab / Secure Stage / 13 Oct 2021
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Secure:Threat Insights - Weekly Group Discussion 2021-10-13

Description

Agenda: https://docs.google.com/document/d/1OoBhaX2sRcLAndm7B2ENUTi5f6OGaQfAcBN1Rv1Bukw

A

Good day, everyone this is the security threat, insights, weekly group discussion on october, the 12th or 13th. If you're in australia on that side of the meridian and and jonathan, was uh talking about a long-standing issue. We skipped uh planning breakdown, a um that's about disabling the surveyor on kano and we skipped into vulnerabilities graph graph key. Well, not graphical query does not return vulnerabilities, so jonathan, take it away. Where were we.

B

All right, um so we have so there's this issue. That is in the notes here um I had started because the vulnerabilities query only pulled uh vulnerabilities from the instant security dashboard which, if you like, makes a valid point saying if you actually read the documentation, that's what it says it does, um but it's just kind of strange that a global vulnerabilities call only pulls from a certain group, um and so we down lower we're talking about adding the capability.

B

In the instance, security dashboard call to pull the vulnerabilities for that for the instance security dashboard. We already have group, we already have project, um so we were talking about moving the vulnerabilities to the dashboard call and deprecating the actual vulnerabilities call- and that's actually suggested by savas in a uh similar issue um where he was suggesting group project instance and pipeline um vulnerabilities being the same call. But we can't really it's the pipeline. One is different because that's security findings and they get pulled a little bit differently than the vulnerabilities themselves.

B

This this one here yeah. So I don't think we ever quite decided on that one um but yeah. So you have uh grouped up vulnerabilities project vulnerabilities and then just like the top level vulnerabilities.

B

um So so what we really would like to go forward with, I you know between me and mehmet- is deprecate vulnerabilities um and uh just go with the instant security dashboard uh and add that to the instant security dashboard call. um I was hoping to have some front end guys here, um but.

A

I was gonna ask and in order to do that, you need some feedback from front.

B

End I'd like we'd like it, um uh if that, if that's gonna, suffice for that second issue, um I'm actually probably going to close this issue and just.

C

The second.

A

One.

B

In favor of the second one, I think it it, you know it.

A

It's better explained, isn't it.

B

It's better explained, um the discussion is kind of my like morphed into what the second issue would be more likely um just aligning all of our graphql vulnerabilities calls. um So maybe.

A

Shibashi's, will you about say something.

C

So it is so. We are now concerned about like whether this um these link a call is used in anywhere in the front end or not. That's why.

B

Well, right now, well, right now it's it's! The vulnerabilities is being used by the front end and for the instant security dashboard.

B

Just kind of looking at the second here I think we wanted the group, so we have group project group and instance, security, dashboard um and getting rid of the top-level vulnerabilities to kind of clear out any kind of uh misunderstanding uh confusion about what it should be pulling or what it should not be pulling.

A

May I inquire is the proposal in savash's issue aligned with what you and mamet were thinking all right.

B

It's a little bit different. um What savash is recommending is using that top level vulnerabilities call there to have a security center flag, which is actually something I had suggested in the other one um uh but being able to put project id in group id, and it would remove the constraint of the vulnerability, the top level vulnerabilities call being only, for instance, security center.

B

So I I don't think it's too different than the my initial suggestion on that first issue.

B

That's cool.

C

Sorry, sorry to interrupt you for the uh the servers. What I, what what I can understand is like it's console, consolidating all the queries into one right, like the only keeping the vulnerabilities one for project group instance. Everything.

B

Yeah.

D

Downside of that.

B

Yeah is, I feel, like you know, keeping the the top level projects and getting the vulnerabilities for the project.

B

It's it. I guess to me it is kind of weird to have a top top-level vulnerabilities call, because a vulnerability has to belong to something um you know it's. These vulnerabilities belong to this group. These vulnerabilities belong to this project. These vulnerabilities belong to this instant security center. um You don't only just like pull.

B

You know like information on a set of vulnerabilities.

A

Are you concerned with with the potential volume of records that could be in scope for that query?.

B

That is part of it um that we do need to limit. How many? How many I mean it's the same thing for the group vulnerabilities and these instant security, where you just pull a ton of vulnerabilities at one time and it can kind of overload the the database query. The same reason why we get some of these 500s.

A

Because if you're an admin- and you hit that endpoint at the instance, level, you're basically going to receive all the vulnerabilities in.

B

Every project yeah, so so one of the restrictions on this calls it would have to have one of the flags either group project- or you know- is security center. It would have to have one of them, otherwise, it'd be an invalid call, because otherwise you're pulling all the vulnerabilities you can see in every project which no one should be doing. That.

A

I don't know, do you have.

B

One call.

A

In one call well, do we still have the pagination issues with graphql.

B

I mean that's, that's pulling a bunch of vulnerabilities at one time um and that would be trying to and trying to sort at all through like the severity.

A

I want to see this being used in the front end. I would see this being used as a sort of integration thing like somebody wants to clone all that to a different system. They want to extract it from gitlab.

A

There would be a a way to enable that, but I don't think we have to worry too much, because you always have have the option of listing all the groups and then making individual calls for each group. Yeah.

B

Fair enough yeah, so just just you know, hammering out the the final path forward on this thing was the main point in trying to bring this up getting the front end, what they wanted out of it as well, because they want they want a single call. That's that's that's what they when they want to be able to have a single call to limit how many different places they're trying to call this thing.

A

Yeah, there's a there's, a there's, a bit of complexity. If I understand it, there's a big complexion on the front end due to that they gotta, you know um basically stitch together, different query fragments in order to use these different things and they see an opportunity to just this could be the same yeah, uh but it needs to work on the back end. I think I think the ball is in our court on this one yeah. Sadly, uh it's not very high in in our priorities right. We currently working on the stability issues.

A

All of you have uh enough on their plates.

A

If, if the next steps are to put a proposal, basically put a proposal and refine, then I think I think we're we're. Okay, okay,.

B

Am I oversimplifying this? No, I don't think so. um I think it we just it is we just have to make a decision. It's like this is the proposal. This is how we should go and um I'm willing to go ahead and do that, go ahead and put a proposal out there on this issue. Saying hey: let's, let's do this proposal, I'm not.

A

Opposed to that yeah, if you understand why you wait for a build or for gdk to do its thing, yeah no.

B

Right now, a signal like man running running tests with sentinel like I ran a test and my my computer was going to take off.

A

Wow I uh I had to buy one of these.

A

It's a stand. It's actually quite warm now like without one of these macbooks are just useless. They.

D

They, the.

A

Yeah, the thermal, the thermal cpu, I forget what it's called, but it just limits it still cycles from the cpu, so it cools down.

B

No, what you got there now is, uh you know you can run some tests and then you can cook some eggs. You know look like. I got a little like griddle.

D

Jonathan is on fire today.

D

uh After after his postgres sequel, first press goal: yes.

B

That was the other thing that we decided is that we're going to start calling postgres uh post-grad school yeah, that was uh that was thiago's. um We.

A

Have an issue we have an issue for that, the proposal uh I'll stop recording. I think I think uh we we reached the end of the we have reached.

A

So let me.

D

Stop this.