Blog AI/ML Developing GitLab Duo: Use AI to remediate security vulnerabilities
Published on: July 15, 2024
9 min read

Developing GitLab Duo: Use AI to remediate security vulnerabilities

This tutorial shows how GitLab Duo Vulnerability Explanation and GitLab Duo Vulnerability Resolution, along with our other AI-powered features, can help to address vulnerabilities quickly.

gitlab duo - new cover

You’ve just started into a new job, and on your first day, a large-scale production incident requires all hands on deck. There are a number of critical new vulnerabilities that require immediate attention, analysis, mitigation and remediation. Where do you start your investigation?

Learn how GitLab Duo Vulnerability Explanation and GitLab Duo Vulnerability Resolution, along with our other AI-powered features, can help you begin addressing vulnerabilities in minutes. You will learn how to benefit from AI-powered assistance to analyze and explain vulnerabilities in a practical example. Additional remediation is highlighted with AI-generated code fixes in MRs to aid faster vulnerability resolution.

Start a free trial of GitLab Duo to bring these powerful vulnerability remediation benefits to your own organization!

How to get started: Analyze

The first step is to analyze the impact and severity of the vulnerability. Open the GitLab UI and navigate into the vulnerability report in the Secure > Vulnerability Report menu. Filter the vulnerability list by SAST, and identify the most critical vulnerabilities to work on.

Vulnerability reports overview

The SAST scanner results are summarized in the detail view, linking to the source code. They provide details from publicly available security advisories. As a developer, it is often hard to start the analysis from the security report, unless you are fully aware of the attack scope, technical details, and vulnerable environments.

Understand and mitigate with Vulnerability Explanation

Understanding the vulnerability and how to fix it in the best and most efficient way is crucial. Fixes must not break existing functionality. If they do, a discussion with maintainers and product owners will be necessary, and, as such, will require a high-level summary and potential mitigation alternatives. Code that someone who left the company wrote or code that has no tests can make the planning for a fix even more difficult.

AI-powered Vulnerability Explanation helps with a summary of how an attacker can exploit the vulnerability, and provides more explanations about the impact and potential fixes.

The following example shows an OS Command Injection vulnerability, using this code snippet:

<?php 

// Read variable name from GET request
$name = $_GET['name'];

// Use the variable name to call eval and print its value 
eval('echo $' . $name . ';');

The vulnerability report does not go into much detail, and requires understanding of the full context and impact. Select Explain vulnerability from the upper right corner, which will open GitLab Duo Chat with a pre-defined prompt action. This will give an additional summary of the vulnerability, describe how the vulnerability can be exploited, and provide a suggested fix.

Improper Neutralization ofSpecial Elements used in an OS Command('OS Command Injection')

Make Vulnerability Explanation a conversation with context

You’ll also recognize a change in UX: The previous vulnerability explanation overlay was replaced with a GitLab Duo Chat workflow. Sometimes, a complex vulnerability unfolds into multiple mitigation steps, or unclear source code paths.

You can navigate into the source code tree, and continue with the same Chat context to explain, fix, refactor, and test the code.

Let’s try the full workflow with an example in C, where security scanning detected a buffer overflow.

  1. Open the security vulnerability detail view, and select "Explain vulnerability" on the button in the upper right. This will open up the Chat prompt, providing a summary of the problem, potential attack vectors, and a proposed fix.

AI for vulnerabilities - image 4

  1. Review the proposed fix, and ask Chat in a follow-up prompt to share alternative paths, using Can you show an alternative fix using a different function. The idea is to learn about alternative functions to strcpy() that can be more safe to use.

AI for vulnerabilities - image 3

  1. Chat comes up with an alternative fix using strlcpy() in the following example. The function only copies as many characters as allowed in the target string, and always terminates the string with null. It also returns the length of the source string to determine whether the string was truncated.

AI for vulnerabilities - image 5

  1. Next, click on the Location file URL to jump into the source code view. Open Chat again, and verify that the previous vulnerability explanation context is still there. As a next step, we want to add tests before continuing with a proposed fix. This helps to avoid breaking functionality or introduce regressions. For example, use this Chat prompt: Based on the vulnerability context and opened source code, how would you add tests for it?.

AI for vulnerabilities - image 7

  1. After generating tests (and assuming they were added now), you can also ask Chat to refactor the source code, using the prompt Can you refactor the source code too? in the same session.

AI for vulnerabilities - image 6

The workflow shows how to analyze, understand, mitigate, get alternative approaches, add tests, and even refactor fixes for vulnerabilities.

You can continue this path using Chat, and then switch into the Web IDE to modify the source code after learning how to do it. Additional continued workflows include committing changes and triggering CI/CD and security scans for the full DevSecOps lifecycle loop.

Remediate with AI-assisted Vulnerability Resolution

Understanding and mitigating a security vulnerability still requires engineering work to create a fix for the problem, run pipelines and security scanning in a new merge request again. It can also be necessary to deploy the fixes into a staging environment and test them for a longer period of time.

AI can help here with generating a proposed fix based on the provided context of the vulnerability and source code.

Tip: Think of the most annoying vulnerability you had to fix in your career, and re-create the use case example for your GitLab Duo adoption. The MITRE CWE Top 25 of the most dangerous software weaknesses also provides a good starting point.

The following example implements CWE-328: Use of a weak hash function by using md5. It is correctly identified by SAST scanning.

import hashlib

class User:
    def __init__(self, username, password):
        self.username = username
        self.password = password

    def set_password(self, password):
        self.password = hashlib.md5(password.encode()).hexdigest()

AI for vulnerabilities - image 8

Click on the button in the upper right Resolve with merge request. This will open an MR that uses AI to propose the fix. For this vulnerability, one possible fix could be using a different hash function.

AI for vulnerabilities - image 9

Another common vulnerability example is not checking function error codes or potential exceptions. The following C code snippets implement an example for timing attacks against file operations with CWE-362 for the fopen() and chmod() calls.

#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

int main(int argc, char **argv) {

    // File operations
    char *fname = "gitlab.keksi";

    FILE *fp;
    fp = fopen(fname, "r");
    fprintf(fp, "Hello from GitLab Duo Vulnerability Resolution Challenge");
    fclose(fp);

    // Potential chmod() timing attacks    

    // Make the file world readable
    chmod(fname, S_IRWXU|S_IRWXG|S_IRWXO);

    return 0;
}

The SAST report for chmod() can look like the following:

AI for vulnerabilities - image 10

The proposed chmod() merge request includes error handling, and fixes another potential issue with world writable files, changing the permissions from 777 to 600.

AI for vulnerabilities - image 11

Try this async exercise: Find, analyze, and fix the vulnerability for the fopen() function.

More AI assistance required from GitLab Duo

Often, a security problem can be resolved with a quick fix or a workaround that grants the development teams time to discuss and plan a more long-term solution. In other cases, the problem becomes more complex and requires feature APIs disabled, or firewall mitigation, until a proper fix can be rolled into production.

GitLab Duo offers additional AI-powered features that can help resolve these issues.

Code Explanation: As a developer or security engineer, it's crucial to feel confident in the changes you've made. Within the IDE, you can use the Code Explanation feature to gain a deeper understanding of the AI-suggested fix for the vulnerability. This ensures you know exactly what adjustments have been made and why.

Root Cause Analysis: If the fix breaks your pipeline, you can utilize the Root Cause Analysis feature. This tool helps identify and explain the underlying problem, allowing you to address it effectively. After applying the necessary corrections, you can rerun the tests to ensure a successful resolution.

Refactor: Even if the vulnerability has been fixed, it's worth considering if the code can be written in a safer manner. In the IDE, you can open GitLab Duo Chat and use the refactor action to explore alternative, more secure ways to write your code. This proactive approach helps maintain a robust and secure codebase.

By leveraging these GitLab Duo features, you can confidently navigate and resolve vulnerabilities, ensuring your code remains secure and efficient.

What’s next?

We plan to bring both Vulnerability Explanation and Vulnerability Resolution "left" by incorporating them directly into the MR process. This integration ensures that you can address and resolve vulnerabilities earlier in the development cycle, streamlining your workflow and enhancing code security from the outset.

Get started with GitLab Duo

Please see our documentation on how to enable the feature available to our GitLab Ultimate customers. Also, GitLab Duo Vulnerability Explanation and Vulnerability Resolution will soon be coming to GitLab self-managed and GitLab Dedicated.

You can keep up with what's new in GitLab Duo by following the "Developing GitLab Duo" blog series.

Start a free trial of GitLab Duo to bring these powerful vulnerability remediation benefits to your own organization!

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum. Share your feedback

Ready to get started?

See what your team could do with a unified DevSecOps Platform.

Get free trial

Find out which plan works best for your team

Learn about pricing

Learn about what GitLab can do for your team

Talk to an expert