
Add scanner, report_type to SAST, CS, DS reports

Problem to solve

SAST, Container Scanning, and Dependency Scanning analyzers don't populate the new JSON fields introduced in gitlab-org/security-products/security-report-schemas!13 (merged): they don't report the scan type and scanner information.

Intended users

Proposal

Add scan.scanner and scan.type to the JSON security reports generated by SAST, Container Scanning, and Dependency Scanning analyzers.

Depending on how the analyzer project is implemented, the change has to be implemented in the command package of the common library or in the analyzer project itself. Currently the following analyzer projects don't use the command package: nodejs-scan, secrets, gemnasium, and klar.

Implementation plan

Further details

Permissions and Security

N/A

Documentation

scan.scanner and scan.type are already documented in the JSON schemas.

Availability & Testing

To be tested as part of QA, when comparing generated reports with expected ones.
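A report check of the kind the proposal and the QA note call for, as an added example that is not code from the analyzers or the common library: it parses a generated report and lists which of the new scan fields are missing. The scan.scanner sub-fields (id, name, version, vendor.name) are assumed from the schema and should be verified against the schema version in use.

```go
package main

import "encoding/json"
// Scanner mirrors the assumed scan.scanner object (id, name, version, vendor.name).
type Scanner struct {
	ID      string `json:"id"`
	Name    string `json:"name"`
	Version string `json:"version"`
	Vendor  struct {
		Name string `json:"name"`
	} `json:"vendor"`
}
// Scan carries the two fields this issue adds; Report is the subset of a
// security report that the check reads (other top-level keys are ignored).
type Scan struct {
	Type    string  `json:"type"`
	Scanner Scanner `json:"scanner"`
}
type Report struct {
	Scan *Scan `json:"scan"`
}
// allowedTypes are the scan.type values for the analyzers this issue covers.
var allowedTypes = map[string]bool{"sast": true, "container_scanning": true, "dependency_scanning": true}
// MissingScanFields parses a report and returns the scan fields that are absent
// or invalid; an empty result means the report carries the new metadata.
func MissingScanFields(raw []byte) ([]string, error) {
	var r Report
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, err
	}
	if r.Scan == nil {
		return []string{"scan"}, nil
	}
	var missing []string
	if !allowedTypes[r.Scan.Type] {
		missing = append(missing, "scan.type")
	}
	s := r.Scan.Scanner
	for _, f := range []struct{ name, value string }{
		{"scan.scanner.id", s.ID}, {"scan.scanner.name", s.Name},
		{"scan.scanner.version", s.Version}, {"scan.scanner.vendor.name", s.Vendor.Name},
	} {
		if f.value == "" {
			missing = append(missing, f.name)
		}
	}
	return missing, nil
}
```

Run it over each analyzer's generated report in the QA comparison; a non-empty result pinpoints exactly which field an analyzer still omits.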

What does success look like, and how can we measure that?

All aforementioned analyzers generate these extra fields in their reports.

What is the type of buyer?

GitLab Ultimate

Is this a cross-stage feature?

Yes, and this issue covers all analyzer projects except DAST.

Links / references

Edited by Adam Cohen