Provide more details when creating an issue for a container scanning finding

Problem to solve

When clicking the button Create Issue from a container scanning finding, the created issue contains very little information about the finding. Most of the details that are available in the raw report are not displayed.

In particular, the issue does not contain the name of the image in which the finding was made. As a consequence, it is difficult/impossible to fix the issue with just the information provided in the issue. The lack of a finding's location is especially a problem if multiple images are scanned in a pipeline (#6946 (closed)), as it is unclear for which image the finding was made.

Example issue: https://gitlab.com/gitlab-com/gl-security/appsec/container-scanners/-/issues/4

Intended users

Proposal

Add the following fields to the issue view template:

  1. Scanner
    • id
    • name
    • url
    • version
  2. Location
    • image
    • operating system
    • architecture or architectures

Implementation Plan

  1. Update Issues::CreateFromVulnerabilityDataService to include Docker image name
  2. Include new details in issue description template
  3. Update MergeRequests::CreateFromVulnerabilityDataService to include Docker image name
  4. Include new details in merge request description template
  5. Update unit tests for above changes

cc @NicoleSchwartz @gonzoyumo for scheduling

Edited by 🤖 GitLab Bot 🤖
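
An added illustration of the proposal above, not GitLab's code and not part of the original issue: two constructed findings for the same vulnerability in different images produce identical descriptions until the scanner and location fields are included. The hash keys, image names and helper names are assumptions modeled on the proposed field list.

```ruby
# Added illustration, not GitLab's implementation. The findings, hash keys and
# helper names are constructed from the field list in the proposal.
SCANNER = { id: "example-scanner", name: "Example Scanner",
            url: "https://scanner.example", version: "1.0.0" }.freeze

FINDINGS = [
  { name: "CVE-0000-00000 (placeholder)", severity: "High", scanner: SCANNER,
    location: { image: "registry.example/app/web:1.2",
                operating_system: "debian:11", architecture: "amd64" } },
  { name: "CVE-0000-00000 (placeholder)", severity: "High", scanner: SCANNER,
    location: { image: "registry.example/app/worker:1.2",
                operating_system: "alpine:3.18", architecture: %w[amd64 arm64] } }
].freeze

# Fields the proposal asks to add, grouped as in its list.
SECTIONS = { scanner: %i[id name url version],
             location: %i[image operating_system architecture] }.freeze

# Description without scanner or location: the situation the issue describes.
def minimal_description(finding)
  "### #{finding[:name]}\n\n* severity: #{finding[:severity]}\n"
end

# Report values are rendered as inline code so markup characters in them are
# shown literally; missing values become "unknown" instead of being dropped.
def render(value)
  text = Array(value).join(", ").delete("`")
  text.empty? ? "unknown" : "`#{text}`"
end

def detailed_description(finding)
  out = minimal_description(finding).dup
  SECTIONS.each do |section, keys|
    data = finding[section] || {}
    out << "\n#### #{section.to_s.capitalize}\n\n"
    keys.each { |key| out << "* #{key.to_s.tr('_', ' ')}: #{render(data[key])}\n" }
  end
  out
end

if __FILE__ == $PROGRAM_NAME
  FINDINGS.each { |f| puts detailed_description(f), "---" }
end
```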