Add status, start_time, end_time to SAST, CS, DS reports
Problem to solve
SAST, Container Scanning, and Dependency Scanning analyzers don't use the new JSON fields introduced in gitlab-org/security-products/security-report-schemas!13 (merged): they don't report their status and execution time.
Intended users
Proposal
Add scan.status, scan.start_time, and scan.end_time to the JSON security reports generated by SAST, Container Scanning, and Dependency Scanning analyzers.
Depending on how the analyzer project is implemented, the change has to be implemented in the command package of the common library or in the analyzer project itself. Currently the following analyzer projects don't use the command package: nodejs-scan, secrets, gemnasium, and klar.
Implementation plan
- Add status, start_time, end_time as fields of the Scan struct of the common/issue package, to be introduced in #202053 (closed).
- Update the run command so that it keeps track of start time and end time, and adds this information to the generated report.
- Upgrade the common dependency in analyzer projects depending on common/command, and release versions.
  - SAST
  - Dependency Scanning
    - bundler-audit
    - retire.js
    - gemnasium-python
      - analyzer
      - tests
    - gemnasium-maven
      - analyzer
      - tests
        - gitlab-org/security-products/tests/java-maven-multimodules!66 (merged)
        - gitlab-org/security-products/tests/scala-sbt!31 (merged)
        - gitlab-org/security-products/tests/scala-sbt!32 (merged)
        - gitlab-org/security-products/tests/scala-sbt!33 (merged)
        - gitlab-org/security-products/tests/java-gradle-multimodules!16 (merged)
        - gitlab-org/security-products/tests/java-gradle-kotlin-dsl!5 (merged)
        - gitlab-org/security-products/tests/java-maven!101 (merged)
        - gitlab-org/security-products/tests/java-maven!102 (merged)
        - gitlab-org/security-products/tests/java-maven!103 (merged)
        - gitlab-org/security-products/tests/java-maven!104 (merged)
        - gitlab-org/security-products/tests/java-maven!105 (merged)
        - gitlab-org/security-products/tests/java-gradle!45 (merged)
        - gitlab-org/security-products/tests/java-gradle!46 (merged)
        - gitlab-org/security-products/tests/java-gradle!47 (merged)
        - gitlab-org/security-products/tests/java-gradle!49 (merged)
        - gitlab-org/security-products/tests/java-gradle!48 (merged)
- Upgrade projects that don't depend on common/command: add status, start_time, and end_time.
  - SAST
  - Dependency Scanning
    - gemnasium
      - analyzer
      - tests
        - gitlab-org/security-products/tests/c-conan!7 (merged)
        - gitlab-org/security-products/tests/js-yarn!68 (merged)
        - gitlab-org/security-products/tests/js-npm!13554 (merged)
        - gitlab-org/security-products/tests/csharp-nuget-dotnetcore!23 (merged)
        - gitlab-org/security-products/tests/php-composer!47 (merged)
        - gitlab-org/security-products/tests/go-modules!52 (merged)
        - gitlab-org/security-products/tests/ruby-bundler!1242 (merged)
  - Container Scanning
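As an added example (not code from the common library or from any analyzer project), a Go sketch of the change the plan describes: a Scan struct carrying the three new fields, a run wrapper that records start and end time and derives the status from the analyzer's result, and the kind of check a QA comparison of generated reports could apply. The Go field names, the "success"/"failure" status values and the second-precision timestamp layout are assumptions; the JSON keys are the ones named in the issue.

```go
package main

import (
	"fmt"
	"time"
)

// Layout for scan.start_time / scan.end_time: assumed to be the schema's
// second-precision "YYYY-MM-DDTHH:MM:SS" form (not stated on the page).
const schemaTimeLayout = "2006-01-02T15:04:05"

// Scan holds the fields this issue adds to the report's "scan" object. The Go
// field names are assumed; the JSON keys are the ones named in the issue.
type Scan struct {
	Status    string `json:"status"`
	StartTime string `json:"start_time"`
	EndTime   string `json:"end_time"`
}

// Run executes the analyzer between two clock reads and derives scan.status
// ("success"/"failure", assumed values) from whether it returned an error.
// The clock is injected so tests are deterministic; callers pass time.Now.
func Run(now func() time.Time, analyze func() error) Scan {
	start := now()
	err := analyze()
	end := now()
	status := "success"
	if err != nil {
		status = "failure"
	}
	return Scan{
		Status:    status,
		StartTime: start.UTC().Format(schemaTimeLayout),
		EndTime:   end.UTC().Format(schemaTimeLayout),
	}
}

// Validate is the check QA would apply to a generated scan object: a known
// status and both timestamps parseable in the schema layout.
func Validate(s Scan) error {
	if s.Status != "success" && s.Status != "failure" {
		return fmt.Errorf("bad status %q", s.Status)
	}
	for k, v := range map[string]string{"start_time": s.StartTime, "end_time": s.EndTime} {
		if _, err := time.Parse(schemaTimeLayout, v); err != nil {
			return fmt.Errorf("bad %s: %w", k, err)
		}
	}
	return nil
}
```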
Further details
Permissions and Security
N/A
Documentation
scan.status, scan.start_time, and scan.end_time are already documented in the JSON schemas.
Availability & Testing
To be tested as part of QA, when comparing generated reports with expected ones.
What does success look like, and how can we measure that?
All aforementioned analyzers generate these extra fields in their reports.
What is the type of buyer?
Is this a cross-stage feature?
Yes, and this issue covers all analyzer projects except DAST.