Add status, start_time, end_time to SAST, CS, DS reports

Problem to solve

SAST, Container Scanning, and Dependency Scanning analyzers don't the n ew JSON fields introduced in gitlab-org/security-products/security-report-schemas!13 (merged): they don't report their status and execution time.

Intended users

Proposal

Add scan.status, scan.start_time, scan.end_time to the JSON security reports generated by SAST, Container Scanning, and Dependency Scanning analyzers.

Depending on how the analyzer project is implemented, the change has to be implemented in the command package of the common library or in the analyzer project itself. Currently the following analyzer projects don't use the command package: nodejs-scan, secrets, gemnasium, and klar.

Implementation plan

• Add status, start_time, end_time as field of the Scan struct of the common/issue package, to be introduced in #202053 (closed).
• Update the run command so that it keeps track of start time and end time, and add these information to the generated report.
• Upgrade the common dependency in analyzer projects depending on common/command, and release versions.
  • SAST
    • security-code-scan
      • gitlab-org/security-products/analyzers/security-code-scan!46 (merged)
      • https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan/-/releases/v2.11.0
    • flawfinder
      • gitlab-org/security-products/analyzers/flawfinder!35 (merged)
      • https://gitlab.com/gitlab-org/security-products/analyzers/flawfinder/-/releases/v2.10.0
    • brakeman
      • gitlab-org/security-products/analyzers/brakeman!39 (merged)
      • https://gitlab.com/gitlab-org/security-products/analyzers/brakeman/-/releases/v2.8.0
    • eslint
      • gitlab-org/security-products/analyzers/eslint!46 (merged)
      • https://gitlab.com/gitlab-org/security-products/analyzers/eslint/-/releases/v2.8.0
    • spotbugs
      • gitlab-org/security-products/analyzers/spotbugs!59 (merged)
      • https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs/-/releases/v2.11.0
    • gosec
      • gitlab-org/security-products/analyzers/gosec!62 (merged)
      • https://gitlab.com/gitlab-org/security-products/analyzers/gosec/-/releases/v2.12.0
    • bandit
      • gitlab-org/security-products/analyzers/bandit!46 (merged)
      • https://gitlab.com/gitlab-org/security-products/analyzers/bandit/-/releases/v2.9.0
    • phpcs-security-audit
      • gitlab-org/security-products/analyzers/phpcs-security-audit!37 (merged)
      • https://gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit/-/releases/v2.8.0
    • sobelow
      • gitlab-org/security-products/analyzers/sobelow!35 (merged)
      • https://gitlab.com/gitlab-org/security-products/analyzers/sobelow/-/releases/v2.7.0
    • pmd-apex
      • gitlab-org/security-products/analyzers/pmd-apex!37 (merged)
      • https://gitlab.com/gitlab-org/security-products/analyzers/pmd-apex/-/releases/v2.6.0
    • kubesec
      • gitlab-org/security-products/analyzers/kubesec!30 (merged)
      • https://gitlab.com/gitlab-org/security-products/analyzers/kubesec/-/releases/v2.7.0
  • Dependency Scanning
    • bundler-audit
      • analyzer
        • gitlab-org/security-products/analyzers/bundler-audit!50 (merged)
        • https://gitlab.com/gitlab-org/security-products/analyzers/bundler-audit/-/releases/v2.9.0
      • tests
        • gitlab-org/security-products/tests/ruby-bundler!1243 (merged)
        • gitlab-org/security-products/tests/ruby-bundler!1244 (merged)
    • retire.js
      • gitlab-org/security-products/analyzers/retire.js!44 (merged)
      • https://gitlab.com/gitlab-org/security-products/analyzers/retire.js/-/releases/v2.9.0
    • gemnasium-python
      • analyzer
        • gitlab-org/security-products/analyzers/gemnasium-python!63 (merged)
        • https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-python/-/releases/v2.15.0
      • tests
        • gitlab-org/security-products/tests/python-pipenv!47 (merged)
        • gitlab-org/security-products/tests/python-pip!114 (merged)
        • gitlab-org/security-products/tests/python-pip!115 (merged)
    • gemnasium-maven
      • analyzer
        • gitlab-org/security-products/analyzers/gemnasium-maven!66 (merged)
        • https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven/-/releases/v2.18.0
      • tests
        • gitlab-org/security-products/tests/java-maven-multimodules!66 (merged)
        • gitlab-org/security-products/tests/scala-sbt!31 (merged)
        • gitlab-org/security-products/tests/scala-sbt!32 (merged)
        • gitlab-org/security-products/tests/scala-sbt!33 (merged)
        • gitlab-org/security-products/tests/java-gradle-multimodules!16 (merged)
        • gitlab-org/security-products/tests/java-gradle-kotlin-dsl!5 (merged)
        • gitlab-org/security-products/tests/java-maven!101 (merged)
        • gitlab-org/security-products/tests/java-maven!102 (merged)
        • gitlab-org/security-products/tests/java-maven!103 (merged)
        • gitlab-org/security-products/tests/java-maven!104 (merged)
        • gitlab-org/security-products/tests/java-maven!105 (merged)
        • gitlab-org/security-products/tests/java-gradle!45 (merged)
        • gitlab-org/security-products/tests/java-gradle!46 (merged)
        • gitlab-org/security-products/tests/java-gradle!47 (merged)
        • gitlab-org/security-products/tests/java-gradle!49 (merged)
        • gitlab-org/security-products/tests/java-gradle!48 (merged)
• Upgrade projects that don't depend on common/command, add status, start_time, and end_time.
  • SAST
    • secrets
      • gitlab-org/security-products/analyzers/secrets!70 (merged)
      • https://gitlab.com/gitlab-org/security-products/analyzers/secrets/-/releases/v3.9.0
    • nodejs-scan
      • gitlab-org/security-products/analyzers/nodejs-scan!70 (merged)
      • https://gitlab.com/gitlab-org/security-products/analyzers/nodejs-scan/-/releases/2.9.0
  • Dependency Scanning
    • gemnasium
      • analyzer
        • gitlab-org/security-products/analyzers/gemnasium!99 (merged)
        • https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/releases/v2.17.0
      • tests
        • gitlab-org/security-products/tests/c-conan!7 (merged)
        • gitlab-org/security-products/tests/js-yarn!68 (merged)
        • gitlab-org/security-products/tests/js-npm!13554 (merged)
        • gitlab-org/security-products/tests/csharp-nuget-dotnetcore!23 (merged)
        • gitlab-org/security-products/tests/php-composer!47 (merged)
        • gitlab-org/security-products/tests/go-modules!52 (merged)
        • gitlab-org/security-products/tests/ruby-bundler!1242 (merged)
  • Container Scanning
    • klar
      • gitlab-org/security-products/analyzers/klar!60 (merged)
      • https://gitlab.com/gitlab-org/security-products/analyzers/klar/-/releases/v2.6.0

Further details

Permissions and Security

N/A

Documentation

scan.status, scan.start_time, and scan.end_time are already documented in the JSON schemas.

Availability & Testing

To be tested as part of QA, when comparing generated reports with expected ones.

What does success look like, and how can we measure that?

All aforementioned analyzers generate these extra fields in their reports.

What is the type of buyer?

GitLab Ultimate

Is this a cross-stage feature?

Yes, and this issue covers all analyzer projects except DAST.

Links / references