Plan and Refine: Add scan.messages to SAST, CS, DS reports
Problem to solve
SAST, Container Scanning, and Dependency Scanning analyzers don't leverage the new .scan.messages JSON field introduced in gitlab-org/security-products/security-report-schemas!13 (merged).
Intended users
Proposal
Add scan.messages to the JSON security reports generated by SAST, Container Scanning, and Dependency Scanning analyzers.
Depending on how the analyzer project is implemented, the change has to be implemented in the command package of the common library or in the analyzer project itself. Currently the following analyzer projects don't use the command package: nodejs-scan, secrets, gemnasium, and klar.
Implementation plan
- Define what needs to be logged in the report
- Support 1 project that does NOT use command.Run (klar)
  - Update the common library. Add a new logger analyzer projects might use to add log messages to the report, and make this logger persist log messages in memory. Add struct types and helper functions analyzer projects can use to dump the collected log messages to the report
  - Update klar (Container Scanning)
- Support 1 project that uses command.Run (bundler-audit)
  - Make command.Run add log messages to the report
  - Update bundler-audit (Dependency Scanning)
- Support all other projects
  - Update secrets (SAST)
  - Update nodejs-scan (SAST)
  - Update gemnasium (Dependency Scanning)
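The in-memory logger and the dump helper the plan calls for, as an added Go sketch that is not the common library's own code. The level/value shape of a message and the minimal Report struct are assumptions, not taken from the schema.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sync"
)

// Message is one entry of scan.messages; the level/value shape is an
// assumption about the field introduced in security-report-schemas!13.
type Message struct {
	Level string `json:"level"`
	Value string `json:"value"`
}

// Report is a minimal stand-in for an analyzer's JSON security report.
type Report struct {
	Scan struct {
		Messages []Message `json:"messages,omitempty"`
	} `json:"scan"`
}

// MemoryLogger keeps entries in memory until the scan finishes (goroutine-safe).
type MemoryLogger struct {
	mu       sync.Mutex
	messages []Message
}

// Log records one message at the given level ("info", "warn", "fatal").
func (l *MemoryLogger) Log(level, value string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	l.messages = append(l.messages, Message{Level: level, Value: value})
}

// DumpMessages appends the collected entries to report.scan.messages and serializes it.
func DumpMessages(r *Report, l *MemoryLogger) ([]byte, error) {
	l.mu.Lock()
	defer l.mu.Unlock()
	r.Scan.Messages = append(r.Scan.Messages, l.messages...)
	return json.Marshal(r)
}

func main() {
	log := &MemoryLogger{}
	log.Log("warn", "registry returned 404 for one image") // constructed sample
	out, _ := DumpMessages(&Report{}, log)
	fmt.Println(string(out))
}
```

An analyzer that does not go through command.Run would call DumpMessages itself just before writing the report file; with omitempty the field is left out when nothing was logged.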
Further details
Permissions and Security
N/A
Documentation
messages are already documented in the JSON schemas.
Availability & Testing
To be tested as part of QA, when comparing generated reports with expected ones.
What does success look like, and how can we measure that?
All aforementioned analyzers generate these extra fields in their reports.
What is the type of buyer?
Is this a cross-stage feature?
Yes, and this issue covers all analyzer projects except DAST.