Filter Project Vulnerability Report by vendor name
Release notes
GitLab strives to play well with others and security is no exception. We provide many security scanners as part of our Secure offering. We also encourage 3rd party vendors to integrate their scanning tools using our open API and data interchange formats. A benefit of using GitLab is managing vulnerabilities from multiple scanners in a unified experience. While you were already able to filter by scanner type (SAST, DAST), it wasn't possible to drill down by tool provider.
You now have even more granularity when managing vulnerabilities with the new ability to filter by scanner and vendor. This will make it even easier to narrow focus to one set of scan results. You can also look at all results across a single vendor's scanners. The new filtering capability is available now in Project Vulnerability Reports.
Documentation: https://docs.gitlab.com/ee/user/application_security/security_dashboard/#vulnerability-report
Additional Information
There tends to be some confusion when talking about the particular terms related to scanning tools and technologies. This is compounded by differences between the terms used internally (both at GitLab and in the code) and externally (in the GitLab product UI and the wider security industry). To clarify the ask, here is how the terms used in this issue should be understood:
- Scanner - How we refer generically to a particular scanning technology, e.g. `SAST` or `Dependency Scanning` in the UI (these are the values that currently appear in the Vulnerability Report's `Scanner` filter and column). Technically, these are report types.
- Report Type - The Common Security Report schemas, one for each type of scanning technology (SAST, DAST, Dependency)
- Vendor - The name of the company or organization responsible for providing a particular scanner tool. This will either be GitLab for the Secure scanners we provide or the name of a 3rd party vendor for integrated scanners. All 3rd party tools will correspond to a Report Type.
- Analyzer - The specific tool name provided as a scanner. For example, Brakeman is an analyzer that provides SAST scanning. Right now, we do not expose the analyzer name in the UI, preferring to use the generic scanner name only (`SAST` in this example).
Proposal
This piece was split from #210327 (closed)
Update the `Scanner` filter on the vulnerability list to:
- group all Secure scanners under a `GitLab` vendor heading
- dynamically add headings for any other vendor that has been configured on the project
- add beneath each header filters for each scanner provided by the respective vendor
- 3rd-party scanners should match GitLab scanner names (SAST, DAST, etc.) for consistency
- selecting a 3rd-party scanner filters for only vulnerabilities found by that specific scanner. In other words, if I have selected the filter for a 3rd-party SAST scanner but not selected GitLab's SAST scanner, I would only see results detected by the 3rd-party. Adding GitLab's SAST to the filter selection would then display both sets of results.
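The filter semantics above (vendor-grouped headings built from whatever scanners the project has configured, 3rd-party scanners reusing GitLab's report-type names, and a selection that only widens results as more scanners are ticked) can be modelled in a few functions. The block below is an added illustration, not GitLab's frontend code; the vulnerability record shape, the `scanner.vendor`/`scanner.reportType`/`scanner.analyzer` fields, the vendor names other than GitLab, and all helper names are assumptions made for the example.

```javascript
// Added example, not GitLab's code. Models the vendor-grouped Scanner filter
// proposed in this issue; the record shape and helper names are assumptions.

// Constructed sample: vulnerabilities as the report might receive them, each
// carrying the scanner that reported it (report type, vendor, analyzer).
// "Acme Security" is a made-up 3rd-party vendor.
const SAMPLE_VULNERABILITIES = [
  { id: 1, title: 'SQL injection',      scanner: { reportType: 'SAST', vendor: 'GitLab',        analyzer: 'brakeman'  } },
  { id: 2, title: 'Reflected XSS',      scanner: { reportType: 'DAST', vendor: 'GitLab',        analyzer: 'zaproxy'   } },
  { id: 3, title: 'Hardcoded secret',   scanner: { reportType: 'SAST', vendor: 'Acme Security', analyzer: 'acme-sast' } },
  { id: 4, title: 'Vulnerable package', scanner: { reportType: 'Dependency Scanning', vendor: 'GitLab', analyzer: 'gemnasium' } },
  { id: 5, title: 'Open redirect',      scanner: { reportType: 'DAST', vendor: 'Acme Security', analyzer: 'acme-dast' } },
];

// Build the filter options dynamically: a GitLab heading first, then one
// heading per other vendor seen on the project, each listing the report
// types (scanner names) that vendor provides. 3rd-party scanners reuse the
// GitLab names (SAST, DAST, ...), so the same label can appear under several
// vendors; the vendor heading is what disambiguates them.
function buildScannerFilterOptions(vulnerabilities) {
  const byVendor = new Map();
  for (const { scanner } of vulnerabilities) {
    if (!byVendor.has(scanner.vendor)) byVendor.set(scanner.vendor, new Set());
    byVendor.get(scanner.vendor).add(scanner.reportType);
  }
  const vendors = [...byVendor.keys()].sort((a, b) => {
    if (a === 'GitLab') return -1;
    if (b === 'GitLab') return 1;
    return a.localeCompare(b);
  });
  return vendors.map((vendor) => ({
    vendor,
    scanners: [...byVendor.get(vendor)].sort(),
  }));
}

// A selection is a Set of "vendor/reportType" keys, because "SAST" alone is
// ambiguous once more than one vendor provides it.
function filterKey(vendor, reportType) {
  return `${vendor}/${reportType}`;
}

// Apply the selection. An empty selection means "no scanner filter", i.e.
// everything is shown. A non-empty selection shows only findings from the
// ticked (vendor, scanner) pairs, so ticking a 3rd-party SAST scanner alone
// hides GitLab SAST findings until GitLab's SAST is ticked as well.
function applyScannerFilter(vulnerabilities, selected) {
  if (selected.size === 0) return vulnerabilities;
  return vulnerabilities.filter(({ scanner }) =>
    selected.has(filterKey(scanner.vendor, scanner.reportType)));
}

// The "all results across a single vendor's scanners" case: select every
// scanner listed under that vendor's heading.
function selectVendor(options, vendor) {
  const group = options.find((g) => g.vendor === vendor);
  return new Set((group ? group.scanners : []).map((s) => filterKey(vendor, s)));
}

// Walk through the scenario from the proposal and return the ids seen at each step.
function demo(vulnerabilities) {
  const options = buildScannerFilterOptions(vulnerabilities);
  const ids = (rows) => rows.map((v) => v.id);
  const thirdPartySastOnly = new Set([filterKey('Acme Security', 'SAST')]);
  const withGitLabSast = new Set([...thirdPartySastOnly, filterKey('GitLab', 'SAST')]);
  return {
    headings: options.map((g) => g.vendor),
    thirdPartySastOnly: ids(applyScannerFilter(vulnerabilities, thirdPartySastOnly)),
    withGitLabSast: ids(applyScannerFilter(vulnerabilities, withGitLabSast)),
    allAcme: ids(applyScannerFilter(vulnerabilities, selectVendor(options, 'Acme Security'))),
  };
}

console.log(JSON.stringify(demo(SAMPLE_VULNERABILITIES), null, 2));
```

The key design point is that the filter value is the (vendor, scanner) pair rather than the bare scanner name: once a 3rd-party vendor registers a scanner called `SAST`, a name-only filter would either merge both vendors' results or have to pick one arbitrarily, and neither matches the behaviour the proposal asks for.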
The equivalent changes are being made to the pipeline security tab in this separate issue #233054 (closed)
Documentation
The Project-level Vulnerability Report screenshots will need to be updated: https://docs.gitlab.com/ee/user/application_security/security_dashboard/#vulnerability-report
Implementation Plan
- Frontend: on the vulnerability list (shared between the project, group, and instance-level Vulnerability Reports), update the scanner filter to:
  - Show the scanner vendor alongside the scanner name
  - Dynamically add custom scanner filters that have been configured with the project and that filter for custom scanner vulnerabilities only