Security report provide Scanner version, not Analyzer version
Problem to solve
The current schema contains a scanner object which has a version property. It looks like this is supposed to be the version of the underlying scanner, like any other properties of that object.
Intended users
User experience goal
Proposal
- confirm that scanner.version is supposed to contain the version of the Scanner, not the Analyzer's version => YES
- come up with a proposal to add analyzer version in the report to help to debug. => To be discussed in #235393 (closed)
- think about edge cases like Container Scanning analyzer, klar, which actually depends on 2 external tools (klar and clair) (might be a follow-up) => use the most significant scanner for now. Discuss the possibility to extend the format in #235390
Further details
Permissions and Security
Documentation
Availability & Testing
What does success look like, and how can we measure that?
What is the type of buyer?
Is this a cross-stage feature?
Links / references
Edited by Olivier Gonzalez