Extend the Secure Report Format to allow multiple scanners generating a single scan

Problem to solve

Some analyzers rely on multiple scanners, whereas the current report format only allows for one. This means we currently pick one piece of software, arbitrarily, to be mentioned in the report over the others.

One can argue that in such cases there is often a "primary engine" and then a "plugin" or "database" which is more secondary. However, when it comes to sharing metadata about these software components (e.g. the version used), the relevance of that choice may be disputed: sometimes the version of the database, like Clair, is more meaningful than the version of the engine using it (klar).

Note that this is unrelated to the ability to split results into separate JSON reports within the same CI job. In the use cases mentioned above, there is no way to get a result without involving all the components.

Here are the analyzers we have today that already depend on multiple software components to produce a single scan, and thus a single report file:

Intended users

User experience goal

Proposal

We need to ask ourselves whether there is real value in supporting multiple scanners, and how we want to report that information to the end user, as this will impact how Findings and Vulnerabilities are displayed throughout the application.

  • List the known cases where there is a need for more than one Scanner object
  • Investigate the impact on the whole architecture of adding an array of scanner objects instead of a single one
  • Propose an update of the JSON schemas
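To make the schema question concrete, here is an added example (not GitLab code, and not a published schema) of a consumer that reads the `scan` block of a Secure Report in both shapes: today's single `scan.scanner` object, and a proposed `scan.scanners` array. The field names `id`, `name`, `vendor.name` and `version` follow the existing scanner object; the `scanners` array, the `primary` flag, the ordering rule (flagged primary first, else first entry) and the two sample reports built inline (klar plus Clair, with made-up versions) are assumptions for illustration. It shows one backward-compatible reading strategy and the checks a consumer would want (no mixed shapes, no empty array, unique ids, at most one primary) before Findings and Vulnerabilities start displaying more than one scanner.

```python
"""Added example (not GitLab code): read the ``scan`` block of a Secure Report
when it carries either one scanner object or a proposed array of scanners."""
import json

# Constructed sample in today's format: one object under scan.scanner.
# Field names follow the existing Secure Report Format; versions are made up.
CURRENT_REPORT = json.dumps({
    "version": "14.0.0",
    "vulnerabilities": [],
    "scan": {
        "type": "container_scanning",
        "status": "success",
        "scanner": {
            "id": "klar", "name": "klar",
            "vendor": {"name": "GitLab"}, "version": "2.4.0",
        },
    },
})

# Constructed sample of the proposed shape. ``scanners`` being an array and the
# ``primary`` flag are assumptions for this example, not a published schema.
PROPOSED_REPORT = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [],
    "scan": {
        "type": "container_scanning",
        "status": "success",
        "scanners": [
            {"id": "klar", "name": "klar", "vendor": {"name": "GitLab"},
             "version": "2.4.0", "primary": True},
            {"id": "clair", "name": "Clair DB", "vendor": {"name": "GitLab"},
             "version": "2020-04-17"},
        ],
    },
})

REQUIRED_FIELDS = ("id", "name", "version")


def _check_scanner(scanner, where):
    """Reject a scanner object that lacks the fields the UI relies on."""
    missing = [k for k in REQUIRED_FIELDS if k not in scanner]
    if missing:
        raise ValueError(f"{where}: missing {missing}")
    if "vendor" in scanner and "name" not in scanner["vendor"]:
        raise ValueError(f"{where}: vendor object needs a name")
    return scanner


def scanners_of(report_json):
    """Return the scanners of a report as a list whose first item is the primary.

    Accepts both shapes so a consumer can be upgraded before producers are:
    a lone ``scan.scanner`` object (current format) becomes a one-item list;
    a ``scan.scanners`` array is validated for unique ids and at most one
    ``primary`` flag, defaulting to the first entry when none is flagged.
    """
    scan = json.loads(report_json)["scan"]
    if "scanner" in scan and "scanners" in scan:
        raise ValueError("scan must not carry both 'scanner' and 'scanners'")
    if "scanner" in scan:
        return [_check_scanner(scan["scanner"], "scan.scanner")]
    entries = scan.get("scanners")
    if not entries:
        raise ValueError("scan needs 'scanner' or a non-empty 'scanners' array")
    checked = [_check_scanner(s, f"scan.scanners[{i}]") for i, s in enumerate(entries)]
    ids = [s["id"] for s in checked]
    if len(ids) != len(set(ids)):
        raise ValueError(f"duplicate scanner ids: {ids}")
    flagged = [s for s in checked if s.get("primary")]
    if len(flagged) > 1:
        raise ValueError("at most one scanner may be flagged primary")
    primary = flagged[0] if flagged else checked[0]
    return [primary] + [s for s in checked if s is not primary]


def is_well_formed(report_json):
    """True when scanners_of() accepts the report, False on any rejection."""
    try:
        scanners_of(report_json)
        return True
    except (ValueError, KeyError):
        return False


def scanner_summary(report_json):
    """Short label for a Finding/Vulnerability view: primary first, helpers in parentheses."""
    primary, *others = scanners_of(report_json)
    label = f"{primary['name']} {primary['version']}"
    if others:
        label += " (+ " + ", ".join(f"{s['name']} {s['version']}" for s in others) + ")"
    return label


if __name__ == "__main__":
    print(scanner_summary(CURRENT_REPORT))
    print(scanner_summary(PROPOSED_REPORT))
```

Reading both shapes in one consumer is what lets the array be introduced with a schema version bump while old reports keep parsing; the ordering rule matters because every place that shows a single scanner today needs a deterministic answer to "which one" once there are several.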

Further details

Permissions and Security

Documentation

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Links / references

Edited by Olivier Gonzalez