Extend Vulnerability model to support new Report Type: Cluster Image Scanning
Why are we doing this work
We want to allow customers to collect vulnerabilities from images in running Kubernetes clusters so they can understand their current security risk not only for images that are scanned as a part of CI Pipeline, but also for images that were deployed without using GitLab CI.
You can find more about our motivation to work on this issue here.
This issue is about extending the Vulnerability model to support a new Report Type (`cluster_image_scanning`), so we can differentiate vulnerabilities found in Container Scanning from those found in Cluster Image Scanning. In scope of this issue we should also extend the logic responsible for parsing security reports in GitLab so that it can store vulnerabilities with the `cluster_image_scanning` report type in the database and present them on the Dashboard.
Relevant links
Non-functional requirements
- [-] Documentation: in scope of #330711 (closed) issue
- [-] Feature flag: no feature flag is needed as this is something that users will optionally select by including the GitLab CI template
- [-] Performance:
- [-] Testing:
  - Add standard Unit Tests and extend factories to support the new report type
  - Test if you can parse a report from the `cluster_image_scanning` analyzer
  - Test if vulnerabilities from a security report from the `cluster_image_scanning` analyzer are visible in the database
Implementation plan
- backend Extend `self.allowed_job_types` in `app/finders/security/security_jobs_finder.rb` with new type `cluster_image_scanning`
- backend Extend `DEFAULT_FILE_NAMES` const with new type `cluster_image_scanning: 'gl-cluster-image-scanning-report.json'`, `REPORT_TYPES` const with new type `cluster_image_scanning: :raw`, `DOWNLOADABLE_TYPES` const with `cluster_image_scanning` and `file_type` enum with `cluster_image_scanning: 27` in `app/models/ci/job_artifact.rb`
- documentation Add information about `ci_max_artifact_size_cluster_image_scanning` in `doc/administration/instance_limits.md` (similar to `container_scanning`)
- documentation Add information about `artifacts:reports:cluster_image_scanning` to `doc/ci/yaml/README.md` (similar to `container_scanning`)
- documentation Add information about the new report type to `doc/development/integrations/secure.md` (similar to `container_scanning`)
- backend Extend `resolve_type` method in `ee/app/graphql/types/vulnerability_location_type.rb` with new type `cluster_image_scanning` that will use `VulnerabilityLocation::ContainerScanningType`
- backend Extend `REPORT_TYPE` const in `ee/app/models/concerns/ee/enums/vulnerability.rb` with `cluster_image_scanning`
- backend Extend `LICENSED_PARSER_FEATURES` const in `ee/app/models/ee/ci/build.rb` with `cluster_image_scanning: container_scanning` (we will reuse the licence for `cluster_image_scanning` from `container_scanning` as they are both in GitLab Ultimate)
- backend Extend `SECURITY_REPORT_FILE_TYPES` const with `cluster_image_scanning`, add new const `CLUSTER_IMAGE_SCANNING_REPORT_TYPES` (value: `%w[cluster_image_scanning]`) and add new scope `cluster_image_scanning_reports` with `CLUSTER_IMAGE_SCANNING_REPORT_TYPES` in `ee/app/models/ee/ci/job_artifact.rb`
- backend Extend `REPORT_LICENSED_FEATURES` const in `ee/app/models/ee/ci/pipeline.rb` with `cluster_image_scanning: %i[container_scanning],`
- backend Extend `scan_type` enum in `ee/app/models/security/scan.rb` with `cluster_image_scanning`
- backend Extend `parsers` method in `ee/lib/ee/gitlab/ci/parsers.rb` with `cluster_image_scanning: ::Gitlab::Ci::Parsers::Security::ContainerScanning,`
- backend Extend `standard_vulnerability?` method in `ee/lib/gitlab/vulnerabilities/parser.rb` with `cluster_image_scanning`
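How the pieces of the plan fit together, as an added Ruby sketch that is not GitLab's code: a report-type registry routes `cluster_image_scanning` to the container scanning parser and licence (as the plan does) while tagging every stored finding with its own report type. The sample report is constructed, and its shape is an assumed approximation of the container scanning report format.

```ruby
require 'json'

# Illustrative registry, not GitLab's own code: the parser and licensed
# feature each report type resolves to. cluster_image_scanning reuses the
# container scanning parser and licence but keeps its own report type.
REPORT_TYPES = {
  'container_scanning'     => { parser: :parse_container_scanning, licence: :container_scanning },
  'cluster_image_scanning' => { parser: :parse_container_scanning, licence: :container_scanning }
}.freeze

# Stand-in for the container scanning parser: extracts the image-based
# location fields that both report types share.
def parse_container_scanning(report)
  report.fetch('vulnerabilities', []).map do |v|
    loc = v.fetch('location', {})
    { severity: v['severity'], name: v['message'], image: loc['image'],
      package: loc.dig('dependency', 'package', 'name'), version: loc.dig('dependency', 'version') }
  end
end

# Checks the licence, dispatches to the registered parser and tags each
# finding with the report type, so the Dashboard can separate cluster
# findings from CI container scanning findings of the same image.
def ingest_report(report_type, json, licensed_features)
  entry = REPORT_TYPES.fetch(report_type) { raise ArgumentError, "unknown report type: #{report_type}" }
  unless licensed_features.include?(entry[:licence])
    raise ArgumentError, "#{report_type} requires the #{entry[:licence]} licence"
  end
  method(entry[:parser]).call(JSON.parse(json)).map { |f| f.merge(report_type: report_type) }
end

# Constructed sample report, not output of a real scan; the shape is assumed
# to follow the container scanning report format.
SAMPLE_REPORT = <<~JSON
  { "version": "14.0.0",
    "vulnerabilities": [ {
      "id": "constructed-1", "severity": "High", "message": "Constructed example vulnerability",
      "location": { "image": "registry.example.com/app:1.0", "operating_system": "debian:11",
                    "dependency": { "package": { "name": "example-lib" }, "version": "1.2.3" } } } ] }
JSON

if __FILE__ == $PROGRAM_NAME
  ingest_report('cluster_image_scanning', SAMPLE_REPORT, %i[container_scanning]).each { |f| puts f }
end
```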