Export comments in vulnerability report CSV
Release notes
Problem to solve
Our current CSV exports of vulnerability reports do not include any comment history. This makes it more challenging to know why a given vulnerability was closed or to follow its activity history. Having the comments available helps with review and audit purposes, especially for security teams that might not be working in GitLab yet. Having the comments is also very important in the US Federal government space, as agencies often require the reason why a vulnerability was Resolved or Dismissed.
Proposal
Add a new `Comments` column to the CSV export. Vulnerabilities can have multiple comments, each associated with a different status change. We want to capture the full comment history, as a vulnerability may have moved back and forth between statuses.
It will be somewhat awkward to serialize multiple comments into a single field in a row. To keep the comments distinguishable from one another, each should include:
- Comment author
- Comment timestamp
- Status associated with comment
- Comment
This might take a form similar to: "2022-09-28 01:02:03UTC::Author Name::Dismissed::Here is the Comment". The pieces of information within one comment will need a delimiter (not necessarily `::`) to separate them. Multiple comments will also need a second delimiter, distinct from both the CSV field delimiter and this intra-comment delimiter. Comment text is free-form and may itself contain the field delimiter, the intra-comment delimiter or the inter-comment delimiter, so it should be sanitized, wrapped in double quotes, or have conflicting characters escaped to prevent accidental delimiter confusion when the export is parsed.
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.
Implementation plan
- Add a new mapping (for example `'Comments' => 'notes_summary'`) into the existing export column structure.
- In `note.rb`, add a new method that returns the user who last edited the note, or the author if the note has never been edited.
- In the Vulnerability EE model:
  - Add a new scope that also includes `:notes`, which will be used by the export service.
  - Add a new method (e.g., `notes_summary`) which traverses `discussions` and each underlying `note`. The status will be based on the first `note` of each `discussion`; it can be parsed out of that first `note` with something like `/\A[\w+\s]+to\s(?<status>\w+)/`.
  - Make sure the character being used as a delimiter is escaped or substituted in the content of `note.note`.
- Update the `vulnerabilities` scope under `export_service` to use the newly created scope (suggested in the previous steps).
Example of output: root-oct-7-2022_vulnerabilities_2022-10-26T1615.csv
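The serialization sketched in the Proposal and the `notes_summary` traversal from the Implementation plan, worked through together as an added example in plain Ruby. This is illustrative code written for this page, not GitLab's own implementation: `Note` and `Discussion` are constructed stand-ins for the real models, the `::` and `|` delimiters and the backslash escape are choices made here, and the sample notes are constructed. The status regex is the one proposed in the plan.

```ruby
require 'csv'

# Constructed stand-ins for GitLab's Note and Discussion models: plain structs with
# only the attributes this example needs, not the real ActiveRecord classes.
Note = Struct.new(:note, :author, :updated_by, :created_at, keyword_init: true) do
  # As the plan describes: the user who edited the note, or the author if never edited.
  def last_author
    updated_by || author
  end
end

Discussion = Struct.new(:notes, keyword_init: true)

module NotesSummary
  FIELD_SEP   = '::'  # separates timestamp, author, status and text inside one comment
  COMMENT_SEP = '|'   # separates one comment from the next (choice made for this example)
  ESCAPE      = '\\'  # prefix that makes the following character literal
  # The regex proposed in the plan, applied to the system note that opens a discussion,
  # e.g. "changed vulnerability status to Dismissed".
  STATUS_RE   = /\A[\w+\s]+to\s(?<status>\w+)/

  def self.status_for(discussion)
    m = STATUS_RE.match(discussion.notes.first.note.to_s)
    m ? m[:status] : ''
  end

  # Make user-supplied text inert with respect to both delimiters: every ':', '|' and
  # '\' gets a backslash prefix, so an unescaped '::' or '|' only appears where the
  # serializer put it.
  def self.escape(text)
    text.to_s.gsub(/[:|\\]/) { |c| ESCAPE + c }
  end

  # One "timestamp::author::status::text" record per note, records joined by '|'.
  # Every note of every discussion is kept so the full back-and-forth history survives.
  def self.build(discussions)
    discussions.flat_map do |d|
      status = status_for(d)
      d.notes.map do |n|
        [n.created_at.utc.strftime('%Y-%m-%d %H:%M:%SUTC'),
         escape(n.last_author), escape(status), escape(n.note)].join(FIELD_SEP)
      end
    end.join(COMMENT_SEP)
  end

  # Inverse of build: a tokenizer that honours the escape prefix, so a comment containing
  # '::' or '|' comes back intact instead of splitting into extra fields or comments.
  def self.parse(summary)
    return [] if summary.empty?

    comments, fields, buf, i = [], [], +'', 0
    while i < summary.length
      if summary[i] == ESCAPE
        buf << summary[i + 1].to_s
        i += 2
      elsif summary[i, 2] == FIELD_SEP
        fields << buf
        buf = +''
        i += 2
      elsif summary[i] == COMMENT_SEP
        fields << buf
        comments << fields
        fields, buf = [], +''
        i += 1
      else
        buf << summary[i]
        i += 1
      end
    end
    fields << buf
    comments << fields
  end

  # The CSV layer is Ruby's stdlib: with force_quotes the cell is always wrapped in double
  # quotes and embedded quotes are doubled (RFC 4180), so commas, newlines and the
  # summary's own delimiters cannot break the row.
  def self.csv_row(title, discussions)
    CSV.generate_line([title, build(discussions)], force_quotes: true)
  end
end

# Constructed sample: a Dismissed discussion whose comment contains both delimiters,
# then a Confirmed discussion whose comment was edited by a second user.
SAMPLE = [
  Discussion.new(notes: [
    Note.new(note: 'changed vulnerability status to Dismissed', author: 'system',
             updated_by: nil, created_at: Time.utc(2022, 9, 28, 1, 2, 3)),
    Note.new(note: 'False positive | see ticket SEC::42', author: 'Author Name',
             updated_by: nil, created_at: Time.utc(2022, 9, 28, 1, 2, 10))
  ]),
  Discussion.new(notes: [
    Note.new(note: 'changed vulnerability status to Confirmed', author: 'system',
             updated_by: nil, created_at: Time.utc(2022, 10, 1, 9, 0, 0)),
    Note.new(note: 'Reopened after retest', author: 'Original Poster',
             updated_by: 'Editor Name', created_at: Time.utc(2022, 10, 1, 9, 5, 0))
  ])
]

if __FILE__ == $PROGRAM_NAME
  puts NotesSummary.csv_row('Say "hi", SQL injection', SAMPLE)
  p NotesSummary.parse(NotesSummary.build(SAMPLE))
end
```

Running the file prints one quoted CSV row and the four comments recovered from it; a naive `split('|')` on the same summary yields five pieces because of the `|` inside the second comment, which is exactly the confusion the escaping prevents. The CSV quoting keeps the row structure intact; it does not decide how a spreadsheet treats a comment that begins with `=`, `+`, `-` or `@`, which is a separate sanitization choice for the export.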