
Vulnerabilities must have "Report type" attribute

Problem to solve

Currently, Vulnerabilities are created without being bound to any report type. But because they are promoted from Findings, which do carry report-type context (each Finding is reported by a particular scanner such as SAST or DAST), Vulnerabilities should also record the report type they belong to.

Intended users

Proposal

  • Introduce a report_type attribute on Vulnerabilities, with the same set of allowed values as Finding's report_type.
  • Copy the finding.report_type value into vulnerability.report_type when a Vulnerability is created from a Finding.
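As an added illustration of the two proposal points above (not GitLab's own code), the plain-Ruby sketch below promotes a Finding to a Vulnerability, copies report_type across, and rejects a promotion whose report type is missing or not in the allowed set. The report type names and their integer values are assumed for this example.

```ruby
# Constructed example for this proposal (not GitLab's own code). It models a
# Finding being promoted to a Vulnerability that inherits the Finding's
# report_type and is rejected if that value is missing or unknown.
# The report type names and integer values are assumed for illustration.
REPORT_TYPES = {
  'sast' => 0,
  'dependency_scanning' => 1,
  'container_scanning' => 2,
  'dast' => 3,
  'secret_detection' => 4
}.freeze

class InvalidReportType < StandardError; end

# Minimal stand-in for the Finding record; only the fields used here.
Finding = Struct.new(:id, :name, :report_type, keyword_init: true)

class Vulnerability
  attr_reader :finding_id, :title, :report_type

  def initialize(finding_id:, title:, report_type:)
    raise InvalidReportType, 'report_type must be present' if report_type.nil?
    unless REPORT_TYPES.key?(report_type)
      raise InvalidReportType, "unknown report_type #{report_type.inspect}"
    end

    @finding_id = finding_id
    @title = title
    @report_type = report_type
  end

  # Integer that would be stored in the database column (enum-style mapping).
  def report_type_id
    REPORT_TYPES.fetch(report_type)
  end

  # Shape of an API response that carries the new attribute.
  def to_h
    { finding_id: finding_id, title: title, report_type: report_type }
  end
end

# Promotion step: the report type is copied from the Finding, never guessed.
def create_vulnerability_from_finding(finding)
  Vulnerability.new(
    finding_id: finding.id,
    title: finding.name,
    report_type: finding.report_type
  )
end
```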

Permissions and Security

No permissions are changed or introduced.

Documentation

Update the Vulnerabilities API docs pages:

  • Create a Vulnerability from Finding API call page
  • Example responses on all of the Vulnerabilities API pages

Testing

Having API call integration tests (Rails request specs) would be enough to test this.

What does success look like, and how can we measure that?

Every Vulnerability created has a report type assigned to it.

What is the type of buyer?

GitLab Ultimate

Links / references

Initially, this was included in the scope of the First-class Vulnerabilities MVC backstage implementation.

Edited by Victor Zagorodny