Add additional information about the scanner for users and support to use
Problem to solve
For the purposes of troubleshooting as well as clarity, we should be able to show the details of which scanner produced a finding.
A user may wonder what version they are using (are they on the latest? how far behind?).
A support person may wonder whether it is a partner scanner or a GitLab scanner.
Intended users
Any user viewing scan output
GitLab support
Further details
When looking at a scan in the artifact itself, the Merge Request Secure area, the Security Dashboard, etc., I should be able to determine the origin of the scan.
For example: is the scan SAST from GitLab using Gosec vX.X, or is it SAST from a third party?
Today we know the category (SAST) and the scanner name (Gemnasium), but do we know the version? And can we add something like a scanner company, "provided by", "maintained by" or "integrated by" field and then expose it?
Proposal/Design
Based on the quick user research, we see that most users (around 80%) think this data is useful in some way:
- Type: SAST
- Scanner: Synopsys (Version 12.1)
There were some other suggestions, such as a link from the scanner to its configuration, or showing it on the list page. These will be considered in future issues.
From the result of the quick user research:
We understand that this information is useful, and no other information about the scanner was mentioned. The decision is to put it in the modal window (see picture below). Follow-ups will be done in future issues: whether or not to put this in the list view, and adding a filter for scanner/type of scan.
For the JSON file, how to group/name the fields is up to the devs.
Other questions
Do we want to permit hyperlinks?
Yes, we do. We want to make the "Name (version)" text link-styled: blue text.
Should we enforce a maximum display size and then "..." it? No need, if we hide the link behind the text.
Can we bubble up which of our scanners did the scan, and its version? Yes, included in the design.
Permissions and Security
Anyone who can see the artefact or vulnerability information can see this additional attribute.
Documentation
Update dev docs and user docs as needed.
Testing
Can we add to an existing test to make sure that a report with no scanner information is supported, the GitLab format is supported, and a long third-party scanner name is shown and handled properly (truncated, etc.)?
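As an added illustration (not code from this issue or from the GitLab codebase) of the three cases the test above asks for, the snippet below reads scanner attribution out of a report and produces the "Name (version)" label with a hyperlink target. The report layout it reads (a top-level "scan" object with a "scanner" object carrying "name", "version", "url" and a "vendor" with a "name") is an assumption, since the issue leaves the JSON naming to the devs; the three sample reports and the 40-character display budget are constructed for the example.

```python
"""Scanner attribution for a security report (added example, not project code).

Assumed report layout (an assumption; the issue leaves JSON naming to the devs):
  {"scan": {"type": "sast",
            "scanner": {"name": ..., "version": ..., "url": ..., "vendor": {"name": ...}}}}
"""
from typing import Optional

# Display budget before the label is truncated with "..." (constructed value).
MAX_DISPLAY_LEN = 40

# Constructed sample reports covering the three cases named in the issue's
# testing note: no scanner info, the GitLab format, and a long third-party name.
NO_SCANNER_REPORT = {"scan": {"type": "sast"}, "vulnerabilities": []}
GITLAB_REPORT = {
    "scan": {
        "type": "sast",
        "scanner": {
            "id": "gosec",
            "name": "Gosec",
            "version": "2.4.0",
            "url": "https://example.invalid/gosec",  # placeholder URL
            "vendor": {"name": "GitLab"},
        },
    },
    "vulnerabilities": [],
}
THIRD_PARTY_REPORT = {
    "scan": {
        "type": "sast",
        "scanner": {
            "id": "coverity",
            "name": "Synopsys Coverity Static Analysis Enterprise Edition",
            "version": "2021.03-SP1",
            "vendor": {"name": "Synopsys"},
        },
    },
    "vulnerabilities": [],
}


def scanner_info(report: dict) -> Optional[dict]:
    """Return the scanner's name/version/vendor/url, or None when the report has none."""
    scanner = (report.get("scan") or {}).get("scanner") or {}
    name = scanner.get("name")
    if not name:
        return None  # "none is supported": absence is a valid state, not an error
    return {
        "name": name,
        "version": scanner.get("version"),
        "vendor": (scanner.get("vendor") or {}).get("name"),
        "url": scanner.get("url"),
    }


def truncate(text: str, limit: int = MAX_DISPLAY_LEN) -> str:
    """Shorten text to `limit` characters, ending in "..." when cut."""
    if len(text) <= limit:
        return text
    return text[: limit - 3] + "..."


def scanner_label(report: dict, limit: int = MAX_DISPLAY_LEN) -> Optional[str]:
    """Build the "Name (version)" text; version is optional, long names are truncated."""
    info = scanner_info(report)
    if info is None:
        return None
    label = f"{info['name']} ({info['version']})" if info["version"] else info["name"]
    return truncate(label, limit)


def is_gitlab_scanner(report: dict) -> bool:
    """True when the vendor field attributes the scanner to GitLab (support's question)."""
    info = scanner_info(report)
    return bool(info and info["vendor"] and info["vendor"].lower() == "gitlab")


def scanner_display(report: dict) -> dict:
    """Fields the modal needs: the scan type, the label, and the link target (if any)."""
    info = scanner_info(report)
    scan_type = ((report.get("scan") or {}).get("type") or "unknown").upper()
    return {
        "type": scan_type,
        "scanner": scanner_label(report),
        "href": info["url"] if info else None,
        "gitlab": is_gitlab_scanner(report),
    }


if __name__ == "__main__":
    for name, report in [("none", NO_SCANNER_REPORT), ("gitlab", GITLAB_REPORT),
                         ("third-party", THIRD_PARTY_REPORT)]:
        print(name, scanner_display(report))
```

The hyperlink is kept as a separate `href` field rather than embedded in the label, which is what lets the label be truncated freely while the full scanner identity stays reachable through the link.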
What does success look like, and how can we measure that?
A user can determine the source of a scan.