Add SEVERITY_THRESHOLD variable to dependency scanning
Proposal
Add to Dependency Scanning a CI/CD variable similar to the CS_SEVERITY_THRESHOLD variable
available for Container Scanning.
The Dependency Scanning variable would set the severity threshold so that the scanner outputs only vulnerabilities whose severity level (Unknown, Low, Medium, High, or Critical) is higher than or equal to the configured threshold.
Customer impact
The customer is looking to report only Critical/High vulnerabilities at first, then, once those are resolved, lower the severity threshold in the scanner so that it reports more vulnerabilities (Medium and Low). The purpose is to reduce noise so that users have clarity on what needs to be fixed.
Current workaround
Currently, to see only certain severities of the vulnerabilities created by the Dependency Scanning feature, we can use the filtering option. In a group, select Security & Compliance > Vulnerability report in the left sidebar, then filter the list of vulnerabilities using the filters:
- Tool: Dependency Scanning
- Severity: High
See all available filters in the documentation.
Implementation Plan
- Add a new variable to the CLI: DS_SEVERITY_THRESHOLD
- Update the FileConverter.Vulnerabilities function so that it filters out vulnerabilities below the threshold.
- Add debug logging statements that can help view this from a user's perspective.
- Add unit tests for the file converter changes.
- Add specs to the integration specs that demonstrate that this works for gemnasium, gemnasium-python, and gemnasium-maven.
- Document the usage of the variable in the Configuring dependency scanning docs.
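The following is an added Go example illustrating the filtering semantics the proposal and implementation plan describe; it is not code from the gemnasium analyzers, and the Vulnerability struct, FilterBySeverity, ParseSeverity and ThresholdFromEnv names are hypothetical stand-ins for whatever the real FileConverter.Vulnerabilities change would use. It reads DS_SEVERITY_THRESHOLD, treats an unset or empty value as "report everything" (so existing pipelines keep their current behaviour), rejects unrecognised names rather than silently suppressing findings, and emits a debug line for every finding it drops.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Severity is ordered so that a plain comparison implements "higher than or
// equal to the threshold": Unknown < Low < Medium < High < Critical.
type Severity int

const (
	Unknown Severity = iota
	Low
	Medium
	High
	Critical
)

var severityNames = [...]string{"Unknown", "Low", "Medium", "High", "Critical"}

func (s Severity) String() string {
	if s < Unknown || s > Critical {
		return fmt.Sprintf("Severity(%d)", int(s))
	}
	return severityNames[s]
}

// ParseSeverity maps a case-insensitive severity name to its rank. A name that
// is not one of the five levels is an error rather than a silent default, so a
// typo in the variable cannot quietly hide every finding.
func ParseSeverity(name string) (Severity, error) {
	for i, n := range severityNames {
		if strings.EqualFold(strings.TrimSpace(name), n) {
			return Severity(i), nil
		}
	}
	return Unknown, fmt.Errorf("invalid severity threshold %q (expected one of %s)",
		name, strings.Join(severityNames[:], ", "))
}

// ThresholdFromEnv reads DS_SEVERITY_THRESHOLD (the variable name proposed in
// the issue). Unset or empty means a threshold of Unknown, i.e. no filtering.
// The lookup function is injected so the behaviour can be tested without os.Setenv.
func ThresholdFromEnv(lookup func(string) (string, bool)) (Severity, error) {
	raw, ok := lookup("DS_SEVERITY_THRESHOLD")
	if !ok || strings.TrimSpace(raw) == "" {
		return Unknown, nil
	}
	return ParseSeverity(raw)
}

// Vulnerability is a hypothetical, minimal stand-in for an analyzer report
// entry; only the fields needed for filtering are modelled.
type Vulnerability struct {
	ID       string
	Package  string
	Severity Severity
}

// FilterBySeverity keeps findings whose severity is >= threshold and reports
// each dropped finding through logf, mirroring the debug-logging step of the plan.
func FilterBySeverity(vulns []Vulnerability, threshold Severity, logf func(string, ...interface{})) []Vulnerability {
	kept := make([]Vulnerability, 0, len(vulns))
	for _, v := range vulns {
		if v.Severity < threshold {
			if logf != nil {
				logf("dropping %s (%s): severity %s is below threshold %s", v.ID, v.Package, v.Severity, threshold)
			}
			continue
		}
		kept = append(kept, v)
	}
	return kept
}

// SampleVulnerabilities returns constructed findings; the IDs and packages are
// made up for this example and do not refer to real advisories.
func SampleVulnerabilities() []Vulnerability {
	return []Vulnerability{
		{ID: "EXAMPLE-0001", Package: "pkg-a", Severity: Low},
		{ID: "EXAMPLE-0002", Package: "pkg-b", Severity: Critical},
		{ID: "EXAMPLE-0003", Package: "pkg-c", Severity: Medium},
		{ID: "EXAMPLE-0004", Package: "pkg-d", Severity: High},
		{ID: "EXAMPLE-0005", Package: "pkg-e", Severity: Unknown},
	}
}

func main() {
	threshold, err := ThresholdFromEnv(os.LookupEnv)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	logf := func(format string, args ...interface{}) {
		fmt.Fprintf(os.Stderr, "[DEBUG] "+format+"\n", args...)
	}
	for _, v := range FilterBySeverity(SampleVulnerabilities(), threshold, logf) {
		fmt.Printf("%-14s %-8s %s\n", v.ID, v.Package, v.Severity)
	}
}
```

Running it with DS_SEVERITY_THRESHOLD=High prints only the Critical and High sample findings and logs the three dropped ones to stderr; running it with the variable unset prints all five. Treating the unset case as Unknown rather than as an error is what keeps the variable opt-in, which matches how the customer wants to tighten and later relax the threshold over time.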