Labels for items in the Vulnerability Report

This issue is a product of a number of chats we had across Application Security, group::vulnerability research, group::static analysis, group::composition analysis and group::threat insights.

Context

Currently, we have a number of discussion issues open covering various mechanisms that aim to improve the triaging process by providing more insight into the "criticality" of findings: https://gitlab.com/gitlab-com/gl-security/security-research/sec-research/-/issues/74, #197971, #10046 (closed). These proposals differ in the context they target (SAST, Container Scanning and Dependency Scanning).

With Auto-dismissals, we will have a very powerful way to set automatic actions/policies for findings listed in the Vulnerability Report: a generic solution that works across the whole spectrum of findings, irrespective of the analyzer that generated them.

Proposal

At the moment we cannot add meta-information to findings that are displayed in the Vulnerability Report. Such meta-information could be very useful for triaging findings in the report. One mechanism for attaching meta-information that we use every day is "issue labels". Labels have proved very useful for categorizing issues along several dimensions (which team(s) are involved, effort, impact, feature work vs. bugfixes). It would be very useful if we could carry this concept over to findings listed in the Vulnerability Report.

Having labels for findings in the Vulnerability Report could ...

  1. generally improve the triaging process by enabling security auditors to add context to findings: labels could be attached to findings in order to augment them with contextual information.
  2. enable tools to provide contextual information by setting labels automatically. A static-analysis tool could detect which dependencies are actually used in a project (as suggested in #197971 and https://gitlab.com/gitlab-com/gl-security/security-research/sec-research/-/issues/74) and request that certain labels be attached automatically. These labels would then show up in the Vulnerability Report and help the auditor prioritize the most relevant findings during triage. Labels such as use-detected for 3rd-party libraries, or OWASP:A01:2021 and CWE-22 for findings of any analyzer, would let auditors search and filter findings along different dimensions, which ties in with Vulnerability groups.
  3. connect tools with (potentially automated) actions in the Vulnerability Report; for example, we could automatically dismiss findings based on a label that has been set by a tool. In this sense, labels could work as a connection point between tools and (potentially automated) actions such as Auto-dismissals.
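To make points 2 and 3 concrete, here is an added, self-contained model of the proposed flow: a tool derives labels for findings (a CWE label from the finding's identifiers, an OWASP Top 10 label via a mapping, and a usage label for dependency findings), and a label-driven policy then auto-dismisses findings carrying a given label. This is illustrative code written for this issue, not GitLab code and not a GitLab API; the finding fields, the sample findings, the imported-package set, the CWE-to-OWASP table and the `use-not-detected` label are all constructed assumptions for the example.

```python
"""Illustrative model of label-driven triage for Vulnerability Report findings.

Added example for this issue: NOT GitLab code and NOT a GitLab API. Findings are
plain objects whose fields loosely follow GitLab's security report JSON
(identifiers with a type/value, a dependency package name); everything here is
a simplified stand-in to show the mechanism, not the real schema.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample: 3rd-party packages a (hypothetical) static-analysis step
# found to be actually imported by the project.
IMPORTED_PACKAGES = {"requests", "pyyaml"}

# Hypothetical CWE -> OWASP Top 10 (2021) mapping, only the entries used below.
CWE_TO_OWASP = {
    "CWE-22": "OWASP:A01:2021",    # path traversal -> Broken Access Control
    "CWE-89": "OWASP:A03:2021",    # SQL injection -> Injection
    "CWE-1104": "OWASP:A06:2021",  # unmaintained component -> Vulnerable Components
}


@dataclass
class Finding:
    name: str
    category: str                  # "sast" or "dependency_scanning"
    identifiers: List[dict]        # e.g. [{"type": "cwe", "value": "22"}]
    package: Optional[str] = None  # set for dependency-scanning findings
    labels: Set[str] = field(default_factory=set)
    dismissed: bool = False
    dismissal_reason: Optional[str] = None


def derive_labels(f: Finding) -> Set[str]:
    """Labels a tool would request for one finding (the 'tool side' of point 2)."""
    labels = set()
    for ident in f.identifiers:
        if ident.get("type") == "cwe":
            cwe = f"CWE-{ident['value']}"
            labels.add(cwe)
            owasp = CWE_TO_OWASP.get(cwe)
            if owasp:
                labels.add(owasp)
    if f.category == "dependency_scanning" and f.package:
        # use-detected comes from the issue text; use-not-detected is an
        # assumed counterpart so a policy has a label to act on.
        labels.add("use-detected" if f.package in IMPORTED_PACKAGES else "use-not-detected")
    return labels


def apply_labels(findings: List[Finding]) -> List[Finding]:
    for f in findings:
        f.labels |= derive_labels(f)
    return findings


def auto_dismiss(findings: List[Finding], rule_label: str = "use-not-detected",
                 reason: str = "dependency not used by the project") -> List[Finding]:
    """Hypothetical label-driven policy (the 'action side' of point 3)."""
    for f in findings:
        if rule_label in f.labels and not f.dismissed:
            f.dismissed = True
            f.dismissal_reason = reason
    return findings


def filter_by_label(findings: List[Finding], label: str) -> List[Finding]:
    """Auditor-side filtering along a label dimension."""
    return [f for f in findings if label in f.labels]


def build_sample() -> List[Finding]:
    # Constructed findings, not real scanner output.
    return [
        Finding("Path traversal in download handler", "sast",
                [{"type": "cwe", "value": "22"}]),
        Finding("Advisory in requests", "dependency_scanning",
                [{"type": "cwe", "value": "1104"}], package="requests"),
        Finding("Advisory in left-pad", "dependency_scanning",
                [{"type": "cwe", "value": "1104"}], package="left-pad"),
    ]


def triage() -> List[Finding]:
    """Run labeling, then the auto-dismiss policy, over the sample findings."""
    return auto_dismiss(apply_labels(build_sample()))


if __name__ == "__main__":
    for f in triage():
        state = f"dismissed ({f.dismissal_reason})" if f.dismissed else "open"
        print(f"{f.name}: {sorted(f.labels)} -> {state}")
```

The point of the model is the decoupling: the tool only requests labels, the auditor filters on labels, and the policy acts on labels, so the same mechanism works for SAST and dependency findings alike.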