Prefer scan.scanner over vulnerabilities[].scanner
Why are we doing this work
As discussed in #370925 (comment 1072627524), we no longer accept vulnerabilities[].scanner in the security report schema versions 15-0-0 and above.
However, until we remove support for versions 14-x-x, we still need to honour the property. As @minac said:

> we need to change the current logic to use the `scan.scanner` if the `vulnerabilities[].scanner` does not exist

Perhaps a better approach is to do the opposite: use `scan.scanner` and, if absent, fall back to `vulnerabilities[].scanner`.
Relevant links
Non-functional requirements
- Documentation: -
- Feature flag: -
- Performance: -
- Testing:
Implementation plan
- Adjust the `create_scanner` method in `lib/gitlab/ci/parsers/security/common.rb` to try `report_data["vulnerabilities"].first["scanner"]` if `top_level_scanner` returns no data
- Create a spec for this scenario
  - Try loading an existing report fixture for this spec and remove the `scan.scanner` entry in memory instead of creating a new fixture
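The lookup order described above, written out as a stand-alone Ruby example. This is an added illustration, not the project's `create_scanner` implementation: the `resolve_scanner` helper and the three sample reports are constructed here, and the reports are hand-written JSON rather than fixtures from the repository. The helper prefers `scan.scanner`, falls back to the first `vulnerabilities[].scanner`, and returns `nil` (instead of raising) when neither is present, which is the case the spec in the plan would exercise.

```ruby
require 'json'

# Constructed sample: a 15.x-style report carries the scanner only under scan.scanner.
REPORT_TOP_LEVEL_ONLY = JSON.parse(<<~JSON)
  {
    "version": "15.0.0",
    "scan": { "scanner": { "id": "gemnasium", "name": "Gemnasium", "vendor": { "name": "GitLab" } } },
    "vulnerabilities": [ { "id": "a1", "name": "Example finding" } ]
  }
JSON

# Constructed sample: a 14.x-style report with no scan.scanner, only per-vulnerability scanners.
REPORT_LEGACY_ONLY = JSON.parse(<<~JSON)
  {
    "version": "14.1.2",
    "scan": {},
    "vulnerabilities": [
      { "id": "b1", "name": "Example finding", "scanner": { "id": "brakeman", "name": "Brakeman" } }
    ]
  }
JSON

# Constructed sample: both present and disagreeing, to show that scan.scanner wins.
REPORT_BOTH = JSON.parse(<<~JSON)
  {
    "version": "14.1.2",
    "scan": { "scanner": { "id": "semgrep", "name": "Semgrep" } },
    "vulnerabilities": [
      { "id": "c1", "name": "Example finding", "scanner": { "id": "brakeman", "name": "Brakeman" } }
    ]
  }
JSON

# Constructed sample: neither source present (e.g. fixture with scan.scanner removed in memory).
REPORT_EMPTY = JSON.parse('{ "version": "14.1.2", "vulnerabilities": [] }')

# A scanner entry counts as present only if it is a non-empty Hash.
def scanner_present?(value)
  value.is_a?(Hash) && !value.empty?
end

# Hypothetical helper mirroring the implementation plan.
# Returns [scanner_hash_or_nil, source], where source is :top_level, :vulnerability or :none,
# so callers can log which field the scanner came from while 14.x reports are still accepted.
def resolve_scanner(report_data)
  top_level = report_data.dig('scan', 'scanner')
  return [top_level, :top_level] if scanner_present?(top_level)

  first_vulnerability = Array(report_data['vulnerabilities']).first
  legacy = first_vulnerability.is_a?(Hash) ? first_vulnerability['scanner'] : nil
  return [legacy, :vulnerability] if scanner_present?(legacy)

  [nil, :none]
end

if __FILE__ == $PROGRAM_NAME
  { top_level_only: REPORT_TOP_LEVEL_ONLY, legacy_only: REPORT_LEGACY_ONLY,
    both: REPORT_BOTH, empty: REPORT_EMPTY }.each do |label, report|
    scanner, source = resolve_scanner(report)
    puts "#{label}: source=#{source} scanner_id=#{scanner ? scanner['id'] : 'none'}"
  end
end
```

The `:none` result is the interesting branch for the spec: a report whose `scan.scanner` has been deleted in memory and whose vulnerabilities carry no scanner should produce no scanner record rather than a `NoMethodError` on `nil`.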
Verification steps
- Put this feature behind a feature flag
- Create a project under https://gitlab.com/gitlab-org/secure/tests
- Enable the FF for that project
- Push a report that doesn't contain the `scan.scanner` property
- Verify that the scanner gets populated correctly in the database
Edited by Mehmet Emin INAC