Update Security Report format to make the location an array

Problem to solve

The current common format has a vulnerabilities[].location field which is "A node that tells where the vulnerability is located.". While this will be enough in most cases, there are analyzers that will provide a list of locations instead, to report a complete flow to the detected vulnerability.

NOTE: This is NOT about reporting multiple, distinct locations for the same vulnerability.

Intended users

Further details

Some partners are asking for this change to be able to provide the right data to users: in some cases, the reported location is a set of locations, like a stack trace. The full control flow is reflected by this array of locations. This change makes sense and could perhaps be made backward compatible with the current implementation.

Proposal

I see two ways (please feel free to suggest other ideas) to achieve this:

  1. Add a new field to support a kind of stack trace, alongside vulnerabilities[].location. It's a fully backward compatible change, but it splits the data into two pieces.
  2. Change the current vulnerabilities[].location to become a vulnerabilities[].location[]. Not backward compatible.
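To see how each option lands on the consumer side, here is an added example (not GitLab's code) of a report reader that accepts the current single-object location, option 1 (single object plus a separate flow array, called `trace` here, a name assumed for this illustration), and option 2 (location is an array), normalising all three into one ordered flow and rejecting malformed nodes. The node keys `file` and `start_line` are assumptions, not the actual schema, and the ordering of the flow (ending at the finding itself) is assumed too.

```python
import json

# Minimum keys assumed for a location node (assumption, not the real schema).
REQUIRED_KEYS = ("file", "start_line")

def _check_node(node, where):
    """Validate one location node; reject anything that is not a well-formed object."""
    if not isinstance(node, dict):
        raise ValueError(f"{where}: location node must be an object")
    missing = [k for k in REQUIRED_KEYS if k not in node]
    if missing:
        raise ValueError(f"{where}: location node missing {missing}")
    if not isinstance(node["start_line"], int) or node["start_line"] < 1:
        raise ValueError(f"{where}: start_line must be a positive integer")
    return node

def location_flow(vuln, index=0):
    """Return the ordered list of location nodes for one vulnerability.

    Handles the current format (location is one object), proposal 1 (one object
    plus a separate ``trace`` array, a field name assumed here) and proposal 2
    (location is an array). The flow is assumed to end at the finding itself.
    """
    where = f"vulnerabilities[{index}]"
    loc = vuln.get("location")
    if loc is None:
        raise ValueError(f"{where}: missing location")
    if isinstance(loc, list):  # proposal 2: the array is the whole flow
        if not loc:
            raise ValueError(f"{where}: location array is empty")
        return [_check_node(n, f"{where}.location[{i}]") for i, n in enumerate(loc)]
    trace = vuln.get("trace", [])  # proposal 1: flow lives beside location
    if not isinstance(trace, list):
        raise ValueError(f"{where}: trace must be an array")
    flow = [_check_node(n, f"{where}.trace[{i}]") for i, n in enumerate(trace)]
    flow.append(_check_node(loc, f"{where}.location"))
    return flow

def flows_from_report(text):
    report = json.loads(text)
    return [location_flow(v, i) for i, v in enumerate(report.get("vulnerabilities", []))]

# Constructed sample report: one finding per format variant (not real output).
SAMPLE_REPORT = json.dumps({"vulnerabilities": [
    {"id": "a", "location": {"file": "app.py", "start_line": 10}},
    {"id": "b", "location": {"file": "app.py", "start_line": 30},
     "trace": [{"file": "views.py", "start_line": 5}]},
    {"id": "c", "location": [{"file": "input.py", "start_line": 3},
                             {"file": "sink.py", "start_line": 12}]},
]})
```

Whichever option is chosen, a consumer written this way only has to change `location_flow`, which is the practical cost of option 2's incompatibility.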

Permissions and Security

N/A

Documentation

Change https://docs.gitlab.com/ee/user/application_security/sast/index.html#reports-json-format and other places where this format is being used.

Testing

Solution 2 requires updating almost all QA and tests.

What does success look like, and how can we measure that?

Users can benefit from extra data from advanced analyzers.

What is the type of buyer?

GitLab Ultimate

Links / references

  • This could influence the result of this UX discovery: #8426 (closed)

/cc @gonzoyumo @twoodham @sethgitlab @matt_wilson

Edited by Fabien Catteau