
Upgrade the DAST JSON report to schema 15.x.x

Problem

The Security report schema 14.x.x will be deprecated from GitLab 15.8 and removed in 16.0. To avoid showing DAST users a deprecation warning, the schema version DAST emits should be upgraded to 15.x.x before GitLab 15.8 is released.

Proposal

  • DAST should produce a Secure report version 15.x.x when running on GitLab 15.4 and above.
  • DAST should produce a Secure report version 14.x.x when running on GitLab 15.3 and below.

Implementation plan

  • DAST should read the CI_SERVER_VERSION_MAJOR and CI_SERVER_VERSION_MINOR CI/CD variables that are provided by GitLab
  • When MAJOR/MINOR version is 15.3 and below, DAST Python should produce a report that conforms to schema 14.1.2 (the same as it produces at time of writing)
  • When MAJOR/MINOR version is 15.3 and below, Browserker should produce a report that conforms to schema 14.1.2 (the same as it produces at time of writing)
  • When MAJOR/MINOR version is 15.4 and above, DAST Python should produce a report that conforms to schema 15.0.2
  • When MAJOR/MINOR version is 15.4 and above, Browserker should produce a report that conforms to schema 15.0.2
  • Configuration will likely need to be passed to Browserker to configure which version of the report it should conform to
    • Alternatively, Browserker could read the CI_SERVER_VERSION_XXX CI/CD environment variables itself. If you take this approach, please don't read the CI/CD variables outside of the config package. Keeping them there will make it easy to configure Browserker through environment variables later, which will be required when Browserker runs stand-alone from DAST Python
  • Changes required for the 15.x.x schema involve:
    • Remove vulnerabilities[].cve
    • Remove vulnerabilities[].scanner
    • Remove vulnerabilities[].category
    • Remove vulnerabilities[].discovered_at (move it to vulnerabilities[].details.discovered_at if it's easy)
    • Remove vulnerabilities[].confidence
    • Remove vulnerabilities[].message
    • Make sure scan.start_time/end_time conform to the new pattern
  • Test producing reports in both formats. I'd recommend that there is at least one end-to-end test run for each supported schema version
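The plan above, worked through as an added example (this is illustration code written for this page, not DAST's or Browserker's own implementation): pick the schema version from CI_SERVER_VERSION_MAJOR/MINOR, and convert a 14.1.2-shaped report into the 15.0.2 shape by dropping the listed vulnerabilities[] fields, moving discovered_at under details, and normalising scan.start_time/end_time. Assumptions not stated on the page, marked again in the code: the 15.x time pattern is taken to be "YYYY-MM-DDThh:mm:ss" in UTC with no fractional seconds or offset; a missing or malformed version variable falls back to the current 14.1.2 output; the moved discovered_at is stored as a "text" detail entry; the sample report is constructed and deliberately minimal rather than a complete valid report.

```python
import copy
import os
import re
from datetime import datetime, timezone

SCHEMA_14 = "14.1.2"
SCHEMA_15 = "15.0.2"

# Assumption: the 15.x schema wants "YYYY-MM-DDThh:mm:ss" (UTC, no fraction, no offset).
TIME_PATTERN = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}$")

# Fields the issue lists for removal from vulnerabilities[] in the 15.x report.
REMOVED_VULN_FIELDS = ("cve", "scanner", "category", "confidence", "message")


def select_schema_version(env=None, switch_at=(15, 4)):
    """Return the schema version to emit, based on CI_SERVER_VERSION_MAJOR/MINOR.

    15.4 and above -> 15.0.2; 15.3 and below -> 14.1.2. Compared as integers,
    so 15.10 sorts after 15.4. Assumption: if the variables are missing or
    unparsable (a run outside GitLab CI) keep the current 14.1.2 output.
    """
    env = os.environ if env is None else env
    try:
        major = int(env["CI_SERVER_VERSION_MAJOR"])
        minor = int(env["CI_SERVER_VERSION_MINOR"])
    except (KeyError, ValueError):
        return SCHEMA_14
    return SCHEMA_15 if (major, minor) >= switch_at else SCHEMA_14


def normalise_time(value):
    """Coerce an ISO 8601 timestamp to the assumed pattern, converting to UTC."""
    if TIME_PATTERN.match(value):
        return value
    # datetime.fromisoformat() only accepts a trailing "Z" from Python 3.11 on;
    # rewrite it as an explicit offset so older interpreters parse it as well.
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is not None:
        parsed = parsed.astimezone(timezone.utc)
    return parsed.strftime("%Y-%m-%dT%H:%M:%S")


def to_schema_15(report):
    """Return a 15.0.2-shaped copy of a 14.1.2-shaped report; the input is untouched."""
    out = copy.deepcopy(report)
    out["version"] = SCHEMA_15
    for vuln in out.get("vulnerabilities", []):
        for field in REMOVED_VULN_FIELDS:
            vuln.pop(field, None)
        discovered = vuln.pop("discovered_at", None)
        if discovered is not None:
            # Assumption: details entries are named fields carrying a "type";
            # a "text" detail is the simplest container for the timestamp.
            vuln.setdefault("details", {})["discovered_at"] = {
                "type": "text",
                "name": "Discovered at",
                "value": discovered,
            }
    scan = out.get("scan", {})
    for key in ("start_time", "end_time"):
        if key in scan:
            scan[key] = normalise_time(scan[key])
    return out


def produce_report(report_14, env=None):
    """Emit the report in whichever schema the running GitLab instance expects."""
    if select_schema_version(env) == SCHEMA_15:
        return to_schema_15(report_14)
    return copy.deepcopy(report_14)


# Constructed sample: a minimal 14.1.2-style report carrying the fields 15.x drops.
SAMPLE_REPORT_14 = {
    "version": SCHEMA_14,
    "scan": {
        "status": "success",
        "type": "dast",
        "start_time": "2022-08-01T10:00:00.123456Z",
        "end_time": "2022-08-01T10:05:30+02:00",
    },
    "vulnerabilities": [
        {
            "id": "constructed-finding-1",
            "category": "dast",
            "name": "Example finding",
            "message": "Example finding",
            "description": "Constructed finding used only for this example.",
            "cve": "example-cve-value",
            "severity": "Medium",
            "confidence": "Medium",
            "scanner": {"id": "dast", "name": "DAST"},
            "discovered_at": "2022-08-01T10:02:00",
            "location": {"hostname": "https://example.invalid", "method": "GET", "path": "/"},
        }
    ],
}

if __name__ == "__main__":
    import json

    ci_env = {"CI_SERVER_VERSION_MAJOR": "15", "CI_SERVER_VERSION_MINOR": "4"}
    print(json.dumps(produce_report(SAMPLE_REPORT_14, ci_env), indent=2))
```

Running the module prints the converted 15.0.2 report for a simulated GitLab 15.4; passing MINOR "3" instead returns the 14.1.2 input unchanged, which is the behaviour each end-to-end test run per schema version would lock in.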
Edited by Cameron Swords