Include the CVSS information in the CSV export
Why are we doing this work
The CSV export of the vulnerability page should reflect the newly added CVSS vector information.
Relevant links
n/a
Non-functional requirements
- Documentation:
- Feature flag:
- Performance: The performance of the CSV export functionality should not regress.
- Testing: Specs should be updated to verify that the CVSS vectors are included in the CSV export.
Implementation plan
- Update the CSV service
  - Add a CVSS_DELIMITER and CVSS_FORMATTER that will be used to format the CVSS vectors.
    - The CVSS_DELIMITER should be ;
    - The CVSS_FORMATTER should format the vectors in the following style: [VENDOR]=[VECTOR_STRING];[VENDOR]=[VECTOR_STRING]...
  - Update the CSV mapping to include the cvss_vectors field using the CVSS_FORMATTER lambda.
  - Update the specs to check for the newly expected CSV output.
  - Add to the headers the CVSS Vectors header.
- Update the vulnerability export service
  - Update the expectations so that they include the expected CVSS vectors.
  - Verify that the export service specs fail after the changes. If they do not, ensure that the matchers used are updated so that they do.
- Add documentation to GitLab doc mentioning adding a new field with an explanation to the existing list in the docs.
Verification steps
- Create a sample project with vulnerabilities.
- Run the dependency scanning jobs and ensure that the vulnerabilities are created with the CVSS vector information.
- Export the vulnerability report in CSV format, and verify that the vectors appear there as well.
Edited by Oscar Tovar
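
The cell format from the implementation plan above, sketched in Ruby as an added example (not GitLab's code). CVSS_DELIMITER, CVSS_FORMATTER and cvss_vectors are the issue's names; the input shape (hashes with 'vendor' and 'vector' keys), parse_cvss_cell, the sample data and the rejection of ambiguous entries are assumptions. It also guards the case where an empty vendor would make the cell begin with "=", which spreadsheet applications read as a formula.

```ruby
# Added example; only CVSS_DELIMITER, CVSS_FORMATTER and cvss_vectors come from the issue.
CVSS_DELIMITER = ';'

# Constructed sample data. Assumed shape: array of hashes with 'vendor' and 'vector'.
SAMPLE_CVSS_VECTORS = [
  { 'vendor' => 'GitLab', 'vector' => 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H' },
  { 'vendor' => 'NVD',    'vector' => 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N' }
].freeze

# Formats vectors as [VENDOR]=[VECTOR_STRING];[VENDOR]=[VECTOR_STRING]...
# nil or an empty list becomes an empty cell.
CVSS_FORMATTER = lambda do |cvss_vectors|
  Array(cvss_vectors).map do |entry|
    vendor = entry['vendor'].to_s
    vector = entry['vector'].to_s
    # Assumption: refuse entries that cannot be split back unambiguously.
    # An empty vendor would also make the cell start with "=" (formula prefix).
    ambiguous = vendor.empty? || vendor.include?('=') ||
                [vendor, vector].any? { |v| v.include?(CVSS_DELIMITER) }
    raise ArgumentError, "unrepresentable CVSS entry: #{entry.inspect}" if ambiguous

    "#{vendor}=#{vector}"
  end.join(CVSS_DELIMITER)
end

# Hypothetical consumer-side helper: turns an exported cell back into
# a { vendor => vector } hash, rejecting malformed pairs.
def parse_cvss_cell(cell)
  cell.to_s.split(CVSS_DELIMITER).to_h do |pair|
    vendor, vector = pair.split('=', 2)
    raise ArgumentError, "malformed pair: #{pair.inspect}" if vendor.to_s.empty? || vector.nil?

    [vendor, vector]
  end
end

if __FILE__ == $PROGRAM_NAME
  cell = CVSS_FORMATTER.call(SAMPLE_CVSS_VECTORS)
  puts cell
  puts parse_cvss_cell(cell).inspect
end
```

CVSS vector strings contain no commas, so with ; as the inner delimiter the formatted cell needs no CSV quoting.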