Enrich Container Scanning report with more metadata
Refs: gitlab-org/gitlab-ee#5043
As we are enriching our SAST reports with more data, we can do the same with Container Scanning.
Currently, we only display the priority, the identifier (with a link to mitre.org), and the affected layer, which is really the Clair namespace (e.g. "debian:8"):
In the raw report we have more information that can be useful to the user, especially the impacted component (what Clair calls a Feature):
Proposal:
Title:
- <CVE_ID> in <library_name>
- <CVE_ID> if <library_name> is not available
Description:
- <library_name>:<library_version> is affected by <CVE_ID>.
- <library_name> is affected by <CVE_ID>. if library version is not provided
- <namespace> is affected by <CVE_ID>. if library name is not provided
Severity:
- We do it correctly on the backend (for the Group Dashboard), but it seems that indeed all other places relying on the frontend don't normalize the severity into our own set of values. We can check and fix that easily on the frontend.
Confidence:
- Omit and do not show.
- In the dashboard, show "-" in the confidence column.
Location / namespace:
- We currently show the namespace only; we can improve this by adding the image name and tag too.
Image
- Include image name
File
- Omit. Not applicable at the moment.
Solution
- Keep where applicable
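As an added example (not GitLab's code, and not part of this proposal), here is how the Title / Description / Severity / Location rules above could be applied on the frontend to one entry of a raw Container Scanning report. It assumes the report has the clair-scanner JSON shape (an `image` string plus a `vulnerabilities` array whose entries carry `featurename`, `featureversion`, `vulnerability`, `namespace`, `severity` and `fixedby`), assumes the normalized severity set in GITLAB_SEVERITIES and the Clair-to-GitLab mapping in CLAIR_SEVERITY_MAP, and uses placeholder CVE identifiers and package names constructed for the sample. The solution wording is also an assumption, since the issue only says to keep it where applicable.

```javascript
// Added example, not GitLab's own code. Maps a clair-scanner style report
// entry onto the title/description/severity/location proposed in the issue.
// Field names follow clair-scanner's JSON output (assumption).

// Assumed target set of normalized severities shown in the UI.
const GITLAB_SEVERITIES = ['critical', 'high', 'medium', 'low', 'unknown'];

// Assumed mapping from Clair's severity levels onto that set.
const CLAIR_SEVERITY_MAP = {
  defcon1: 'critical',
  critical: 'critical',
  high: 'high',
  medium: 'medium',
  low: 'low',
  negligible: 'low',
  unknown: 'unknown',
};

// Normalize whatever the scanner reported; anything outside the known set
// (typo, new Clair level, missing field) becomes 'unknown' instead of
// leaking a free-form string into the dashboard.
function normalizeSeverity(raw) {
  const key = String(raw || '').trim().toLowerCase();
  const mapped = CLAIR_SEVERITY_MAP[key];
  return GITLAB_SEVERITIES.includes(mapped) ? mapped : 'unknown';
}

// Title: "<CVE_ID> in <library_name>", or just "<CVE_ID>" without a feature name.
function buildTitle(entry) {
  const cve = entry.vulnerability;
  return entry.featurename ? `${cve} in ${entry.featurename}` : cve;
}

// Description: fall back from name:version -> name -> namespace.
function buildDescription(entry) {
  const cve = entry.vulnerability;
  if (entry.featurename && entry.featureversion) {
    return `${entry.featurename}:${entry.featureversion} is affected by ${cve}.`;
  }
  if (entry.featurename) {
    return `${entry.featurename} is affected by ${cve}.`;
  }
  return `${entry.namespace} is affected by ${cve}.`;
}

function formatVulnerability(entry, image) {
  return {
    title: buildTitle(entry),
    description: buildDescription(entry),
    severity: normalizeSeverity(entry.severity),
    // Location: the namespace already shown today, plus the scanned image name:tag.
    location: { namespace: entry.namespace, image },
    // Solution kept only when Clair reports a fixed version (wording assumed).
    solution: entry.fixedby ? `Upgrade ${entry.featurename} to ${entry.fixedby}` : null,
  };
}

function formatReport(report) {
  return report.vulnerabilities.map((entry) => formatVulnerability(entry, report.image));
}

// Constructed sample report: placeholder CVE ids and package names, not real findings.
const SAMPLE_REPORT = {
  image: 'registry.example.com/group/app:1.2.3',
  vulnerabilities: [
    // Full data: name, version, fix available, known severity.
    { featurename: 'libexample', featureversion: '1.0-1', vulnerability: 'CVE-0000-0001',
      namespace: 'debian:8', severity: 'High', fixedby: '1.0-2' },
    // No version, no fix, Clair-specific severity that must be mapped.
    { featurename: 'libexample', featureversion: '', vulnerability: 'CVE-0000-0002',
      namespace: 'debian:8', severity: 'Defcon1', fixedby: '' },
    // No feature name at all and an unrecognized severity string.
    { featurename: '', featureversion: '', vulnerability: 'CVE-0000-0003',
      namespace: 'debian:8', severity: 'Bogus', fixedby: '' },
  ],
};

console.log(JSON.stringify(formatReport(SAMPLE_REPORT), null, 2));
```

Running the block prints the three formatted entries; the second one shows why severity normalization matters, since "Defcon1" would otherwise reach the UI unchanged.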
/cc @bikebilly