Issue created Apr 02, 2018 by Philippe Lafoucrière@plafoucriereDeveloper

Enrich Container Scanning report with more metadata

Refs: gitlab-org/gitlab-ee#5043

As we are enriching our sast reports with more data, we can do the same with Container Scanning. Currently, we only display the priority, the identifier (with a link on mitre.org), and the affected layer (ex: "debian:8"):

(Screenshot: Screenshot_2018-04-02_10.21.34)

In the raw report, we can see more information, and it can be useful for the user, especially the impacted component (what Clair calls a Feature):

(Screenshot: Screenshot_2018-04-02_10.24.33)

Proposal:

Title:

  • <CVE_ID> in <library_name>
  • <CVE_ID> if <library_name> is not available

Description:

  • <library_name>:<library_version> is affected by <CVE_ID>.
  • <library_name> is affected by <CVE_ID>. (if library version is not provided)
  • <namespace> is affected by <CVE_ID>. (if library name is not provided)

Severity:

  • We do it correctly on the backend (for the Group Dashboard), but it seems that indeed all other places relying on the frontend don't normalize the severity into our own set of values. We can check and fix that easily on the frontend.

Confidence:

  • Omit and do not show.
  • In the dashboard, show it in the confidence column.

Location / namespace:

  • We currently show the namespace, we can improve by adding the image name and tag too.

Image:

  • Include image name

File:

  • Omit. Not Applicable at the moment.

Solution:

  • Keep where applicable

/cc @bikebilly

Edited Feb 13, 2019 by Andy Volpe
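The title/description fallback rules and the frontend severity normalization proposed above, as an added example that is not GitLab's own code. It assumes clair-scanner style field names (`vulnerability`, `featurename`, `featureversion`, `namespace`, `severity`, `image`) and an assumed target severity set; the mapping from Clair's severity strings is also an assumption.

```javascript
// Added example (not GitLab's code): build the enriched Container Scanning
// entry for one raw finding, following the rules in the proposal above.

// Assumed target set of severities ("our own set of values" in the issue).
const SEVERITY_LEVELS = ['critical', 'high', 'medium', 'low', 'unknown'];

// Assumed mapping from Clair's free-form severity strings to that set.
const CLAIR_SEVERITY_MAP = {
  defcon1: 'critical',
  critical: 'critical',
  high: 'high',
  medium: 'medium',
  low: 'low',
  negligible: 'low',
  unknown: 'unknown',
};

// Anything unrecognised (or missing) lands in 'unknown' instead of leaking
// raw scanner strings into the dashboard.
function normalizeSeverity(raw) {
  const key = String(raw || '').trim().toLowerCase();
  const level = CLAIR_SEVERITY_MAP[key] || 'unknown';
  return SEVERITY_LEVELS.includes(level) ? level : 'unknown';
}

// Title: "<CVE_ID> in <library_name>", or just "<CVE_ID>" when no library name.
function buildTitle({ cveId, libraryName }) {
  return libraryName ? `${cveId} in ${libraryName}` : cveId;
}

// Description: fall back from name:version -> name only -> namespace.
function buildDescription({ cveId, libraryName, libraryVersion, namespace }) {
  if (libraryName && libraryVersion) {
    return `${libraryName}:${libraryVersion} is affected by ${cveId}.`;
  }
  if (libraryName) return `${libraryName} is affected by ${cveId}.`;
  return `${namespace} is affected by ${cveId}.`;
}

// Assumed raw field names follow the clair-scanner JSON output.
function enrichFinding(raw) {
  const fields = {
    cveId: raw.vulnerability,
    libraryName: raw.featurename || '',
    libraryVersion: raw.featureversion || '',
    namespace: raw.namespace,
  };
  return {
    title: buildTitle(fields),
    description: buildDescription(fields),
    severity: normalizeSeverity(raw.severity),
    location: { image: raw.image || '', namespace: raw.namespace }, // image name + namespace
  };
}
```

Findings with only a namespace (no feature name) still produce a usable title and description, and a severity string the scanner invents never reaches the UI unmapped.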