Enrich Container Scanning report with more metadata (#5528) · Issues · GitLab.org / GitLab

Enrich Container Scanning report with more metadata

Refs: gitlab-org/gitlab-ee#5043

As we are enriching our sast reports with more data, we can do the same with Container Scanning. Currently, we only display the priority, the identifier (with a link on mitre.org), and the affected layer (ex: "debian:8"):

In the raw report, we can more information, and it can be useful for the user, especially the impacted component (what clair is naming a Feature):

Proposal:

Title:

<CVE_ID> in <library_name>
<CVE_ID> if <library_name> is not available

Description:

<library_name>:<library_version> is affected by <CVE_ID>.
<library_name> is affected by <CVE_ID>. if library version is not provided
<namespace> is affected by <CVE_ID>. if library name is not provided

Severity:

We do it correctly on backend (for Group Dashboard) but it seems that indeed all other places relying on frontend doesn't normalize the severity into our own set of values. We can check and fix that easily on frontend.

Confidence:

Omit and do not show.
In dashboard show - in the confidence column

Location / namespace:

We currently show the namespace, we can improve by adding the image name and tag too.

Image

Include image name

File

Omit. Not Applicable at the moment.

Solution

Keep where applicable

/cc @bikebilly

Refs: gitlab-org/gitlab-ee#5043

As we are enriching our `sast` reports with more data, we can do the same with Container Scanning.
Currently, we only display the priority, the identifier (with a link on mitre.org), and the affected layer (ex: "debian:8"):

![Screenshot_2018-04-02_10.21.34](/uploads/71f9e34f8a4b788b8627e24bcd2d94fe/Screenshot_2018-04-02_10.21.34.png)

In the raw report, we can more information, and it can be useful for the user, especially the impacted component (what clair is naming a `Feature`):

![Screenshot_2018-04-02_10.24.33](/uploads/bceea8ef9b94c63b5c149797da1e599f/Screenshot_2018-04-02_10.24.33.png)

### Proposal:

#### Title: 
- `<CVE_ID> in <library_name>`
- `<CVE_ID>` if <library_name> is not available

#### Description: 
- `<library_name>:<library_version> is affected by <CVE_ID>.`
- `<library_name> is affected by <CVE_ID>.` if library version is not provided
- `<namespace> is affected by <CVE_ID>.` if library name is not provided

#### Severity: 
- We do it correctly on ~backend (for Group Dashboard) but it seems that indeed all other places relying on ~frontend doesn't normalize the severity into our own set of values. We can check and fix that easily on ~frontend.

#### ~~Confidence:~~ 
- Omit and do not show.
- In dashboard show `-` in the confidence column

#### Location / namespace:
- We currently show the namespace, we can improve by adding the image name and tag too.

#### Image 
- Include image name

#### ~~File~~
- Omit. Not Applicable at the moment.

#### Solution
- Keep where applicable