Data model to store security scanning results
Problem to solve
Results of security scanning (SAST, DAST and others) should be stored in the database in order to implement group-level Security Dashboard where results can be filtered and sorted.
Further details
Right now the security reports presented in projects, MRs and pipelines are loaded from the JSON artifacts generated by SAST, DAST, Dependency Scanning (DS) and Container Scanning (CS). We can't implement the group-level dashboard the same way because there would be too many artifacts to fetch and load. The solution is to store the security results in the DB and serve this data to the frontend via the API.
Proposal
This issue addresses the first step: design a data model to store the security scanning results (SAST, DAST, DS and CS) and retrieve them efficiently.
Next steps:
- feed the database automatically using the generated artifacts
- leverage the DB to implement the group-level security dashboard
- rewrite the existing security dashboard & reports using the DB to make them more efficient
These are out of the scope of this issue.
Dismissed vulnerabilities
We can possibly leverage the new data model to better track the vulnerabilities that have been dismissed. See https://gitlab.com/gitlab-org/gitlab-ee/issues/6590#note_92061498
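The following is an added example illustrating the kind of model the proposal asks for and the dismissal tracking mentioned above; it is not GitLab's schema or code. It sketches a hypothetical relational layout (table, column and function names are assumptions) in SQLite, with constructed sample rows, so the group-level question "give me every finding across a group's projects, filtered by report type and dismissal state, sorted by severity" can be answered by one indexed query instead of by loading per-pipeline JSON artifacts:

```python
import sqlite3

# Hypothetical schema for illustration only (assumed names, not GitLab's tables).
SCHEMA = """
CREATE TABLE namespaces (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE projects (
    id INTEGER PRIMARY KEY,
    namespace_id INTEGER NOT NULL REFERENCES namespaces(id),
    name TEXT NOT NULL
);
CREATE TABLE vulnerability_occurrences (
    id INTEGER PRIMARY KEY,
    project_id INTEGER NOT NULL REFERENCES projects(id),
    pipeline_id INTEGER NOT NULL,
    report_type TEXT NOT NULL
        CHECK (report_type IN ('sast', 'dast', 'dependency_scanning', 'container_scanning')),
    severity INTEGER NOT NULL,      -- assumed ordinal scale, 0 = unknown .. 4 = critical
    fingerprint TEXT NOT NULL,      -- stable identity of a finding across pipelines
    title TEXT NOT NULL,
    dismissed_at TEXT,              -- NULL while the finding is still open
    UNIQUE (project_id, pipeline_id, report_type, fingerprint)
);
-- Composite index shaped for the dashboard query: narrow by project, then type, then severity
CREATE INDEX idx_occ_project_type_severity
    ON vulnerability_occurrences (project_id, report_type, severity);
"""

REPORT_TYPES = ("sast", "dast", "dependency_scanning", "container_scanning")
# Sort orders are a fixed whitelist; never splice caller-supplied text into ORDER BY.
VALID_ORDERS = {
    "severity_desc": "v.severity DESC, p.name, v.title",
    "project": "p.name, v.severity DESC, v.title",
}

def open_db():
    """Create an in-memory database and load constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO namespaces VALUES (?, ?)", [(1, "group-a"), (2, "group-b")])
    conn.executemany("INSERT INTO projects VALUES (?, ?, ?)",
                     [(10, 1, "web"), (11, 1, "api"), (20, 2, "other")])
    rows = [  # (project_id, pipeline_id, report_type, severity, fingerprint, title, dismissed_at)
        (10, 99,  "sast", 4, "fp-a", "SQL injection in login", None),   # older pipeline
        (10, 100, "sast", 4, "fp-a", "SQL injection in login", None),   # same finding, latest
        (10, 100, "dast", 2, "fp-b", "Missing security header", "2018-08-01T10:00:00Z"),
        (11, 200, "dependency_scanning", 3, "fp-c", "Vulnerable gem version", None),
        (11, 200, "container_scanning", 1, "fp-d", "Outdated base image package", None),
        (20, 300, "sast", 4, "fp-e", "Command injection", None),       # different group
    ]
    conn.executemany(
        "INSERT INTO vulnerability_occurrences "
        "(project_id, pipeline_id, report_type, severity, fingerprint, title, dismissed_at) "
        "VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn

def group_vulnerabilities(conn, namespace_id, report_types=None, include_dismissed=False,
                          latest_pipeline_only=True, order="severity_desc"):
    """Return findings for every project in a group, filtered and sorted in SQL.

    Caller-supplied values are bound as parameters and the ORDER BY clause comes
    from VALID_ORDERS, so dashboard filters cannot turn into SQL injection.
    """
    if order not in VALID_ORDERS:
        raise ValueError("unknown sort order: %r" % order)
    sql = ("SELECT p.name, v.report_type, v.severity, v.title, v.dismissed_at "
           "FROM vulnerability_occurrences v JOIN projects p ON p.id = v.project_id "
           "WHERE p.namespace_id = ?")
    params = [namespace_id]
    if report_types:
        unknown = set(report_types) - set(REPORT_TYPES)
        if unknown:
            raise ValueError("unknown report types: %s" % sorted(unknown))
        sql += " AND v.report_type IN (%s)" % ", ".join("?" * len(report_types))
        params.extend(report_types)
    if not include_dismissed:
        sql += " AND v.dismissed_at IS NULL"
    if latest_pipeline_only:
        # Only the newest pipeline per project reflects that project's current state.
        sql += (" AND v.pipeline_id = (SELECT MAX(o.pipeline_id) "
                "FROM vulnerability_occurrences o WHERE o.project_id = v.project_id)")
    sql += " ORDER BY " + VALID_ORDERS[order]
    return conn.execute(sql, params).fetchall()

def dismiss(conn, occurrence_id, when):
    """Record a dismissal in place rather than deleting the row, so it stays reviewable."""
    cur = conn.execute("UPDATE vulnerability_occurrences SET dismissed_at = ? WHERE id = ?",
                       (when, occurrence_id))
    conn.commit()
    return cur.rowcount

if __name__ == "__main__":
    db = open_db()
    for row in group_vulnerabilities(db, 1):
        print(row)
```

Two design points worth noting: the `fingerprint` column gives a finding a stable identity across pipelines, which is what makes it possible to carry a dismissal forward instead of re-surfacing the same issue on every run, and the `latest_pipeline_only` subquery keeps stale results from earlier pipelines out of the dashboard while still retaining them for history.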
Here are a few links on how it currently works: