WIP: 6717 store sast vulnerabilities in database
What does this MR do?
Allow SAST security reports to be parsed and stored in the database.
This MR is based on the recent reports feature, which makes it easy to define job artifacts as reports so that they can be parsed on the BE and exposed as structured data.
This MR follows the same approach to extend the job definition for the SAST, Dependency Scanning, Container Scanning and DAST features. But instead of providing access to the reports from the pipeline/MR widget, it automatically parses and stores the reports in the DB after the pipeline has completed its execution. Being able to parse and compare artifacts on demand for the MR widget and pipeline views, to provide nice reports for the FE, will be done in the next iterations.
Please note that Security Reports are an EE-only feature, so this MR adds some changes to CE code to allow its extension via EE modules. Once this MR is approved, a backport of these changes will be submitted in another MR on CE.
Parsing
Currently only the SAST parser has been implemented, but this MR includes the logic and parser skeletons for the other types of security reports. This will make it easier to provide the other parsers without burden and conflicts.
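As an added example (not code from this MR or from GitLab), the shape such a parser could take in Ruby: one entry point dispatching on the report type, the SAST parser implemented, and the other types raising NotImplementedError as skeletons. The report layout and field names below are assumptions for illustration, not the format this MR implements. The point a reviewer would want covered is that the artifact is produced by a CI job, so it is untrusted input before it reaches the database: the parser rejects malformed structure, caps the number of findings, truncates free text and normalises severity/confidence to a fixed enum.

```ruby
require 'json'
require 'digest'

# Added example (not code from this MR or from GitLab): a defensive parser
# for a SAST report artifact, organised as a per-report-type parser with
# skeletons for the other report types. The report layout used here
# (a JSON array of findings with tool/message/file/line/severity/confidence)
# is an assumption for illustration, not the format this MR implements.
module SecurityReportParser
  SEVERITIES  = %w[critical high medium low unknown].freeze
  CONFIDENCES = %w[high medium low unknown].freeze
  MAX_ENTRIES = 1_000   # cap on findings per report (the artifact is CI-controlled input)
  MAX_LEN     = 1_024   # cap on any free-text field before it reaches the DB

  class ParseError < StandardError; end

  # Dispatch by report type; only SAST is implemented, the others are skeletons.
  def self.parse(type, json_blob)
    case type
    when 'sast'
      Sast.parse(json_blob)
    when 'dependency_scanning', 'container_scanning', 'dast'
      raise NotImplementedError, "#{type} parser is not implemented yet"
    else
      raise ParseError, "unknown report type: #{type}"
    end
  end

  module Sast
    REQUIRED = %w[tool message file line].freeze

    # Returns an array of attribute hashes ready to be persisted.
    def self.parse(json_blob)
      data = JSON.parse(json_blob)
      raise ParseError, 'report must be a JSON array' unless data.is_a?(Array)
      raise ParseError, "report has more than #{MAX_ENTRIES} findings" if data.size > MAX_ENTRIES

      data.each_with_index.map { |entry, idx| normalize(entry, idx) }
    rescue JSON::ParserError => e
      raise ParseError, "invalid JSON: #{e.message}"
    end

    def self.normalize(entry, idx)
      raise ParseError, "finding #{idx} is not an object" unless entry.is_a?(Hash)
      missing = REQUIRED - entry.keys
      raise ParseError, "finding #{idx} is missing #{missing.join(', ')}" unless missing.empty?
      line = entry['line']
      raise ParseError, "finding #{idx} has a non-integer line" unless line.is_a?(Integer) && line >= 0

      tool, message, file = %w[tool message file].map { |k| clip(entry[k]) }
      {
        category:    'sast',
        tool:        tool,
        message:     message,
        file:        file,
        line:        line,
        severity:    enum(entry['severity'], SEVERITIES),
        confidence:  enum(entry['confidence'], CONFIDENCES),
        # Stable identity for de-duplicating findings across pipelines of one project.
        fingerprint: Digest::SHA1.hexdigest([tool, file, line, message].join("\0"))
      }
    end

    # Truncate free text so a malicious or buggy scanner cannot bloat DB rows.
    def self.clip(value)
      value.to_s[0, MAX_LEN]
    end

    # Map scanner-specific wording onto a fixed enum; anything unexpected is 'unknown'.
    def self.enum(value, allowed)
      v = value.to_s.downcase
      allowed.include?(v) ? v : 'unknown'
    end
  end

  # Constructed sample report (not real scanner output).
  SAMPLE_REPORT = <<~JSON
    [
      {"tool": "bandit", "message": "Use of insecure MD5 hash function",
       "file": "app/auth.py", "line": 42, "severity": "High", "confidence": "Medium"},
      {"tool": "brakeman", "message": "Possible SQL injection",
       "file": "app/models/user.rb", "line": 17, "severity": "Critical", "confidence": "High"},
      {"tool": "gosec", "message": "Hardcoded credentials",
       "file": "cmd/server/main.go", "line": 5, "severity": "Extreme", "confidence": ""}
    ]
  JSON
end

if $PROGRAM_NAME == __FILE__
  SecurityReportParser.parse('sast', SecurityReportParser::SAMPLE_REPORT).each do |v|
    puts "#{v[:severity]}/#{v[:confidence]} #{v[:tool]} #{v[:file]}:#{v[:line]} #{v[:message]}"
  end
end
```

Persisting the returned hashes is left to the AR model; the fingerprint gives a stable key for de-duplicating the same finding across pipelines, and the unknown-type and not-implemented branches keep a report of an unsupported type from being silently stored as something else.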
AR Model
See https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/6896
Remaining tasks
- add tests
What are the relevant issue numbers?
Does this MR meet the acceptance criteria?
- Changelog entry added, if necessary
- Documentation created/updated
- Tests added for this feature/bug
- Conforms to the code review guidelines
- Conforms to the merge request performance guidelines
- Conforms to the style guides
- Conforms to the database guides
- EE specific content should be in the top level /ee folder
- For a paid feature, have we considered GitLab.com plans, how it works for groups, and is there a design for promoting it to users who aren't on the correct plan?