Use common output format for Container Scanning reports

Problem to solve

After adding the necessary properties to the Common library to support container scanning vulnerabilities, we need to leverage it in our Klar analyzer so that it generates a JSON report that follows the common format.

Proposal

To cover this need, we need to address two main parts:

  • add a new parser in the rails backend to support the new container scanning reports
  • update the Klar analyzer so that it uses the common library to generate a JSON report that follows the common format. This will be a new major release of the analyzer, and the container scanning vendored template should explicitly use that new version, while older releases of GitLab will stay on the current 1.x version.

Implementation Plan

  1. Container Scanning report common output: Re-write klar analyzer using golang
  2. Container Scanning report common output: Add rails parser for new report format
  3. Container Scanning report common output: Execute clair server as a subprocess within the analyzer

Documentation

  1. Update container scanning documentation to include details about the new output format.

Testing

What does success look like, and how can we measure that?

The Container Scanning reports follow the common format.

What is the type of buyer?

GitLab Ultimate

Links / references

Edited by Adam Cohen