Use common output format for Container Scanning reports
Problem to solve
After adding the necessary properties to the Common library to support container scanning vulnerabilities, we need to use it in the Klar analyzer so that the analyzer generates a JSON report that follows the common format.
Proposal
To cover this need, two main parts must be addressed:
- add a new parser in the Rails backend to support the new container scanning reports
- update the Klar analyzer so that it uses the Common library to generate a JSON report that follows the common format. This will be a new major release of the analyzer, and the vendored container scanning template should explicitly pin that new version, so that older GitLab releases stay on the current 1.x version.
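The shape of the backend parser described above, as an added example that is not GitLab's own code: it reads a container scanning report in the common format, checks the report version, validates the required fields of each vulnerability, and normalizes the Clair severity vocabulary. The field names (`version`, `vulnerabilities`, `category`, `identifiers`, `location.dependency.package.name`, `location.image`, `location.operating_system`) are assumptions modeled on the common security report schema, the severity mapping (`Negligible` to `low`, `Defcon1` to `critical`) is an assumption, and the embedded report is constructed sample data.

```ruby
require 'json'

# Illustrative parser for a container scanning report in the common format.
# Not GitLab's parser; field names are assumptions modeled on the common
# security report schema.
class ContainerScanningReportParser
  SUPPORTED_VERSIONS = %w[2.0 2.1 2.2 2.3].freeze
  SEVERITIES = %w[critical high medium low unknown].freeze
  REQUIRED_FIELDS = %w[category message severity identifiers location].freeze

  class ParseError < StandardError; end

  # Returns an array of normalized vulnerability hashes, or raises ParseError
  # for malformed JSON, an unsupported version, or an incomplete entry.
  def parse(raw_json)
    report = JSON.parse(raw_json)
    version = report['version'].to_s
    unless SUPPORTED_VERSIONS.include?(version)
      raise ParseError, "unsupported report version #{version.inspect}"
    end

    Array(report['vulnerabilities']).map { |v| normalize(v) }
  rescue JSON::ParserError => e
    raise ParseError, "invalid JSON: #{e.message}"
  end

  private

  def normalize(vuln)
    missing = REQUIRED_FIELDS.reject { |f| vuln.key?(f) }
    raise ParseError, "vulnerability missing #{missing.join(', ')}" unless missing.empty?
    unless vuln['category'] == 'container_scanning'
      raise ParseError, "unexpected category #{vuln['category'].inspect}"
    end

    location = vuln['location']
    {
      message: vuln['message'],
      severity: normalize_severity(vuln['severity']),
      identifiers: Array(vuln['identifiers']).map do |id|
        { type: id['type'], name: id['name'], value: id['value'] }
      end,
      image: location['image'],
      operating_system: location['operating_system'],
      package: location.dig('dependency', 'package', 'name'),
      version: location.dig('dependency', 'version'),
      solution: vuln['solution']
    }
  end

  # Clair uses Unknown/Negligible/Low/Medium/High/Critical/Defcon1; map these
  # to the fixed vocabulary the backend expects (mapping is an assumption).
  def normalize_severity(value)
    s = value.to_s.downcase
    return 'low' if s == 'negligible'
    return 'critical' if s == 'defcon1'
    SEVERITIES.include?(s) ? s : 'unknown'
  end
end

# Constructed sample report: two findings, one with a Clair-specific severity.
SAMPLE_REPORT = <<~'JSON'
  {
    "version": "2.3",
    "vulnerabilities": [
      {
        "category": "container_scanning",
        "message": "CVE-2017-18269 in glibc",
        "severity": "High",
        "solution": "Upgrade glibc to 2.24-11+deb9u4",
        "scanner": {"id": "klar", "name": "klar"},
        "location": {
          "dependency": {"package": {"name": "glibc"}, "version": "2.24-11+deb9u3"},
          "operating_system": "debian:9",
          "image": "registry.example.com/group/project:latest"
        },
        "identifiers": [{"type": "cve", "name": "CVE-2017-18269", "value": "CVE-2017-18269"}]
      },
      {
        "category": "container_scanning",
        "message": "Example finding with a Clair-only severity",
        "severity": "Negligible",
        "location": {
          "dependency": {"package": {"name": "libexample"}, "version": "1.0-1"},
          "operating_system": "debian:9",
          "image": "registry.example.com/group/project:latest"
        },
        "identifiers": []
      }
    ],
    "remediations": []
  }
JSON

def parse_sample
  ContainerScanningReportParser.new.parse(SAMPLE_REPORT)
end

if __FILE__ == $PROGRAM_NAME
  parse_sample.each { |f| puts "#{f[:severity]}: #{f[:package]} #{f[:version]} (#{f[:message]})" }
end
```

The version check is what lets the backend keep accepting 1.x Klar output through the old parser while routing the new major release's reports here; a report that names a version outside the supported list is rejected rather than silently parsed with the wrong field mapping.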
Implementation Plan
- Container Scanning report common output: Re-write klar analyzer using golang
- Container Scanning report common output: Add rails parser for new report format
- Container Scanning report common output: Execute clair server as a subprocess within the analyzer
Documentation
- Update container scanning documentation to include details about the new output format.
Testing
What does success look like, and how can we measure that?
Container Scanning reports follow the common format.
What is the type of buyer?
Links / references
Edited by Adam Cohen