Add support for Security Report Schema 15-0-0 to Container Scanning
Why is this change being made?
Update Container Scanning so that it can generate reports that validate against the Security Report Schema 15-0-0 when it's configured to do so. To maintain backward compatibility, it can still generate reports that validate against 14-1-2, and this is what it does by default.
A new internal CI variable is introduced so that we can select the MODEL of the Security Report Schema, choosing between 14 and 15. The variable defaults to 14.
Adds a CS_SCHEMA_MODEL environment variable, which allows switching the schema. This variable defaults to 14.
Security Report Schema 15 differences
The following fields have been removed in the 15 schema:
- vulnerabilities[].category
- vulnerabilities[].message
- vulnerabilities[].cve
- vulnerabilities[].confidence
- vulnerabilities[].scanner
The following fields have been changed in the 15 schema:
- vulnerabilities[].description - max length changed to 1,048,576.
- vulnerabilities[].solution - max length changed to 7,000.
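As an added example (not code from the container-scanning project), the Python below shows how a report generator could apply the schema 15 changes listed above, selected by CS_SCHEMA_MODEL with 14 as the default; the SAMPLE_14 finding is constructed, and it assumes the report's top-level "version" field carries the schema version.

```python
import copy
import os

# Fields the MR lists as removed from each vulnerabilities[] entry in schema 15.
REMOVED_IN_15 = ("category", "message", "cve", "confidence", "scanner")
# Max lengths the MR lists as changed in schema 15.
MAX_LEN_15 = {"description": 1_048_576, "solution": 7_000}
# Schema versions from the MR's test runs; assumed to be what "version" carries.
SCHEMA_VERSION = {14: "14.1.2", 15: "15.0.4"}


def schema_model(env=None) -> int:
    """Resolve CS_SCHEMA_MODEL: defaults to 14; only 14 or 15 is accepted."""
    env = os.environ if env is None else env
    raw = env.get("CS_SCHEMA_MODEL", "14")
    if raw not in ("14", "15"):
        raise ValueError(f"CS_SCHEMA_MODEL must be 14 or 15, got {raw!r}")
    return int(raw)


def vuln_to_15(vuln: dict) -> dict:
    """Drop the fields schema 15 removed and enforce its new length limits."""
    out = {k: v for k, v in vuln.items() if k not in REMOVED_IN_15}
    for field, limit in MAX_LEN_15.items():
        if isinstance(out.get(field), str) and len(out[field]) > limit:
            out[field] = out[field][:limit]
    return out


def render_report(report: dict, model: int) -> dict:
    """Return a copy of a 14-shaped report rendered for the selected model."""
    out = copy.deepcopy(report)
    out["version"] = SCHEMA_VERSION[model]
    if model == 15:
        out["vulnerabilities"] = [vuln_to_15(v) for v in out.get("vulnerabilities", [])]
    return out


# Constructed sample finding in the 14.1.2 shape (placeholder values, not scanner output).
SAMPLE_14 = {
    "version": "14.1.2",
    "vulnerabilities": [{
        "id": "example-finding",
        "category": "container_scanning",
        "message": "Example vulnerable package",
        "description": "Example description.",
        "cve": "CVE-0000-00000",
        "confidence": "Unknown",
        "solution": "Upgrade the package. " * 500,  # 10,500 chars, over the 7,000 limit
        "scanner": {"id": "example", "name": "Example scanner"},
        "identifiers": [{"type": "cve", "name": "CVE-0000-00000", "value": "CVE-0000-00000"}],
    }],
}
```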
Testing
Tested with the updated Container Scanning template:
- Testing with the default CS_SCHEMA_MODEL in this pipeline produces a gl-container-scanning-report.json conforming to schema 15.0.4.
- Testing with CS_SCHEMA_MODEL: 14 in this pipeline produces a gl-container-scanning-report.json conforming to schema 14.1.2.
What are the relevant issue numbers?
Adopt security report schema 15-0-0 in Containe... (gitlab-org/gitlab#364369 - closed)