
Add support for Security Report Schema 15-0-0 to Container Scanning

Adam Cohen requested to merge 364369-adopt-security-report-schema-15 into master

Why is this change being made?

Update Container Scanning so that it can generate reports that validate against the Security Report Schema 15-0-0 when it's configured to do so. To maintain backward compatibility, it can still generate reports that validate against 14-1-2, and this is what it does by default.

A new internal CI variable is introduced so that we can select the MODEL of the Security Report Schema, and select between 14 and 15. The variable defaults to 14.

Adds a CS_SCHEMA_MODEL environment variable, which allows switching the schema. This var defaults to 14.

Security Report Schema 15 differences

The following fields have been removed in the 15 schema:

  • vulnerabilities[].category
  • vulnerabilities[].message
  • vulnerabilities[].cve
  • vulnerabilities[].confidence
  • vulnerabilities[].scanner

The following fields have been changed in the 15 schema:

  • vulnerabilities[].description - max length changed to 1,048,576.
  • vulnerabilities[].solution - max length changed to 7,000.
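The field removals and length limits listed above are easy to check mechanically. The following Python is an added example, not code from the Container Scanning analyzer or from this merge request: it flags the schema-15 differences named here in a 14-style report and produces a 15-style copy. The sample report is constructed for the example, and the function names (`schema_15_violations`, `to_schema_15`) are hypothetical; only the report's top-level `version` and `vulnerabilities[]` keys, the five removed fields and the two length limits come from the description above.

```python
import copy
import json

# vulnerabilities[] fields removed between schema 14 and 15 (from the MR description).
REMOVED_VULN_FIELDS = ("category", "message", "cve", "confidence", "scanner")

# Max lengths changed in schema 15 (from the MR description).
MAX_LENGTHS = {"description": 1_048_576, "solution": 7_000}


def schema_15_violations(report):
    """Return human-readable problems that would stop `report` validating as 15-0-0.

    Only the differences listed in the MR are checked, not the full schema; a real
    pipeline should still run the JSON Schema validator over the final report.
    """
    problems = []
    if not str(report.get("version", "")).startswith("15."):
        problems.append(f"version is {report.get('version')!r}, expected 15.x.y")
    for i, vuln in enumerate(report.get("vulnerabilities", [])):
        for field in REMOVED_VULN_FIELDS:
            if field in vuln:
                problems.append(f"vulnerabilities[{i}].{field} was removed in schema 15")
        for field, limit in MAX_LENGTHS.items():
            value = vuln.get(field)
            if isinstance(value, str) and len(value) > limit:
                problems.append(f"vulnerabilities[{i}].{field} is {len(value)} chars, max {limit}")
    return problems


def to_schema_15(report):
    """Return a deep copy of a 14-1-2 style report rewritten for 15-0-0.

    Removed fields are dropped, the version is bumped, and over-long fields are
    truncated to the schema-15 limit (a hypothetical policy chosen for this example).
    """
    out = copy.deepcopy(report)
    out["version"] = "15.0.0"
    for vuln in out.get("vulnerabilities", []):
        for field in REMOVED_VULN_FIELDS:
            vuln.pop(field, None)
        for field, limit in MAX_LENGTHS.items():
            if isinstance(vuln.get(field), str) and len(vuln[field]) > limit:
                vuln[field] = vuln[field][:limit]
    return out


# Constructed sample, not real scanner output: a minimal 14-1-2 style report
# that carries every removed field and one over-long solution.
SAMPLE_REPORT_14 = {
    "version": "14.1.2",
    "vulnerabilities": [
        {
            "id": "example-id-1",
            "category": "container_scanning",
            "message": "Example finding",
            "description": "Constructed description for the example.",
            "cve": "EXAMPLE-CVE-PLACEHOLDER",
            "severity": "High",
            "confidence": "Unknown",
            "solution": "x" * 8_000,  # deliberately over the 7,000 limit
            "scanner": {"id": "example_scanner", "name": "Example Scanner"},
            "location": {"dependency": {"package": {"name": "example"}}},
            "identifiers": [],
        }
    ],
}

if __name__ == "__main__":
    print(json.dumps(schema_15_violations(SAMPLE_REPORT_14), indent=2))
    converted = to_schema_15(SAMPLE_REPORT_14)
    print(json.dumps(schema_15_violations(converted), indent=2))  # → []
```

Run against the sample, the checker reports seven problems (the old version string, the five removed fields and the over-long solution); after conversion it reports none. Truncating `solution` is the simplest way to satisfy the new limit but silently drops remediation text, so an analyzer would normally shorten or restructure that text rather than cut it, and the `cve` value that schema 14 used to carry should be preserved elsewhere in the report (for example in `identifiers[]`) before it is dropped.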

Testing

Tested with the updated Container Scanning template:

What are the relevant issue numbers?

Adopt security report schema 15-0-0 in Containe... (gitlab-org/gitlab#364369 - closed)

Edited by Adam Cohen
