Container Scanning architecture migration
As the Security Products have evolved independently over the last year, we have accumulated some technical debt and now have discrepancies in our architecture.
To avoid mistakes and improve maintainability we need to align them. This also gives the features a consistent usage pattern, making it easier for our users to integrate them.
Migrating from the current state to our final goal has implications across the whole stack (Rails BE/FE, wrapper project, common library), and they are not easy to follow. This matters even more because some steps must be released synchronously or happen in a specific order.
**This Epic is about following what needs to be done for Container Scanning.**
## Current state
- the ~frontend fetches the raw Clair scanner report (vendor format) from artifacts for the Project Level Security Dashboard, Merge Request Widget and Pipeline View.
- the ~backend parses the raw Clair scanner report (vendor format) from artifacts to store vulnerabilities in the database for reports run on the `default_branch`.
- the current job definition uses Clair scanner directly with the new `reports` syntax.
- the previous job definition, which used Clair scanner directly with the OLD `artifacts` syntax, was deprecated in `11.5` and is to be removed in `12.0`.
## Migration path
1. * [x] %"11.9" - Put the job definition into the vendored include: https://gitlab.com/gitlab-org/gitlab/issues/8662
1. * [x] Deprecate the job definition directly using clair scanner in favor of the vendored include
1. * [ ] %"11.10" - ~~Wrap Clair scanner execution into our own container scanning tool: https://gitlab.com/gitlab-org/gitlab/issues/9244.~~ This has been replaced by the Clair analyzer below.
1. * [x] %"12.0" - Remove Feature Flag for parse_container_scanning_reports: https://gitlab.com/gitlab-org/gitlab/issues/9229
1. * [x] Drop support for the very old job definition using clair with the `artifacts` syntax (not the `reports` one).
1. * [x] %"12.3" - Wrap Clair execution into a dedicated analyzer: https://gitlab.com/gitlab-org/gitlab/issues/13069. This analyzer should produce a report that is backward compatible with the previous implementation.
1. * [x] %"12.3" - Update the vendored job definition to use this analyzer instead of clair scanner. https://gitlab.com/gitlab-org/gitlab/issues/11003
1. * [x] %"12.4" - Use the ~backend parser to process raw artifacts and provide a standardized API to the ~frontend for the Merge Request Widget and Pipeline view. https://gitlab.com/gitlab-org/gitlab/issues/11978 and https://gitlab.com/gitlab-org/gitlab/issues/12004
1. * [x] %"12.4" - Integrate Container Scanning properties into the Security Products Common format: https://gitlab.com/gitlab-org/gitlab/issues/9610
1. * [x] %"12.7" - Make the Clair analyzer generate a report compatible with our common format by leveraging the common library. This requires supporting both the new and the old report format in the Rails backend. https://gitlab.com/gitlab-org/gitlab/issues/32934
1. * [x] %"13.0" - Drop support for the old job definition using clair with the `reports` syntax (producing the raw Clair scanner report format). At this point we only accept reports with the common format. https://gitlab.com/gitlab-org/gitlab/issues/35442