Support remediations in Dependency Scanning report
What does this MR do?
This adds support for the new remediations to the Dependency Scanning store. It looks up the remediation matching a given vulnerability. The new report format looks like this (shortened). In this example the last two vulnerabilities are fixed by the same remediation, while the first has no fix.
```json
{
  "version": "2.0",
  "vulnerabilities": [
    {
      "category": "dependency_scanning",
      "cve": "rails/Gemfile.lock:nokogiri:gemnasium:78658378-bd8f-4d79-81c8-07c419302426",
      "more-info": "..."
    },
    {
      "category": "dependency_scanning",
      "cve": "yarn/yarn.lock:debug:gemnasium:37283ed4-0380-40d7-ada7-2d994afcc62a",
      "more-info": "..."
    },
    {
      "category": "dependency_scanning",
      "cve": "yarn/yarn.lock:saml2-js:gemnasium:9952e574-7b5b-46fa-a270-aeb694198a98",
      "more-info": "..."
    }
  ],
  "remediations": [
    {
      "diff": "...",
      "fixes": [
        {
          "cve": "yarn/yarn.lock:saml2-js:gemnasium:9952e574-7b5b-46fa-a270-aeb694198a98"
        },
        {
          "cve": "yarn/yarn.lock:debug:gemnasium:37283ed4-0380-40d7-ada7-2d994afcc62a"
        }
      ],
      "summary": "Upgrade to saml2-js@1.14.2"
    }
  ]
}
```
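As an added example (not the MR's own code), a helper that performs the lookup described above: it indexes the report's remediations by the CVE ids they fix and attaches the matching remediation to each vulnerability, leaving `null` where none exists and tolerating reports that carry no `remediations` key at all.

```javascript
// Constructed sample report, shortened to the fields the lookup needs.
const sampleReport = {
  version: '2.0',
  vulnerabilities: [
    { category: 'dependency_scanning', cve: 'rails/Gemfile.lock:nokogiri:gemnasium:78658378-bd8f-4d79-81c8-07c419302426' },
    { category: 'dependency_scanning', cve: 'yarn/yarn.lock:debug:gemnasium:37283ed4-0380-40d7-ada7-2d994afcc62a' },
    { category: 'dependency_scanning', cve: 'yarn/yarn.lock:saml2-js:gemnasium:9952e574-7b5b-46fa-a270-aeb694198a98' },
  ],
  remediations: [
    {
      diff: '...',
      fixes: [
        { cve: 'yarn/yarn.lock:saml2-js:gemnasium:9952e574-7b5b-46fa-a270-aeb694198a98' },
        { cve: 'yarn/yarn.lock:debug:gemnasium:37283ed4-0380-40d7-ada7-2d994afcc62a' },
      ],
      summary: 'Upgrade to saml2-js@1.14.2',
    },
  ],
};

// Build a Map from CVE id -> remediation. One remediation may fix several
// vulnerabilities, so the same object is stored under each of its CVE ids.
// The first remediation listed for a CVE wins, so the lookup is deterministic.
function indexRemediationsByCve(remediations = []) {
  const index = new Map();
  for (const remediation of remediations) {
    for (const fix of remediation.fixes || []) {
      if (fix && fix.cve && !index.has(fix.cve)) {
        index.set(fix.cve, remediation);
      }
    }
  }
  return index;
}

// Return a copy of each vulnerability with its matching remediation attached,
// or `remediation: null` when the report offers no fix for it. A report
// without a `remediations` array (older format) yields null for every entry.
function attachRemediations(report) {
  const index = indexRemediationsByCve(report.remediations);
  return (report.vulnerabilities || []).map((vulnerability) => ({
    ...vulnerability,
    remediation: index.get(vulnerability.cve) || null,
  }));
}

console.log(attachRemediations(sampleReport).map((v) => [v.cve, v.remediation && v.remediation.summary]));
```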
What are the relevant issue numbers?
- Related to #5656 (closed)
Does this MR meet the acceptance criteria?
- Changelog entry added, if necessary
- Documentation created/updated
- Tests added for this feature/bug
- Tested in all supported browsers
- Conforms to the code review guidelines
- Conforms to the merge request performance guidelines
- Conforms to the style guides
- Conforms to the database guides
- Link to e2e tests MR added if this MR has Requires e2e tests label. See the Test Planning Process.
- EE specific content should be in the top level /ee folder
- For a paid feature, have we considered GitLab.com plans, how it works for groups, and is there a design for promoting it to users who aren't on the correct plan?
- Security reports checked/validated by reviewer