Description
Secure stage brainstorming session on handling SchemaVer changes made to our Security Report Schemas
Agenda doc: https://docs.google.com/document/d/179JL5RzbgSIz2XZewbYn79cuX7_vUtte_TcoLwUUC5o/edit#
Security Report Schemas: https://gitlab.com/gitlab-org/security-products/security-report-schemas
A
This will use to capture which the vendor is providing the scanner default. You negate lab well, maybe not technically default, indicate lab, but by usage we are all good lab and it can also do things like WhiteSource, so I skimmed through that merge request related issue. I don't know if someone else has more context around that, but we may need this in the future for showing vendors.
A
If we're talking about two different things, you we're talking about adding this as a required field to our schema and whether or not that reflects in our UI as well. Okay, so current state: thank you absent cam for adding these points. When adding a new optional field, so far it's been considered an addition change, and quick refresher on SchemaVer: model, revision, addition.
B
I think one of the confusing parts, or part of the discussion around this, was understanding the scope of that versioning. So if we're just talking about the versioning of the schema and the JSON, maybe the conversation is just around that, and then what Rails does is a separate conversation, right. So whether Rails requires a version, whether it's backwards compatible, whether it defaults values, things of that sort, I think that might be a separate issue. I think when we're talking about schema version and how we handle that.
B
But that really needs to be its own atomic discussion, right? Like, what's the right way to do that from the schema, and then Rails is a separate question, right? Like, we can say: okay Rails, if you don't have the required field, fill it in with a default, whatever. But I think we don't want to conflate those two, because it gets really messy if we do that, and it's not technically accurate.
C
You're absolutely right, I think that was the part that was not obvious to everyone, and yeah. I don't see the problem with saying that from now on, this field is required in all the reports. It's not tied, as you said, to the Rails back end; the field will always be optional for the Rails back end, for example, and that's fine. If you don't add a value, we just don't display anything. That's not.
B
Just so, if we said it's required and we agree that that's a new schema version bump, that's fine! That's how we handle it on the schema, and then on the Rails side we get to decide how that handles it. Maybe it can handle back to version 1 or version 2 or whatever we said; Rails has to have a minimum version or whatever, but that's a separate issue. What the.
B
I think again, this is where we're conflating it: it's required in the schema. If you produce a report, we need the vendor name, so it has to be in the schema, and anyone building a scanner has to provide it on the schema. So when you're writing your analyzer, if you're on version 2 and you want to go to version 2-point-whatever this is, you have to have that field. On the Rails side, Rails is going to treat it as nice to have: if it can get it, great, it's gonna display it.
B
Yeah, and that's the way: if you have an analyzer and you don't have, let's say, the scanner name, you would use a previous version of the schema version. So you'd use a previous version, and at some point GitLab is going to say: hey, we no longer support that version in the Rails app. You need to go up to the new version of the schema.
E
We did something, let you a similar image or children, because it's what I was going to say. We already did something similar in the past, because when we moved from the legacy format to this one, we moved from an array at the top level to an object. So this was a breaking change, and we moved from version one to version two, and we kept supporting version one for quite some time, until a major version of GitLab, for example. So this is a similar process here. It's just that now.
A
The idea of, I guess, it's easy for us to define rules around the schema to ensure that we get all the data we need. That's, I guess, the big difference between the revision and the addition: whether or not we care about processing that data. So requiring the vendor works for us when we don't use it, but once we start requiring it, that will be the major version bump.
E
Strictly required from a functionality perspective, from what kids recoiled, from a design perspective, like: if you don't provide the vendor, well, it will show an empty string somewhere in the UI. It won't break the vulnerability management processing and any of the workflow based on the vulnerability. If you don't provide the primary identifier, things would just break, so Daddy.
E
Now, because, I mean, this is a very, very, it would be a very specific use case, but usually you would have such a need when adding a new feature. So let's say we're adding a feature in a new minor version of GitLab, and this requires specific data, so it requires a new field to be present. So from this new version of the schema, the property is required, and if you want the feature to work in GitLab you need to have this version of the schema with the required field.
E
But if you don't provide this information, give like we see work, you just won't have this feature. So on the Rails side, we will develop that feature to work only if the data is available, yeah, and if you can't, then we have to do a breaking change in the minor version of GitLab, right. Wait for the major one, yep.
B
Yeah, and I'm fine in this, particularly, like, we can just keep this to the concrete example we have here, which is: if that value is not there, we've still, who else and still Ryan. I'm sure there's some counter examples, but there's no point in going through all those right now, we're trying to come up with them.
E
Okay, so when Aeneid or crayon field is added to the schema, it doesn't happen. The analyzers, when analyzers update the reports to conform to a more recent version of the format, they can add, is that they can't, they must add required fields, since it should validate against the schema. They should, because good idea, but.
A
There's an anti-pattern, but is there utility in coordinating additions, so we can release versions more, so we can group changes rather than every individual change to the schema being or triggering a new model change? That's, maybe there's no point in doing that. We can just bump the model as many times as necessary, but I don't know if that would be valuable to consider.
E
This one is a bit tricky. I spent some time looking at this, yeah, it's not clear anymore in my mind, but yeah, this additionalProperties is, is at Siam, I love sitting for the schema. That says, is the report valid if it contains only what is mentioned in the schema, or if it contains at least what is in the schema. So if funders, if so value, for example, are pushing more properties than what we declare in the schema, with additionalProperties is true, it will work, they will be considered valid.
A
I'm not sure I follow that. Can you say that?
E
Not exactly clear in my mind, and the implication, but additionalProperties means, if it's true, it means you can already have many additional fields in the report and it's considered valid. So if you add one, or anyone adds one, it doesn't change anything. So it's more like a revision than a model change, because there is no, there should be no breaking changes. Otherwise it means, if any vendor provides a report that contains additional fields, that is, and we all know that it could break our app. We don't want this, do we?
E
What they can do, then, is, I mean, I CLE. This is still my vision. I don't think we have settled something that is agreed on the world stage, but the purpose of the report, the secure report, is to feed the Rails application and its features, so everything that we don't leverage, we don't need in this report.
E
If they are available, then she's a report, but we don't parse it or store it in the database. It will disappear with the garbage collection of the artifact anyway, so, I mean, not a big deal. We can share that later, but at least that is the current situation for additionalProperties, but I think there are other arguments to keep it this way, but I don't recall them, I'm sorry. So anyway, right now it's true. So, okay.
A
So we're giving up on time, some might say we're over. Is there anything that we need to address remaining here? There's ended a really good job of still in this. How, do we need to wait for a new version, so point to? I don't think so, especially if I'm.
B
Sometimes, when your mats, and we don't worry about the old code, so if you have old artifacts, it might still be working just fine. I think that's the biggest challenge here is Rails: how much Rails knows about the schema changes versus how much Rails is just smart and says: hey, I don't have that field.
B
Let me do this. And I think that's something that we need to define very closely as to: does Rails, whoever programs that Rails side, need to go and look at the schema changes and understand every change, or are we gonna have some guidelines like, hey, look for, you know, anything between these versions, and if you don't have the field just fill it in or make it blank? And I don't know if there's a standard answer to that question.
A
I think it also gets into the pinning to minor version in our CI templates, because at a certain point analyzers are still pointing to the latest version, and if you're still on 12.9 things are going to get bad. So we really have, like, three separate versions that we're coordinating, yeah.
B
Yeah, exactly. So if you pin to an old version of the analyzer, the old version of a minor is spitting out an old version of the schema, and Rails doesn't handle that old version of the schema. Everything's gonna work, and then it's gonna go to parse it, and it's gonna say: I don't understand that schema version, or it meant just there. A lot.
B
Yeah, I mean, the way I would see this is potentially that the Rails app has an allow list of version numbers for the schema version. So Rails says: if it's version blah blah blah blah blah blah blah, I know how to deal with it, and it sends it to its own parser. And then I could see Rails saying: okay, this is a version that is not on my allow list, and it needs to convert that into some kind of error message that goes out to the user, and that could.
A
If you're using something like merge request approvals, then that should be covered, because much of us approval is reset approvals on push events, so it will default to unapproved rather than approved. I think that's the only case where we're really, I think merge request approvals is the only real feature we provide currently for, like, active gating.
B
Yeah, it's just a problem, it's the scope of testing, right. So if we, on the gas side, we add a field, if it's not there, and then there we'll test that, but we have a potential of breaking something from any of the other teams, because our window is very limited, as opposed to: if our window was the dashboard, we have to make sure that we can read all the reports and deal with those consistently well.
E
Have additional trouble is that I useful for display, mainly today. If we change and add behavior, this behavior should be conditional on the presence of the data, so any vulnerability that doesn't have it, whether because it's an all day it or because it's a different report type that probably doesn't provide that data, the features should just be disabled, but it should not break.
B
Yeah, I'm thinking, like, for example, if we add a field, dashed at the field, we go update the Rails parser. We have all that data in there, and so we may neglect testing if that field's not there, although I guess technically we should test if the field's not there for backwards compatibility, yeah.
B
We don't test our own backwards compatibility now, so there's that scenario, right, which would just be not necessarily good engineering, but, like, it could happen, where we know, on, maybe almost all of our users are on the latest version, right. So we test that field works, we forget to test backwards compatibility, we roll this out immediately. It would break stuff for other teams.
E
The way the parsers are made, you have a current parser that should contain all the common behaviors. So if this is something very specific to test, I don't think, I mean, I don't see anything yet that could break the others. If it's just not done for the others, it just doesn't do anything additional to the user workflow. So it's just a matter of when we leverage that additional information, and.
E
So far, most of them are just for display, but if we start adding features, well, then people definitely need to think more about testing the feature well, but yeah. It could happen that you're testing just for the death, the remedies, and not trying to display it, was apples of reality page for another type, and they break. It can happen. I.
A
That was for the security reports repo that uses fixtures of old security reports for free, easy testing, and that was where the scanner object was missing, which was added, like, in an older version, that probably happened, like, six months ago, to the container scanning reports. So it is parsing an old copy of the container scanning reports that didn't have a scanner object. I want to archive that repo, by the way. But this sure it's.
E
But this is outer when transferring to a new major version, because, depending on how much time you have, difficut ideale report, or you'll say: hey, we are deprecating these versions, it schema. If we just take three months, it's really tricky. We should avoid that. We should keep it deprecated for a very long time, because, say, in February or March you have the older version of the schema, and now in May we say: hey, we drop, we deprecate it, and then you may say we no longer support it, remove it.
B
Certainly not on, and I don't know why we would encourage people to pin to a particular version. I view pinning to a version as a great, like you said, a troubleshooting or support thing, like, hey: it's not working, I just, and then they go: oh yeah, we released a new version of the SAST scanner last week, why don't you pin to a previous version, and they get it working? So that's the only case that I would recommend a customer do it.
B
If we have the regression test, so if Rails tests against version 2, 2.1, 2.2, it doesn't matter what we do with the schema version, because if we say three, four or five, whatever, you know, bump those to major releases, as long as Rails knows what to parse and has a test suite, those versions are, to a large degree, arbitrary to Rails.
E
Right, and what I wanted to say here is it's misleading, that we know which two new versions came out? Let's say: hey, you have asked an object that provides these entities information, but the Rails implementation is not done yet. So people might try to use this new version of the schema, but they won't see any benefit from it. So maybe we should try to synchronize those education.
E
It's easier to do it this way, because it just clarifies a specification, and it's easier because if we start implementing a feature and then go back and say this is how the data should be, it's a bit complicated. It's more from the advertisement around this. So if we keep this as a release candidate, I think it's fine, because it's an upcoming feature. It's not yet my register.
E
Again, it's not a big deal, but if some integrators are looking closely at our new version of the schema, they may try to use them, and even for us, people see that the schema has asked an object. An engineer might find, where is this used in the application? I don't know about this one, right.
B
So in terms of "doesn't handle it", we're really talking still graceful failures. We haven't, yeah, and I don't think we need to go through, like, what would happen if it's a catastrophic break, or, like, really a breaking change that Rails has no way to handle. I think we can talk about that when we actually run across that scenario.
B
We would obviously want to check, make sure all our internal analyzers are complying with that, and that might be something that we, when we release a new version of a schema, we say this will be required by such and such date. So if we're really versioning the schema, we could say version 3 of the schema, which has all these required fields, must be emitted by your analyzer by, whatever, this time next year, for 440 now. So anyone.
A
This might be asking too much. This feels a bit JSON API II, but is there a way within SchemaVer to specify relational-like fields with deprecation timelines or versions or anything like that? Leave for, like, a metadata property on SchemaVer for field support? I don't feel like there is anything like that, but.