Vulnerabilities on the dependency page do not match vulnerability report page
Summary
On the dependency page, the vulnerabilities listed underneath a dependency do not match the vulnerabilities on the Vulnerability Report page. Specifically, the severity states do not match.
Steps to reproduce
- Create a Java project with a pom file
- Include the dependency com.fasterxml.jackson.core/jackson-databind:2.9.8
- Run a dependency scan
What is the current bug behavior?
- Dependency List shows fewer vulnerabilities than the Vulnerability Report
What is the expected correct behavior?
Dependency List and Vulnerability Report show the same vulnerabilities
Relevant logs and/or screenshots
Possible fixes
(debated in Root cause of the bug)
This bug happens because of the way vulnerabilities are picked up into the Dependency List response. A special key is used to decide whether a vulnerability is new or has already been reported: https://gitlab.com/gitlab-org/gitlab/-/blob/7ccd7a019efe8b61fa3e9962a17197ed423d0006/ee/lib/gitlab/ci/reports/dependency_list/dependency.rb#L31
This key is based on the name of the vulnerability rather than its identifier. So when several vulnerabilities share the same name but have different CVEs, only the first one is picked into the report, and the others (along with their severities) are dropped.
Implementation plan
- Add an `id` field to `ee/spec/fixtures/security_reports/dependency_list/gl-dependency-scanning-report.json`, as this fixture will be used to test this feature (and the fixture is outdated)
- Add `id` to the schema that `Formatters::DependencyList` produces
- Add `id` as a part of `DependencyList::Dependency#composite_key`
- Add a regression test for `#add_dependency` to check that vulnerabilities with the same name are processed correctly
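To illustrate the root cause described above and the composite-key change in the implementation plan, here is an added example (not GitLab's code) that models the de-duplication step with a hypothetical `Dependency` class and constructed sample vulnerabilities; the placeholder ids stand in for real CVE numbers:

```ruby
# Added example (not GitLab's code): a minimal model of a dependency that
# de-duplicates its vulnerabilities by a composite key. Class and method
# names are hypothetical stand-ins for DependencyList::Dependency.
class Dependency
  attr_reader :name, :vulnerabilities

  # key_fields: which vulnerability fields make up the composite key
  def initialize(name, key_fields:)
    @name = name
    @key_fields = key_fields
    @vulnerabilities = []
    @seen_keys = {}
  end

  # Adds vuln unless one with the same composite key was already seen.
  # Returns true when added, false when treated as a duplicate.
  def add_vulnerability(vuln)
    key = @key_fields.map { |f| vuln.fetch(f) }
    return false if @seen_keys.key?(key)

    @seen_keys[key] = true
    @vulnerabilities << vuln
    true
  end
end

# Constructed sample: two distinct CVEs against jackson-databind 2.9.8 that
# share a human-readable name (placeholder ids, not real CVE numbers).
SAMPLE_VULNS = [
  { id: "CVE-PLACEHOLDER-1", name: "Deserialization of Untrusted Data", severity: "critical" },
  { id: "CVE-PLACEHOLDER-2", name: "Deserialization of Untrusted Data", severity: "high" },
  { id: "CVE-PLACEHOLDER-3", name: "Other issue", severity: "medium" }
].freeze

# Feeds the sample through one dependency and returns what it reports.
def collect(key_fields)
  dep = Dependency.new("com.fasterxml.jackson.core/jackson-databind:2.9.8", key_fields: key_fields)
  SAMPLE_VULNS.each { |v| dep.add_vulnerability(v) }
  dep.vulnerabilities
end

# Name-only key (the bug): the second CVE and its severity are silently dropped.
name_keyed = collect([:name])
# Key that includes id (the fix): every distinct CVE survives.
id_keyed = collect([:name, :id])

puts "name key: #{name_keyed.map { |v| v[:id] }.inspect}" # 2 entries
puts "name+id key: #{id_keyed.map { |v| v[:id] }.inspect}" # 3 entries
```

The regression test in the plan would assert the second case: same name, different ids, both vulnerabilities present.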