Check if value in CS_DEFAULT_BRANCH_IMAGE is valid
Why are we doing this work
As a part of &5577 (closed), CS_DEFAULT_BRANCH_IMAGE will be introduced to de-duplicate findings. For the first iteration, we decided not to validate the value set in CS_DEFAULT_BRANCH_IMAGE. This might cause problems when the configured image is invalid and does not exist in any already reported finding. This issue will address the validation of CS_DEFAULT_BRANCH_IMAGE by checking the vulnerability_reads table for whether the image already exists in the location_image field.
Relevant links
Non-functional requirements
Documentation: -
Feature flag: -
Performance: -
Testing: -
Implementation plan
diff --git a/ee/lib/gitlab/ci/parsers/security/container_scanning.rb b/ee/lib/gitlab/ci/parsers/security/container_scanning.rb
@@ -5,6 +5,8 @@ module Ci
module Parsers
module Security
class ContainerScanning < Common
+ include Gitlab::Utils::StrongMemoize
+
private
def create_location(location_data)
@@ -20,7 +22,18 @@ def create_location(location_data)
def default_branch_image(location_data)
return if @report.pipeline.default_branch?
- location_data['default_branch_image']
+ default_branch_image = location_data['default_branch_image']
+ return unless default_branch_vulnerability(default_branch_image)
+
+ default_branch_image
+ end
+
+ def default_branch_vulnerability(default_branch_image)
+ strong_memoize do
+ ::Vulnerabilities::Read.find_by(project_id: report.project_id,
+ report_type: report.type,
+ location_image: default_branch_image)
+ end
end
end
end
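Review bot: default_branch_vulnerability takes default_branch_image as an argument, but the bare strong_memoize block is keyed only on the method, so once the lookup has run for one image the same result is returned for every later call on this parser instance, even with a different default_branch_image; a report whose findings carry different default-branch images would validate all of them against the first one. Key the memoization on the image (e.g. strong_memoize_with(:default_branch_vulnerability, default_branch_image), or a hash memoized per image) so each distinct value is looked up once. Two smaller points in the same hunk: default_branch_image reads @report.pipeline while the new method reads report.project_id and report.type, so either confirm a reader exists or use @report consistently; and since only presence matters, ::Vulnerabilities::Read.exists?(project_id: ..., report_type: ..., location_image: ...) avoids loading the record that find_by returns.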
Edited by Dominic Bauer