Dependency list is not showing related vulnerabilities from container-scanning reports
Summary
We have recently enabled generating a Dependency Scanning report in the container-scanning analyzer. This helps us better understand what is installed in the container image. However, the Dependency List is not showing the related vulnerabilities from container-scanning reports.
Steps to reproduce
- Clone https://gitlab.com/gitlab-org/protect/demos/sandbox/test-cs-with-lang-vulns
- Run pipeline for cloned project
- Go to Security & Compliance -> Vulnerability report, you will see vulnerabilities found for Java packages
- Go to Security & Compliance -> Dependency list, you will see that vulnerabilities are not presented in this list
Example Project
https://gitlab.com/gitlab-org/protect/demos/sandbox/test-cs-with-lang-vulns
What is the current bug behavior?
Vulnerabilities found by the container-scanning analyzer are not presented as detected vulnerabilities in the Dependency List.
What is the expected correct behavior?
Vulnerabilities found by the container-scanning analyzer are presented as detected vulnerabilities in the Dependency List.
Relevant logs and/or screenshots
Possible fixes
- Update https://gitlab.com/gitlab-org/gitlab/blob/master/ee/app/services/security/dependency_list_service.rb#L4 to fetch vulnerabilities from the container-scanning report when preparing a dependency list.
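To illustrate the gap described above, the following added example (not GitLab's code, and not the service linked in the fix) builds a dependency list from constructed sample data and attaches findings keyed by package name and exact version; filtering on `dependency_scanning` alone reproduces the current behaviour, while including `container_scanning` gives the expected result. Package names, versions and severities are all constructed.

```ruby
# Constructed sample data (not real GitLab report output).
DEPENDENCIES = [
  { 'name' => 'com.example:parser-lib', 'version' => '1.2.0', 'package_manager' => 'maven' },
  { 'name' => 'org.example:http-client', 'version' => '3.0.1', 'package_manager' => 'maven' },
  { 'name' => 'openssl', 'version' => '1.1.1k', 'package_manager' => 'apk' }
].freeze

FINDINGS = [
  { 'report_type' => 'dependency_scanning', 'severity' => 'high',
    'package' => 'com.example:parser-lib', 'version' => '1.2.0' },
  { 'report_type' => 'container_scanning', 'severity' => 'critical',
    'package' => 'org.example:http-client', 'version' => '3.0.1' },
  { 'report_type' => 'container_scanning', 'severity' => 'medium',
    'package' => 'openssl', 'version' => '1.1.1k' },
  # Same package, different version: must not be attached to 3.0.1.
  { 'report_type' => 'container_scanning', 'severity' => 'low',
    'package' => 'org.example:http-client', 'version' => '2.9.0' }
].freeze

# A finding only belongs to a dependency when both name and version match.
def dependency_key(name, version)
  "#{name}@#{version}"
end

# Build the dependency list, attaching only findings from the given report types.
# Restricting report_types to dependency_scanning mirrors the bug; adding
# container_scanning mirrors the proposed fix.
def build_dependency_list(dependencies, findings, report_types:)
  by_key = Hash.new { |h, k| h[k] = [] }
  findings.each do |f|
    next unless report_types.include?(f['report_type'])
    by_key[dependency_key(f['package'], f['version'])] << f
  end
  dependencies.map do |dep|
    dep.merge('vulnerabilities' => by_key[dependency_key(dep['name'], dep['version'])])
  end
end

# Summarise how many findings each dependency carries.
def vulnerability_counts(list)
  list.to_h { |d| [d['name'], d['vulnerabilities'].size] }
end

if __FILE__ == $PROGRAM_NAME
  ds_only = build_dependency_list(DEPENDENCIES, FINDINGS, report_types: %w[dependency_scanning])
  both = build_dependency_list(DEPENDENCIES, FINDINGS, report_types: %w[dependency_scanning container_scanning])
  puts "dependency_scanning only:  #{vulnerability_counts(ds_only)}"
  puts "with container_scanning:   #{vulnerability_counts(both)}"
end
```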
Edited by Alan (Maciej) Paruszewski