Vulnerability dashboard does not aggregate security scanning results from child pipelines
Summary
The Vulnerability Dashboard view of the most recent pipeline does not aggregate scan results from more than one source (e.g. child pipelines, or multiple container scanning jobs in one pipeline). This breaks the Activity filter's automatic detection of whether a vulnerability is still present or no longer detected.
Steps to reproduce
Fork this project and run its pipeline if the vulnerability dashboard is available to you. It scans two arbitrarily chosen sample images so that vulnerabilities come from two source images. https://gitlab.com/kotlab/cs-vulnerability-dashboard-example
What is the current bug behavior?
The vulnerability dashboard uses a last-in-wins approach when deciding which vulnerabilities are newly detected or no longer detected: each scanning job's results overwrite the state set by the previous job. Eventually all sources lose. Vulnerabilities that do actually exist in a container image show up as no longer detected in the activity filter.
Child pipeline vulnerabilities do not show up in the parent pipeline's security tab on the pipeline view page, either. (Possibly related)
All of the vulnerabilities do show up in the project vulnerability report on the project page, but our security team can't make heads or tails of whether vulnerabilities are still present or not.
What is the expected correct behavior?
Each container source would be tracked separately (at least for child pipelines).
Relevant logs and/or screenshots
(Omitting details to protect customer privacy)
Output of checks
This bug happens on GitLab.com
This bug happens on Self-Hosted instances
Possible fixes
Modify the code that selects the list of vulnerabilities to mark as resolved_on_default_branch so that it compares against the union of findings from all jobs of the same scanner type (across the root pipeline and its child pipelines), instead of comparing against each job separately.
Implementation Plan
- Create a feature flag to toggle new/old behavior #417486 (closed)
- Fetch security scans for root pipeline and descendant pipelines (use feature flag). source
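The following Ruby script is an added illustration of the bug and the fix described under "Possible fixes" and "Implementation Plan"; it is not GitLab's code. The pipeline ids, job names, CVE keys and the `PIPELINES`/`SCANS` structures are constructed for the example. It contrasts a per-job last-in-wins comparison (each container scanning job overwrites the detected/resolved state set by the previous job) with a comparison against the union of findings collected from the root pipeline and all its descendant pipelines.

```ruby
require 'set'

# Constructed sample data (not from GitLab): pipelines keyed by id, with the
# parent id for child pipelines. Pipeline 12 belongs to a different run and
# must not influence the result for root pipeline 10.
PIPELINES = {
  10 => { parent: nil },
  11 => { parent: 10 },
  12 => { parent: nil }
}.freeze

# Vulnerabilities currently recorded for the default branch, keyed as
# "<identifier>@<image>" (constructed).
EXISTING = %w[CVE-A@image-one CVE-B@image-one CVE-C@image-two].freeze

# Scan reports from this run: two container scanning jobs, one in the root
# pipeline and one in its child pipeline. CVE-B was genuinely fixed in
# image-one; CVE-A and CVE-C are still present (constructed).
SCANS = [
  { pipeline: 10, job: 'container_scanning:image-one', findings: %w[CVE-A@image-one] },
  { pipeline: 11, job: 'container_scanning:image-two', findings: %w[CVE-C@image-two] },
  { pipeline: 12, job: 'container_scanning', findings: [] }
].freeze

# Root pipeline id plus every descendant (child, grandchild, ...) pipeline id.
def descendant_ids(root, pipelines)
  ids = [root]
  loop do
    more = pipelines.select { |id, p| ids.include?(p[:parent]) && !ids.include?(id) }.keys
    break if more.empty?
    ids.concat(more)
  end
  ids
end

# Only the scans that belong to the root pipeline and its descendants.
def scans_for_root(root, pipelines, scans)
  ids = descendant_ids(root, pipelines)
  scans.select { |s| ids.include?(s[:pipeline]) }
end

# Buggy "last in wins": each job of the same scanner type is compared on its
# own against every existing vulnerability, and each comparison overwrites
# the state written by the previous job, so only the last job's findings count.
def resolved_last_in_wins(existing, scans)
  state = {}
  scans.each do |scan|
    found = scan[:findings].to_set
    existing.each { |v| state[v] = found.include?(v) ? :detected : :resolved }
  end
  state.select { |_, s| s == :resolved }.keys.sort
end

# Fixed: union the findings of every scan in the root pipeline and its
# descendants first, then mark as resolved only what no job still reports.
def resolved_aggregated(existing, scans)
  detected = scans.flat_map { |s| s[:findings] }.to_set
  (existing.to_set - detected).to_a.sort
end

if $PROGRAM_NAME == __FILE__
  run = scans_for_root(10, PIPELINES, SCANS)
  puts "last in wins: #{resolved_last_in_wins(EXISTING, run).inspect}"
  puts "aggregated:   #{resolved_aggregated(EXISTING, run).inspect}"
end
```

With this data the last-in-wins comparison reports CVE-A as no longer detected even though the root pipeline's job still finds it, because the child pipeline's job ran last and overwrote that state; swapping the job order would instead wrongly resolve CVE-C. The aggregated comparison resolves only CVE-B, which no job reports any more.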