Correctly deduplicate vulnerabilities with 8 digit image tags
What does this MR do and why?
Exclude 8-digit numbers from the location fingerprint when performing vulnerability deduplication. Relates to https://gitlab.com/gitlab-com/sec-sub-department/section-sec-request-for-help/-/issues/157#note_1678298788.
This means that when two different images are tagged with short hashes such as `my-image:62011677` and `my-image:e2e32c98`, these will be grouped in the vulnerability report instead of being displayed as separate line items. It's still ambiguous whether `62011677` is a hash or a number, but since version numbers rarely become that large, this is the quickest way to fix the case where we have a short-ref tagging scheme.
How to set up and validate locally
Start the rails console and run this code:
# Print the fingerprint data for a hex short-ref tag, an 8-digit tag and two version tags
%w[my-image:e2e32c98 my-image:62011677 my-image:1 my-image:1.0].each do |image_name|
  puts Gitlab::Ci::Reports::Security::Locations::ContainerScanning
    .new(image: image_name, operating_system: 'alpine', package_name: 'glibc')
    .fingerprint_data
end
The expected output is:
my-image:glibc
my-image:glibc
my-image:1:glibc
my-image:1.0:glibc
The output before this change is:
my-image:glibc
my-image:62011677:glibc
my-image:1:glibc
my-image:1.0:glibc
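The before/after behaviour above, as an added stand-alone example that is not GitLab's own code: it models the container scanning location's "keep the tag only if it looks like a version" rule with `Gem::Version.correct?` plus a long-hex-digest exclusion (an assumption for this illustration, as are the method names), and adds the 8-digit exclusion this MR introduces. The `exclude_eight_digit:` flag switches between the old and new behaviour so both output lists can be reproduced.

```ruby
require 'rubygems'
require 'digest'

# Assumed rules (not GitLab's code): a tag that is a 32-128 character hex
# string is treated as an image digest, and a tag that is exactly 8 digits
# is treated as a short commit ref rather than a version number.
HASH_LIKE = /\A[0-9a-f]{32,128}\z/i
EIGHT_DIGIT = /\A\d{8}\z/

# A tag stays in the fingerprint only when it parses as a version number,
# is not a long hex digest and, with exclude_eight_digit: true (the
# behaviour after this MR), is not an 8-digit number.
def version_like?(tag, exclude_eight_digit:)
  return false unless Gem::Version.correct?(tag)
  return false if HASH_LIKE.match?(tag)
  return false if exclude_eight_digit && EIGHT_DIGIT.match?(tag)

  true
end

# Image reference as used in the fingerprint: the tag is dropped unless it
# looks like a version. Splits on the first ':' like the console example.
def image_name_for_fingerprint(image, exclude_eight_digit:)
  base_name, tag = image.split(':', 2)
  return image if tag && version_like?(tag, exclude_eight_digit: exclude_eight_digit)

  base_name
end

# Equivalent of fingerprint_data: "<image for fingerprint>:<package>".
def fingerprint_data(image:, package_name:, exclude_eight_digit: true)
  "#{image_name_for_fingerprint(image, exclude_eight_digit: exclude_eight_digit)}:#{package_name}"
end

# The location fingerprint is a digest of that data; two locations that
# produce the same fingerprint are deduplicated into one report line.
def fingerprint(image:, package_name:, exclude_eight_digit: true)
  Digest::SHA1.hexdigest(
    fingerprint_data(image: image, package_name: package_name, exclude_eight_digit: exclude_eight_digit)
  )
end

if __FILE__ == $PROGRAM_NAME
  %w[my-image:e2e32c98 my-image:62011677 my-image:1 my-image:1.0].each do |image|
    before = fingerprint_data(image: image, package_name: 'glibc', exclude_eight_digit: false)
    after = fingerprint_data(image: image, package_name: 'glibc')
    puts "#{image.ljust(18)} before: #{before.ljust(24)} after: #{after}"
  end
end
```

Running the script prints the same four "before" and "after" lines as the console session above; the 8-digit and hex-tagged images end up with identical fingerprints only after the change.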
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.