Container Scanning should not store vulnerabilities that are whitelisted with Clair config file
Summary
The current implementation of storing Container Scanning results in the database doesn't distinguish whitelisted vulnerabilities from unapproved ones.
Steps to reproduce
- Set up Container Scanning on a test project that contains at least one vulnerability
- Add a clair-whitelist.yml config file that whitelists some of these vulnerabilities
- Run a pipeline
Example Project
What is the current bug behavior?
Whitelisted vulnerabilities that are reported are stored in the DB and listed in the Group Security Dashboard.
What is the expected correct behavior?
Whitelisted vulnerabilities that are reported are NOT stored in the DB and thus don't show up in the Group Security Dashboard.
Possible fixes
Like we do in the frontend when parsing the report artifacts directly, we should filter the vulnerabilities array to keep only the CVEs listed in the unapproved array when parsing on the ~backend.
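As an illustration of the filter described above, here is an added example (not GitLab's own code) that parses a constructed clair-scanner style report and keeps only the entries whose CVE id appears in the report's unapproved array. The field names (unapproved, vulnerabilities, vulnerability) follow the clair-scanner JSON layout as an assumption, and the CVE ids and image name are constructed placeholders. One caveat a practitioner would want: a report with no unapproved key at all is treated as "nothing approved" and every finding is kept, so a malformed or truncated report never silently hides vulnerabilities.

```ruby
require 'json'
require 'set'

# Constructed sample of a clair-scanner style report (not a real scan result).
# CVE-0000-0001 is whitelisted: it appears in "vulnerabilities" but not in
# "unapproved", so it should not be stored or shown on the dashboard.
SAMPLE_REPORT = <<~JSON
  {
    "image": "registry.example.invalid/group/project:latest",
    "unapproved": ["CVE-0000-0002", "CVE-0000-0003"],
    "vulnerabilities": [
      { "featurename": "libfoo", "featureversion": "1.0", "vulnerability": "CVE-0000-0001", "severity": "High" },
      { "featurename": "libbar", "featureversion": "2.3", "vulnerability": "CVE-0000-0002", "severity": "Medium" },
      { "featurename": "libbaz", "featureversion": "0.9", "vulnerability": "CVE-0000-0003", "severity": "Critical" }
    ]
  }
JSON

# Split a report into [unapproved, whitelisted] vulnerability arrays.
# Entries are matched on the CVE id in the "vulnerability" field.
# If the "unapproved" key is absent, nothing is considered approved and all
# findings are returned as unapproved (fail towards reporting, not hiding).
def partition_vulnerabilities(report_json)
  report = JSON.parse(report_json)
  vulns = Array(report['vulnerabilities'])
  return [vulns, []] unless report.key?('unapproved')

  unapproved_ids = Set.new(Array(report['unapproved']))
  vulns.partition { |vuln| unapproved_ids.include?(vuln['vulnerability']) }
end

# The subset that should be persisted to the database.
def unapproved_vulnerabilities(report_json)
  partition_vulnerabilities(report_json).first
end

# The subset dropped by the Clair whitelist, useful for a debug log line.
def whitelisted_vulnerabilities(report_json)
  partition_vulnerabilities(report_json).last
end

if $PROGRAM_NAME == __FILE__
  kept = unapproved_vulnerabilities(SAMPLE_REPORT).map { |v| v['vulnerability'] }
  dropped = whitelisted_vulnerabilities(SAMPLE_REPORT).map { |v| v['vulnerability'] }
  puts "store:    #{kept.join(', ')}"
  puts "whitelisted (skipped): #{dropped.join(', ')}"
end
```

The same partition can be run over the frontend's parsed artifact to confirm both sides agree on which ids are persisted.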