Container Scanning should not store vulnerabilities that are whitelisted with Clair config file
Summary
The current implementation of "Store container scanning results in the database" does not distinguish whitelisted vulnerabilities from unapproved ones: every vulnerability in the report artifact is persisted, whether or not the Clair whitelist covers it.
Steps to reproduce
- Set up Container Scanning on a test project that contains at least one vulnerability
- Add a clair-whitelist.yml config file listing some of these vulnerabilities
- Run a pipeline
Example Project
What is the current bug behavior?
Whitelisted vulnerabilities that appear in the report are stored in the DB and listed in the Group Security Dashboard.
What is the expected correct behavior?
Whitelisted vulnerabilities that appear in the report are NOT stored in the DB and therefore do not show up in the Group Security Dashboard.
Possible fixes
Like we already do in the frontend when parsing the report artifacts directly, the ~backend parser should filter the vulnerabilities array and keep only the CVEs listed in the unapproved array before storing anything.
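The filtering step described above, written out as an added Ruby example (not GitLab's own parser code). It assumes the report artifact has the klar/Clair JSON shape with a top-level unapproved array of CVE ids and a vulnerabilities array whose entries carry a vulnerability field; the sample report is constructed for the example. It also handles the case where the report carries no unapproved key at all, in which case no whitelist was applied and nothing is dropped:

```ruby
require 'json'
require 'set'

# Constructed sample of a Container Scanning report artifact (the JSON the Clair/klar
# job emits): "unapproved" lists the CVE ids not covered by clair-whitelist.yml,
# "vulnerabilities" lists every finding. Field names are assumptions for this example.
SAMPLE_REPORT = <<~JSON
  {
    "image": "registry.example.com/group/project:latest",
    "unapproved": ["CVE-2019-0001"],
    "vulnerabilities": [
      {"featurename": "openssl", "featureversion": "1.1.0", "vulnerability": "CVE-2019-0001", "severity": "High"},
      {"featurename": "libxml2", "featureversion": "2.9.4", "vulnerability": "CVE-2019-0002", "severity": "Medium"}
    ]
  }
JSON

# Split the findings into the ones to persist (unapproved) and the ones the whitelist
# covers. When the report carries no "unapproved" key, no whitelist was applied, so
# every finding is treated as unapproved rather than silently dropped.
def partition_by_whitelist(report_json)
  report = JSON.parse(report_json)
  findings = Array(report['vulnerabilities'])
  return [findings, []] unless report.key?('unapproved')

  unapproved_ids = Set.new(Array(report['unapproved']))
  findings.partition { |finding| unapproved_ids.include?(finding['vulnerability']) }
end

# Only the unapproved findings should reach the database and the Group Security Dashboard.
def vulnerabilities_to_store(report_json)
  partition_by_whitelist(report_json).first
end

if __FILE__ == $PROGRAM_NAME
  to_store, whitelisted = partition_by_whitelist(SAMPLE_REPORT)
  puts "storing:     #{to_store.map { |v| v['vulnerability'] }.join(', ')}"
  puts "whitelisted: #{whitelisted.map { |v| v['vulnerability'] }.join(', ')}"
end
```

Keeping the whitelisted findings around (the second element of the partition) rather than discarding them outright lets the backend log what was filtered, which makes a mis-scoped whitelist entry visible during review instead of invisible in the dashboard.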