Image IDs not in log of SAST, Dependency Scanning
Summary
The output of the sast and dependency_scanning jobs only gives the SHA256 of the images, not the IDs.
Since the Container Registry page only gives the image IDs, it's difficult to know which image has been used. This applies to SAST, Dependency Scanning (DS) and their analyzers.
Steps to reproduce
Set up a project with a dependency_scanning job and trigger a pipeline. The log contains the sha256 of the images used to scan the project but not the image IDs.
Example Project
https://gitlab.com/gitlab-org/security-products/tests/java-maven/-/jobs/229575137
This project was scanned with registry.gitlab.com/gitlab-org/security-products/dependency-scanning:12-0-stable and the sha256 is 997bd5103eef768bdebe11e7a2b930dbed287712f4db68d9beb0963e750d0f17. But on the Container Registry page the Tag ID column gives 7685f3b5c. This can be resolved using the command line:
$ docker pull registry.gitlab.com/gitlab-org/security-products/dependency-scanning:12-0-stable
12-0-stable: Pulling from gitlab-org/security-products/dependency-scanning
Digest: sha256:997bd5103eef768bdebe11e7a2b930dbed287712f4db68d9beb0963e750d0f17
Status: Image is up to date for registry.gitlab.com/gitlab-org/security-products/dependency-scanning:12-0-stable
$ docker images registry.gitlab.com/gitlab-org/security-products/dependency-scanning:12-0-stable
REPOSITORY TAG IMAGE ID CREATED SIZE
registry.gitlab.com/gitlab-org/security-products/dependency-scanning 12-0-stable 7685f3b5c162 7 days ago 11.7MB
Same goes for the Gemnasium Maven analyzer used during the scan. Here's what the log tells us:
Digest: sha256:2222a699d43cee0a16a771b2e77cdb0160bc49b2346821b80d0ad194163cb472
Status: Downloaded newer image for registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven:set-maven-home
But on the Container Registry page of the gemnasium-maven project, the Tag ID is bd2ac78ca.
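The mismatch above comes from two different hashes: `docker pull` prints the digest of the image manifest, while `docker images` and the registry's Tag ID column show the image ID, which is the digest of the image config blob that the manifest names in its `config.digest` field. The script below is an added example written for this issue, not code from GitLab or the analyzers: it parses job-log lines of the shape quoted above into a reference-to-digest map, reads the image ID out of a manifest, and checks a truncated Tag ID against it. The manifest and config blobs are constructed stand-ins for what a registry would serve, so the hashes they produce are illustrative only.

```python
import hashlib
import json
import re
from typing import Dict

# Constructed sample: job-log lines in the shape quoted in the issue, not a real capture.
SAMPLE_LOG = """\
12-0-stable: Pulling from gitlab-org/security-products/dependency-scanning
Digest: sha256:997bd5103eef768bdebe11e7a2b930dbed287712f4db68d9beb0963e750d0f17
Status: Image is up to date for registry.gitlab.com/gitlab-org/security-products/dependency-scanning:12-0-stable
Digest: sha256:2222a699d43cee0a16a771b2e77cdb0160bc49b2346821b80d0ad194163cb472
Status: Downloaded newer image for registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven:set-maven-home
"""

DIGEST_RE = re.compile(r"^Digest: (sha256:[0-9a-f]{64})$")
STATUS_RE = re.compile(r"^Status: .+ for (\S+)$")


def parse_pulls(log: str) -> Dict[str, str]:
    """Map every image reference pulled in a job log to its manifest digest.

    `docker pull` prints the Digest line before the Status line that names the
    reference, so the last digest seen is attached to the next Status line.
    """
    pulls: Dict[str, str] = {}
    pending = None
    for raw in log.splitlines():
        line = raw.strip()
        m = DIGEST_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            pulls[m.group(1)] = pending
            pending = None
    return pulls


def sha256_digest(blob: bytes) -> str:
    """Content digest in the 'sha256:<hex>' form registries and docker use."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def image_id_from_manifest(manifest_json: bytes) -> str:
    """Read the image ID out of a v2/OCI manifest.

    The manifest digest (what `docker pull` prints) is the hash of the manifest
    bytes. The image ID (what `docker images` and the registry Tag ID column
    show) is the hash of the config blob, which the manifest records in
    config.digest. Fetching the manifest by its digest and reading this field
    is enough to get from a log line to a registry Tag ID without a local pull.
    """
    manifest = json.loads(manifest_json)
    return manifest["config"]["digest"]


def short_id(full_id: str, length: int = 9) -> str:
    """Truncate 'sha256:<hex>' the way UI columns do; the registry page shows 9 hex chars."""
    return full_id.split(":", 1)[1][:length]


def matches_tag_id(full_id: str, tag_id: str) -> bool:
    """True when a truncated Tag ID is a prefix of the full image ID."""
    return full_id.split(":", 1)[1].startswith(tag_id)


# Constructed config blob and manifest standing in for what a registry serves.
CONFIG_BLOB = json.dumps({"architecture": "amd64", "os": "linux",
                          "rootfs": {"type": "layers", "diff_ids": []}}).encode()
MANIFEST_BLOB = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
               "size": len(CONFIG_BLOB), "digest": sha256_digest(CONFIG_BLOB)},
    "layers": [],
}).encode()


def demo() -> Dict[str, object]:
    """Run the log parser and the manifest-to-image-ID resolution on the constructed data."""
    manifest_digest = sha256_digest(MANIFEST_BLOB)
    image_id = image_id_from_manifest(MANIFEST_BLOB)
    return {
        "pulls": parse_pulls(SAMPLE_LOG),
        "manifest_digest": manifest_digest,
        "image_id": image_id,
        "tag_id": short_id(image_id),
        "same_hash": manifest_digest == image_id,
    }


if __name__ == "__main__":
    result = demo()
    for ref, digest in result["pulls"].items():
        print(f"{ref}\n  manifest digest (from log): {digest}")
    print("image ID (manifest config.digest):", result["image_id"])
    print("registry Tag ID prefix:           ", result["tag_id"])
    print("manifest digest == image ID?      ", result["same_hash"])
```

Against a real registry the same resolution is `GET /v2/<name>/manifests/<digest>` with the manifest media type in `Accept`, then the `config.digest` field; the first 9 hex characters of that value are what the Container Registry page lists as Tag ID, which is why 7685f3b5c from the page matches the 7685f3b5c162 that `docker images` prints.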
What is the current bug behavior?
Job log contains no image ID. The refs contained in the log have no match on the Container Registry page of Dependency Scanning and its analyzers.
What is the expected correct behavior?
Job log contains image IDs.
Possible fixes
We can improve the common/orchestrator in order to add the image id (Tag ID) to the log.
That being said, the problem will vanish when getting rid of the Docker-in-Docker requirement, see &971 (closed). Proof: the log of the license-management job already contains a reference that matches the Container Registry, and this job doesn't use DinD.