When creating issues from the Security Dashboard create separate issues for unrelated findings
Summary
Update: #214817 (comment 326636506) explains the behavior described in this issue and comes to the conclusion that it is a known limitation.
To prevent other users from running into this issue, I propose to update our third-party scanner integration docs (these are the docs I followed when I ran into this issue). There should be a section listing the limitations of our Container Scanning implementation. The limitations are:
- Container Scanning supports scanning at most 1 image per pipeline.
- Container Scanning does not support multiple scanners in the same project (or even group/instance?).
Note that these limitations are changing as we implement new features such as #205489 (closed).
I leave the original issue description below for reference. Understanding the direction from which I initially encountered this issue might be helpful for improving the docs.
Multiple, unrelated findings are linked to the same issue when clicking the Create Issue button in the security dashboard. This seems to happen for findings that share the same title, despite the findings' locations being different (see screenshot below).
This behavior should be changed so that separate issues can be created for unique findings. Since these findings were made in different locations, they will typically need different corrective actions; hence creating separate issues would make sense.
The dismiss logic suffers from the same problem; see #214817 (comment 326351043).
Follow-up issue from https://gitlab.com/gitlab-com/gl-security/engineering/-/issues/905#note_326222265
Steps to reproduce
- Have a pipeline create a report that contains two findings with the same title, but different locations. Example report: gl-container-scanning-report.json
- Open the security dashboard showing the report from the previous step.
- Create an issue for one of the findings. Note that the other finding for which you did not create an issue will also be linked to the same issue.
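To see in advance which findings in a report would be collapsed into one issue (or one dismissal) by this behavior, the following added example (not part of this issue or the linked example project) groups vulnerabilities by their title and reports any title that occurs at more than one location. The embedded report is a constructed sample in the shape of a gl-container-scanning-report.json, not the one attached to this issue; the field names follow the container scanning report format, and the fallback from `message` to `name` for the title is an assumption.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of a gl-container-scanning-report.json:
# the first two findings share a title but live in different images.
SAMPLE_REPORT = json.dumps({
    "version": "2.3",
    "vulnerabilities": [
        {"category": "container_scanning",
         "message": "CVE-EXAMPLE-0001 in libexample", "severity": "High",
         "location": {"image": "registry.example.com/app/web:1.0",
                      "operating_system": "debian:10",
                      "dependency": {"package": {"name": "libexample"}, "version": "1.2.3"}}},
        {"category": "container_scanning",
         "message": "CVE-EXAMPLE-0001 in libexample", "severity": "High",
         "location": {"image": "registry.example.com/app/worker:1.0",
                      "operating_system": "debian:10",
                      "dependency": {"package": {"name": "libexample"}, "version": "1.2.3"}}},
        {"category": "container_scanning",
         "message": "CVE-EXAMPLE-0002 in othertool", "severity": "Medium",
         "location": {"image": "registry.example.com/app/web:1.0",
                      "operating_system": "debian:10",
                      "dependency": {"package": {"name": "othertool"}, "version": "4.5"}}},
    ],
})


def finding_title(vuln):
    # Assumption: the dashboard title comes from "message", with "name" as fallback.
    return vuln.get("message") or vuln.get("name") or ""


def location_key(vuln):
    # Everything that distinguishes *where* a finding was made.
    loc = vuln.get("location", {})
    dep = loc.get("dependency", {})
    return (loc.get("image"), loc.get("operating_system"),
            dep.get("package", {}).get("name"), dep.get("version"))


def findings_at_risk_of_merging(report_json):
    """Return {title: [locations]} for every title seen at more than one location."""
    by_title = defaultdict(set)
    for vuln in json.loads(report_json).get("vulnerabilities", []):
        by_title[finding_title(vuln)].add(location_key(vuln))
    return {title: sorted(locs, key=str)
            for title, locs in by_title.items() if len(locs) > 1}


if __name__ == "__main__":
    for title, locs in findings_at_risk_of_merging(SAMPLE_REPORT).items():
        print(f"{title!r} appears at {len(locs)} locations and would be linked to one issue")
```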
Example Project
https://gitlab.com/gitlab-com/gl-security/appsec/container-scanners/-/security/dashboard/
What is the current bug behavior?
Multiple, unrelated findings are linked to the same issue when clicking Create Issue.
What is the expected correct behavior?
A separate issue can be created for each unique finding.
Relevant logs and/or screenshots
Note that all findings share the same title and link to the same issue, but were found in different Docker images.
Output of checks
This bug happens on GitLab.com