Allow to filter vulnerabilities by image name on the project dashboard - Backend

Main issue

This is the backend part for #215467 (closed)

Problem to solve

Improve the UX when multiple images report Container Scanning findings (or vulnerabilities, once the dashboard is converted to standalone vulnerabilities).

Proposal

  1. Add a new docker_image column to the vulnerability_occurrences table

  2. Migrate all existing entries in the vulnerability_occurrences table so they have a valid docker_image value.

    Decide whether to store the full registry URI of the image or only its basename. For example, which of the following should be stored?

    • registry.gitlab.com/adamcohen/container-scanning-multi-image/alpine1-test-two-same-images
    • alpine1-test-two-same-images

    If we store the full registry URI, we can always truncate it in the UI, but if we don't store enough information from the beginning, it won't be possible to recreate it later on.

  3. When a pipeline is run, store the Docker image name in the docker_image column of the vulnerability_occurrences table.

  4. Add a new ProjectVulnerabilityFindingsActions endpoint, such as docker_images, that returns the images related to a given project and pipeline.

  5. Update the ProjectVulnerabilityFindingsActions.index action to allow filtering by docker_image value, so that only vulnerabilities matching this image are returned.
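As an added illustration of steps 2 and 5 (example code, not GitLab's own), the block below parses image references of the form the docker_image column would hold and filters constructed findings by image. The image quoted in the issue is used as-is; the second image, the `other-group` namespace, and the `ImageRef`, `parse_image_ref`, `findings_for_image` and `findings_for_basename` names are assumptions made for the example. It shows why the full reference is the safer value to store: it can always be shortened for display, while a stored basename cannot be expanded back or disambiguated.

```ruby
# Added example, not GitLab's code. Parses "[registry/]path[:tag][@digest]" and
# filters constructed findings, standing in for vulnerability_occurrences rows.
ImageRef = Struct.new(:registry, :repository, :tag, :digest, keyword_init: true) do
  # Short display name: last path segment, without tag or digest.
  def basename
    repository.split("/").last
  end

  # Lossless canonical form, the value worth storing in docker_image.
  def to_s
    full = [registry, repository].compact.join("/")
    full += ":#{tag}" if tag
    full += "@#{digest}" if digest
    full
  end
end

# The first path component counts as a registry only when it looks like a host
# (contains "." or ":" or is "localhost"), matching Docker's own convention.
def parse_image_ref(ref)
  name, digest = ref.split("@", 2)
  parts = name.split("/")
  registry = parts.shift if parts.length > 1 && (parts.first =~ /[.:]/ || parts.first == "localhost")
  repo = parts.join("/")
  tag = nil
  # A ":" after the last "/" separates the tag; a registry port sits before the first "/".
  if (idx = repo.rindex(":")) && idx > (repo.rindex("/") || -1)
    tag = repo[(idx + 1)..-1]
    repo = repo[0...idx]
  end
  ImageRef.new(registry: registry, repository: repo, tag: tag, digest: digest)
end

# Constructed rows: the image quoted in the issue, and a hypothetical image with
# the same basename in another namespace (assumed for the example).
SAMPLE_FINDINGS = [
  { id: 1, docker_image: "registry.gitlab.com/adamcohen/container-scanning-multi-image/alpine1-test-two-same-images" },
  { id: 2, docker_image: "registry.gitlab.com/other-group/alpine1-test-two-same-images" }
].freeze

# Exact match on the stored value, as the index action filter would do.
def findings_for_image(findings, docker_image)
  findings.select { |f| f[:docker_image] == docker_image }
end
# Basename-only match, showing the ambiguity a truncated stored value would cause.
def findings_for_basename(findings, basename)
  findings.select { |f| parse_image_ref(f[:docker_image]).basename == basename }
end
```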

Edited by Adam Cohen