Projects without Container Scanning Vulnerabilities do not show up as Grade A in Group Security Dashboard
Summary
We recently introduced GitLab Container Scanning to lots of our projects. We also use the Group Security Dashboard to get a general overview of our projects' security ratings.
We noticed that when introducing container scanning to a new project that does not have any vulnerabilities, the project will not show up as 'Grade A' in the Group Security Dashboard. Other projects that do contain vulnerabilities, however, show up.
Steps to reproduce
- create a new project inside a group
- add container scanning CI step, which scans a project without vulnerabilities
- check the Group Security Dashboard, it will not show the newly scanned project as 'Grade A'
Example Project
We are using self-hosted GitLab 13.6.1-ee (a0e59de39b3), so we cannot provide a sample project. Feel free to look at the screenshots below.
What is the current bug behavior?
Projects where container scanning is introduced and no vulnerabilities were found do not show up as 'Grade A' in the Group Security Dashboard.
What is the expected correct behavior?
Projects where container scanning is introduced and no vulnerabilities were found show up as 'Grade A' in the Group Security Dashboard.
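To make the expected behaviour concrete, here is an added example (not part of this report and not GitLab's own code) that reads a gl-container-scanning-report.json artifact and derives the grade a dashboard should show for the project. The severity-to-grade ladder is an assumption modelled on GitLab's documented grades, and both report samples are constructed; the point is that an empty vulnerability list is a valid scan result and must map to 'A', while only a missing report means "never scanned".

```python
import json
from typing import Optional

# Constructed sample: the shape of gl-container-scanning-report.json as
# written by the klar/Clair analyzer; a clean image has an empty list.
CLEAN_REPORT = json.dumps({
    "version": "2.3",
    "vulnerabilities": [],
    "remediations": [],
})

# Constructed sample with one finding, to contrast the two cases.
# The CVE id is a placeholder, not a real identifier.
DIRTY_REPORT = json.dumps({
    "version": "2.3",
    "vulnerabilities": [
        {"category": "container_scanning",
         "name": "CVE-0000-0000 (placeholder)",
         "severity": "Medium",
         "scanner": {"id": "klar", "name": "klar"}}
    ],
    "remediations": [],
})

# Assumed ladder: the highest severity present decides the grade.
# Unrecognised severities are treated as "Unknown" (grade D).
SEVERITY_TO_GRADE = {"Critical": "F", "High": "D", "Unknown": "D",
                     "Medium": "C", "Low": "B"}
GRADE_ORDER = "FDCBA"  # worst to best


def grade_from_report(report_json: str) -> str:
    """Return the letter grade implied by one scanning report.

    An empty vulnerability list is a real result and yields 'A'.
    """
    report = json.loads(report_json)
    worst = "A"
    for vuln in report.get("vulnerabilities", []):
        grade = SEVERITY_TO_GRADE.get(vuln.get("severity", "Unknown"), "D")
        if GRADE_ORDER.index(grade) < GRADE_ORDER.index(worst):
            worst = grade
    return worst


def project_grade(report_json: Optional[str]) -> Optional[str]:
    """None means the project was never scanned and has no grade at all;
    any scanned project, clean or not, gets a grade."""
    if report_json is None:
        return None
    return grade_from_report(report_json)
```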
Relevant logs and/or screenshots
- Pipeline run, including the container scanning job, on the project's default branch:
- Result of container scanning job log:
[INFO] [klar] [2020-11-27T13:55:00Z] ▶ Clair API started successfully.
[INFO] [klar] [2020-11-27T13:55:00Z] ▶ Scanning container from registry 'REDACTED' for vulnerabilities with severity level 'Critical' or higher with klar '2.4.0' and clair 'v2.1.4'
[INFO] [klar] [2020-11-27T13:55:06Z] ▶ Shutting down Clair server with PID: 26
[INFO] [klar] [2020-11-27T13:55:06Z] ▶ Clair server shut down successfully
[INFO] [klar] [2020-11-27T13:55:06Z] ▶ Found Dockerfile with path: 'Dockerfile', using for remediations.
[INFO] [klar] [2020-11-27T13:55:06Z] ▶ Image [REDACTED] contains NO unapproved vulnerabilities
Uploading artifacts for successful job
00:01
Uploading artifacts...
gl-container-scanning-report.json: found 1 matching files and directories
Uploading artifacts as "container_scanning" to coordinator... ok id=2592995 responseStatus=201
Cleaning up file based variables
00:01
Job succeeded
- The project's Vulnerability Report shows no vulnerabilities, as expected
- The related Group Security Dashboard does not show the project as 'Grade A', which would be expected
Output of checks
Results of GitLab environment info
GitLab information
Version: 13.6.1-ee
Revision: a0e59de39b3
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 11.8