Grype to only report OS findings in container-scanning
Why are we doing this work
We already have an analyzer dedicated to reporting security findings in dependencies (dependency scanning). If the container-scanning analyzer also reports findings in dependencies (e.g. Python packages, RubyGems), the same finding can appear twice in the security report.
Until we have a better way of correlating and deduplicating findings across analyzers, each report should stay focused on its own area.
To this end, we need Grype to report only OS-package findings. The equivalent setting for Trivy is --vuln-type os.
Relevant links
Non-functional requirements
- Documentation:
- Feature flag:
- Performance:
- Testing:
Implementation plan
- backend: modify the lib/gitlab.grype.tpl template so that a vulnerability is only added when .Artifact.Language is empty. Grype leaves the language empty for OS packages (deb, rpm, apk) and sets it for language ecosystems (python, ruby, ...), so the guard around the range body must be true for OS packages and false for everything else. Note the comparison is eq, not ne; with ne the filter is inverted and keeps exactly the language findings we want to drop:
{{ if eq .Artifact.Language "" -}}
... everything in range body ...
{{- end -}}
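To check the guard before touching the real template, here is an added Go example (not GitLab's or Grype's code) that parses a constructed Grype JSON document with text/template and renders only the matches whose artifact has no language. The field names (.Artifact.Language, .Vulnerability.ID, artifact.type) are Grype's real JSON fields; the sample packages, the EXAMPLE-* placeholder identifiers and the one-line-per-match output format are assumptions made for the demo. The same renderer is also run with the inverted comparison (ne) to show that it keeps exactly the language findings instead of the OS ones.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
	"text/template"
)

// grypeDoc mirrors the subset of Grype's JSON document that the template
// reads: matches[].vulnerability and matches[].artifact. Field names follow
// the real Grype output; any other fields are ignored by encoding/json.
type grypeDoc struct {
	Matches []struct {
		Vulnerability struct {
			ID       string `json:"id"`
			Severity string `json:"severity"`
		} `json:"vulnerability"`
		Artifact struct {
			Name     string `json:"name"`
			Version  string `json:"version"`
			Type     string `json:"type"`
			Language string `json:"language"`
		} `json:"artifact"`
	} `json:"matches"`
}

// sampleGrypeJSON is a constructed document (placeholder ids, not real CVEs):
// two OS packages (deb and apk, empty language) and one Python package.
const sampleGrypeJSON = `{
  "matches": [
    {"vulnerability": {"id": "EXAMPLE-OS-1", "severity": "High"},
     "artifact": {"name": "libssl1.1", "version": "1.1.1n", "type": "deb", "language": ""}},
    {"vulnerability": {"id": "EXAMPLE-PY-1", "severity": "Medium"},
     "artifact": {"name": "requests", "version": "2.25.1", "type": "python", "language": "python"}},
    {"vulnerability": {"id": "EXAMPLE-OS-2", "severity": "Low"},
     "artifact": {"name": "musl", "version": "1.2.2-r7", "type": "apk", "language": ""}}
  ]
}`

// matchTemplate builds a reduced stand-in (assumed format, one line per
// match) for the range body of the report template, wrapped in the guard
// from the implementation plan. cmp is the template comparison function:
// "eq" keeps OS packages (empty language); "ne" inverts the filter.
func matchTemplate(cmp string) string {
	return `{{- range .Matches -}}
{{- if ` + cmp + ` .Artifact.Language "" -}}
{{ .Vulnerability.ID }} {{ .Artifact.Name }} {{ .Artifact.Version }} {{ .Artifact.Type }}
{{ end -}}
{{- end -}}`
}

// renderMatches parses a Grype JSON document and renders it through the
// guarded template, returning one line per match that passed the guard.
func renderMatches(grypeJSON, cmp string) ([]string, error) {
	var doc grypeDoc
	if err := json.Unmarshal([]byte(grypeJSON), &doc); err != nil {
		return nil, fmt.Errorf("parse grype json: %w", err)
	}
	tmpl, err := template.New("report").Parse(matchTemplate(cmp))
	if err != nil {
		return nil, fmt.Errorf("parse template: %w", err)
	}
	var out bytes.Buffer
	if err := tmpl.Execute(&out, doc); err != nil {
		return nil, fmt.Errorf("execute template: %w", err)
	}
	text := strings.TrimSpace(out.String())
	if text == "" {
		return []string{}, nil
	}
	return strings.Split(text, "\n"), nil
}

// renderOSOnly is the intended behaviour: only OS-package findings survive.
func renderOSOnly(grypeJSON string) ([]string, error) {
	return renderMatches(grypeJSON, "eq")
}

func main() {
	osOnly, err := renderOSOnly(sampleGrypeJSON)
	if err != nil {
		panic(err)
	}
	fmt.Println("OS findings only (eq):")
	for _, l := range osOnly {
		fmt.Println("  " + l)
	}
	inverted, _ := renderMatches(sampleGrypeJSON, "ne")
	fmt.Println("inverted guard (ne) keeps only language findings:")
	for _, l := range inverted {
		fmt.Println("  " + l)
	}
}
```

The demo body emits plain lines, so skipping a match has no side effects. If the real range body emits a JSON object per match with a comma separator keyed on the loop index, check that skipping the first match (or all of them) does not leave a leading comma or an empty list in the report.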
Edited by Sashi Kumar Kumaresan