Add system dependencies found by Container scanning to Dependency list
DUPLICATE OF &6698 (closed)
Release notes
Problem to solve
As a developer addressing vulnerabilities reported by Container Scanning, I want these vulnerabilities to be grouped by affected components, so that I can efficiently take action and spot components that need to be upgraded or removed.
Further details
This issue proposal is a result of dogfooding Secure features by the Composition Analysis group.
The Container Scanning (CS) tool finds vulnerabilities in a project's system-level dependencies. When triaging such vulnerabilities it would be useful to have the same visualization and vulnerability-specific information that we already have for application dependencies reported by Dependency Scanning (the Dependency list feature). Adding an additional layer of data to the Dependency list for CS dependencies improves the user experience of triaging CS vulnerabilities.
This is useful when similar vulnerabilities are found in different dependencies, like here, but it is clear that those dependencies are linked together: they may be transitive dependencies, and all of them could be fixed with a one-line change.
Prior art
- Trivy template for dependency_scanning.
- Proof-of-concept MR for the template above.
- Example project using a report generated by the PoC above.
Proposal
Add the components scanned by Container Scanning to the Dependency list so that they can be reviewed efficiently along with the vulnerabilities affecting them, in the same way as the components scanned by Dependency Scanning.
Currently Container Scanning scans OS-level dependencies (OS packages), whereas Dependency Scanning scans application-level dependencies (application packages).
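To make the grouping described in this proposal concrete, the following is an added example (not code from GitLab or from the PoC MR above) that merges a Container Scanning report and a Dependency Scanning report into one component-keyed dependency list, so that findings in the same OS package or application package sit together and the components with the most findings surface first. The report shape (a `vulnerabilities` list whose `location` names the image, operating system or dependency file and the package) is an assumption modelled on GitLab's security report JSON, and both sample reports are constructed for this illustration.

```python
"""Group Container Scanning and Dependency Scanning findings by the
component they affect, producing one combined dependency list.

Added example, not GitLab project code. The record shape below is an
assumption modelled on GitLab's security report JSON; both reports are
constructed sample data.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: a Container Scanning report. OS-level packages are
# identified by image, operating system, package name and version.
CONTAINER_SCANNING_REPORT = {
    "scan": {"type": "container_scanning"},
    "vulnerabilities": [
        {"id": "cs-1", "name": "Example issue in libfoo", "severity": "High",
         "location": {"image": "registry.example/app:1.0",
                      "operating_system": "debian:11",
                      "dependency": {"package": {"name": "libfoo"}, "version": "1.2.3"}}},
        {"id": "cs-2", "name": "Second example issue in libfoo", "severity": "Medium",
         "location": {"image": "registry.example/app:1.0",
                      "operating_system": "debian:11",
                      "dependency": {"package": {"name": "libfoo"}, "version": "1.2.3"}}},
        {"id": "cs-3", "name": "Example issue in libbar", "severity": "Low",
         "location": {"image": "registry.example/app:1.0",
                      "operating_system": "debian:11",
                      "dependency": {"package": {"name": "libbar"}, "version": "0.9"}}},
    ],
}

# Constructed sample: a Dependency Scanning report. Application packages are
# identified by the dependency file they come from plus name and version.
DEPENDENCY_SCANNING_REPORT = {
    "scan": {"type": "dependency_scanning"},
    "vulnerabilities": [
        {"id": "ds-1", "name": "Example issue in requests", "severity": "High",
         "location": {"file": "requirements.txt",
                      "dependency": {"package": {"name": "requests"}, "version": "2.19.0"}}},
    ],
}

# (scanner type, where the package lives, package name, version)
Component = Tuple[str, str, str, str]


def component_key(scan_type: str, vuln: dict) -> Component:
    """Build the component identity a finding belongs to.

    Container Scanning findings are keyed by image + OS, Dependency Scanning
    findings by the dependency file, so the same package name in two images
    (or in an image and a lockfile) stays distinct in the list.
    """
    loc = vuln["location"]
    pkg = loc["dependency"]["package"]["name"]
    version = loc["dependency"].get("version", "")
    if scan_type == "container_scanning":
        where = f'{loc["image"]} ({loc["operating_system"]})'
    else:
        where = loc["file"]
    return (scan_type, where, pkg, version)


def build_dependency_list(reports: List[dict]) -> Dict[Component, List[dict]]:
    """Merge several reports into one component -> findings mapping."""
    grouped: Dict[Component, List[dict]] = defaultdict(list)
    for report in reports:
        scan_type = report["scan"]["type"]
        for vuln in report["vulnerabilities"]:
            grouped[component_key(scan_type, vuln)].append(vuln)
    return dict(grouped)


def components_by_finding_count(grouped: Dict[Component, List[dict]]) -> List[Tuple[Component, int]]:
    """Rank components so the ones carrying the most findings surface first."""
    return sorted(((comp, len(findings)) for comp, findings in grouped.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    dep_list = build_dependency_list([CONTAINER_SCANNING_REPORT, DEPENDENCY_SCANNING_REPORT])
    for comp, count in components_by_finding_count(dep_list):
        scanner, where, pkg, version = comp
        print(f"{pkg} {version} [{scanner} @ {where}]: {count} finding(s)")
```

With the constructed input, `libfoo 1.2.3` in the image is listed first with two findings, which is exactly the "one component, several vulnerabilities, one upgrade" view the proposal asks for; keying on image and OS rather than package name alone keeps OS packages and same-named application packages from being merged by mistake.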