
Use default_branch_image from JSON report to fingerprint location

Why are we doing this work

Currently, users who run container scanning on a branch see a duplicate of the findings that already appear in the default branch, instead of only the findings newly introduced by that branch. We want to avoid reporting, on a branch, findings that are already present in the default branch. To achieve this, a new CI/CD variable, CS_DEFAULT_BRANCH_IMAGE, will be set by the user to the image that will be used to de-duplicate matching findings for the branch. The value set in this variable will be sent to GitLab Rails from gcs through the report JSON (gl-container-scanning-report.json).

This issue will address updating Gitlab::Ci::Parsers::Security::ContainerScanning to read the default_branch_image value from the location object in the JSON report. Gitlab::Ci::Reports::Security::Locations::ContainerScanning will be updated to use default_branch_image to fingerprint the location.

Requirements

  • The default_branch_image should be used to fingerprint the location only if the job runs for a non-default-branch pipeline.
  • For the initial iteration, we will not verify if default_branch_image is a valid image.
  • The CS_DEFAULT_BRANCH_IMAGE value should not be changed once it is set; if it is changed, de-duplication will not work as expected.

PoC MR could be used as a reference.
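A stand-alone Ruby sketch of the two changes described above (the parser reads default_branch_image from the location object; the location uses it for the fingerprint only in a non-default-branch pipeline), added here as an illustration and not the PoC MR's code. The class and method names, the fingerprint components and the sample report are assumptions:

```ruby
require 'json'
require 'digest'

# Constructed fragment of a gl-container-scanning-report.json (not a real report).
# The location carries the image the branch pipeline scanned plus the
# default_branch_image that gcs copied from CS_DEFAULT_BRANCH_IMAGE.
BRANCH_REPORT = <<~JSON
  {"vulnerabilities": [{"id": "placeholder-id-1", "location": {
    "image": "registry.example.com/group/app/feature-x:latest",
    "default_branch_image": "registry.example.com/group/app/main:latest",
    "operating_system": "alpine:3.14",
    "dependency": {"package": {"name": "openssl"}, "version": "1.1.1k-r0"}}}]}
JSON

# Stand-in for the Rails location object. The fingerprint components
# (image, OS, package, version) are an assumption for this example.
class ContainerScanningLocation
  attr_reader :image, :default_branch_image, :operating_system, :package_name, :package_version

  def initialize(image:, default_branch_image:, operating_system:, package_name:, package_version:)
    @image = image
    @default_branch_image = default_branch_image
    @operating_system = operating_system
    @package_name = package_name
    @package_version = package_version
  end

  # Requirement: substitute default_branch_image only in a non-default-branch pipeline,
  # so a finding already present on the default branch gets the same fingerprint.
  def fingerprint(default_branch_pipeline:)
    image_for_fingerprint = image
    if !default_branch_pipeline && !default_branch_image.to_s.empty?
      image_for_fingerprint = default_branch_image
    end
    Digest::SHA1.hexdigest([image_for_fingerprint, operating_system, package_name, package_version].join(':'))
  end
end

# Parser step: read default_branch_image from each location object in the report.
def parse_locations(json_text)
  JSON.parse(json_text).fetch('vulnerabilities').map do |vuln|
    loc = vuln.fetch('location')
    ContainerScanningLocation.new(
      image: loc.fetch('image'),
      default_branch_image: loc['default_branch_image'],
      operating_system: loc['operating_system'],
      package_name: loc.dig('dependency', 'package', 'name'),
      package_version: loc.dig('dependency', 'version')
    )
  end
end
```

A report without default_branch_image (or one scanned in the default-branch pipeline) keeps fingerprinting on the scanned image, so existing default-branch findings are unaffected.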

Relevant links

Non-functional requirements

  • Documentation:
    • Add CS_DEFAULT_BRANCH_IMAGE to doc/user/application_security/container_scanning/index.md
    • Mention that the variable should not be updated once it is set. If it is changed the feature will not work as expected.
    • Since the value set in CS_DEFAULT_BRANCH_IMAGE will not be validated, the documentation should mention that the user should follow a proper naming convention for CS_DEFAULT_BRANCH_IMAGE. Preferable values are:
      • $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:latest
      • $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:CI_DEFAULT_BRANCH
  • [-] Feature flag:
  • [-] Performance:
  • Testing:
    • Test that setting CS_DEFAULT_BRANCH_IMAGE for an existing project with duplicate vulnerabilities does not create new duplicate vulnerabilities.

Implementation plan

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

Edited by Thiago Figueiró