Skip to content

GitLab

Projects Groups Snippets

/

Help
Sign in / Register

GitLab
Project information
- Project information
- Activity
- Labels
- Members
Repository
- Repository
- Files
- Commits
- Branches
- Tags
- Contributors
- Graph
- Compare
- Locked Files
Issues 44,761
- Issues 44,761
- List
- Boards
- Service Desk
- Milestones
- Iterations
- Requirements
Merge requests 1,332
- Merge requests 1,332
CI/CD
- CI/CD
- Pipelines
- Jobs
- Schedules
- Test Cases
Deployments
- Deployments
- Environments
- Releases
Packages and registries
- Packages and registries
- Package Registry
- Container Registry
- Infrastructure Registry
Monitor
- Monitor
- Metrics
- Incidents
Analytics
- Analytics
- Value stream
- CI/CD
- Code review
- Insights
- Issue
- Repository
Snippets
- Snippets
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards

Collapse sidebar

GitLab.org
GitLab
Issues
#338877

Closed

Open

Issue created Aug 19, 2021 by Sashi Kumar Kumaresan @sashi_kumarDeveloper3 of 10 checklist items completed3/10 checklist items

Use default_branch_image from JSON report to fingerprint location

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

Why are we doing this work

Currently users who run container scanning in a branch will see a duplicate of the findings that appear in the default branch instead of just findings that are newly introduced by that branch. We want to avoid duplicate findings for branches that are already present in default branch. In order to achieve it, a new CI/CD variable CS_DEFAULT_BRANCH_IMAGE will be used by the user to set the image which will be used to de-duplicate similar findings for the branch. The value set in this variable will be sent to GitLab Rails from gcs through the report JSON (gl-container-scanning-report.json).

This issue will address updating Gitlab::Ci::Parsers::Security::ContainerScanning to read the default_branch_image value from location object in JSON report. Gitlab::Ci::Reports::Security::Locations::ContainerScanning will be updated to use default_branch_image to fingerprint the location.

Requirements

The default_branch_image should be used to fingerprint the location only if the job runs for non-default branch pipeline.
For the initial iteration, we will not verify if default_branch_image is a valid image.
CS_DEFAULT_BRANCH_IMAGE value should not be changed once it is set, changing so would not work the way it is expected.

PoC MR could be used as a reference.

Relevant links

Epic
Spike

Non-functional requirements

Documentation:
- Add CS_DEFAULT_BRANCH_IMAGE to doc/user/application_security/container_scanning/index.md
- Mention that the variable should not be updated once it is set. If it is changed the feature will not work as expected.
- Since the value set in CS_DEFAULT_BRANCH_IMAGE will not be validated, it should be mentioned that the user should follow a proper naming convention for CS_DEFAULT_BRANCH_IMAGE Preferable values are:
  - $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:latest
  - $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:CI_DEFAULT_BRANCH
[-] Feature flag:
[-] Performance:
Testing:
- Test if setting CS_DEFAULT_BRANCH_IMAGE for an existing project with duplicate vulnerabilities does not create new duplicate vulnerabilities

Implementation plan

backend Introduce new feature flag improved_container_scan_matching - #344534 (closed)
backend Introduce a new parameter is_default_branch to Gitlab::Ci::Parsers::Security::Common to denote if the job runs on default branch
backend Update Gitlab::Ci::Parsers::Security::ContainerScanning to read the default_branch_image value from location object in JSON report if is_default_branch is false
backend Update Gitlab::Ci::Reports::Security::Locations::ContainerScanning to use default_branch_image to fingerprint the location.

Edited Nov 02, 2021 by Brian Williams

Assignee

Assign to

Time tracking