Check if value in CS_DEFAULT_BRANCH_IMAGE is valid

Why are we doing this work

As part of &5577 (closed), CS_DEFAULT_BRANCH_IMAGE will be introduced to de-duplicate findings. For the first iteration, we decided not to validate the value set in CS_DEFAULT_BRANCH_IMAGE. This might cause problems when the image that is set is invalid and does not exist in already reported findings. This issue will address the validation of CS_DEFAULT_BRANCH_IMAGE by checking the vulnerability_reads table for whether the image already exists in the location_image field.
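The check described above, written out as an added example that is not the project's code: the vulnerability_reads table is replaced by an in-memory array of constructed sample rows, and the class name DefaultBranchImageValidator, its keyword arguments and the lookups counter are assumptions made for illustration. The real column names project_id, report_type and location_image are kept. The example also covers the cases the description points at: a value that matches no existing finding is dropped (so no de-duplication happens against a non-existent image), the variable is ignored on the default branch, and the lookup result is cached per image rather than once per parser instance, so a report that carries more than one image does not reuse the first answer.

```ruby
# Added example, not GitLab's code: validate CS_DEFAULT_BRANCH_IMAGE against
# previously reported findings before using it for de-duplication.
# Constructed sample data standing in for rows of the vulnerability_reads table.
SAMPLE_VULNERABILITY_READS = [
  { project_id: 1, report_type: 'container_scanning', location_image: 'registry.example.com/app:latest' },
  { project_id: 1, report_type: 'container_scanning', location_image: 'registry.example.com/db:14' },
  { project_id: 2, report_type: 'container_scanning', location_image: 'registry.example.com/app:latest' },
  { project_id: 1, report_type: 'dependency_scanning', location_image: nil }
].freeze

# Hypothetical class name and constructor signature (assumption for this example).
class DefaultBranchImageValidator
  attr_reader :lookups

  def initialize(project_id:, report_type:, reads: SAMPLE_VULNERABILITY_READS, on_default_branch: false)
    @project_id = project_id
    @report_type = report_type
    @reads = reads
    @on_default_branch = on_default_branch
    @cache = {}   # keyed by image: two images in one report must not share a result
    @lookups = 0  # counts backing-store queries, to make the caching observable
  end

  # Same contract as the parser's default_branch_image: nil on the default
  # branch (the variable is irrelevant there) and nil when no finding with this
  # location_image exists for the project and report type; otherwise the image.
  def default_branch_image(location_data)
    return if @on_default_branch

    image = location_data['default_branch_image']
    return if image.nil? || image.empty?
    return unless known_image?(image)

    image
  end

  private

  # Existence check, equivalent to an exists? query on vulnerability_reads
  # filtered by project_id, report_type and location_image.
  def known_image?(image)
    return @cache[image] if @cache.key?(image)

    @lookups += 1
    @cache[image] = @reads.any? do |row|
      row[:project_id] == @project_id &&
        row[:report_type] == @report_type &&
        row[:location_image] == image
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  validator = DefaultBranchImageValidator.new(project_id: 1, report_type: 'container_scanning')
  puts validator.default_branch_image('default_branch_image' => 'registry.example.com/app:latest').inspect
  puts validator.default_branch_image('default_branch_image' => 'registry.example.com/typo:latest').inspect
end
```

Caching on the image value rather than on the method name matters because the method takes an argument: a cache keyed only by name would answer every later image with the result of the first lookup.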

Relevant links

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Implementation plan

diff --git a/ee/lib/gitlab/ci/parsers/security/container_scanning.rb b/ee/lib/gitlab/ci/parsers/security/container_scanning.rb
@@ -5,6 +5,8 @@ module Ci
     module Parsers
       module Security
         class ContainerScanning < Common
+          include Gitlab::Utils::StrongMemoize
+
           private

           def create_location(location_data)
@@ -20,7 +22,18 @@ def create_location(location_data)
           def default_branch_image(location_data)
             return if @report.pipeline.default_branch?

-            location_data['default_branch_image']
+            default_branch_image = location_data['default_branch_image']
+            return unless default_branch_vulnerability(default_branch_image)
+
+            default_branch_image
+          end
+
+          def default_branch_vulnerability(default_branch_image)
+            strong_memoize do
+              ::Vulnerabilities::Read.find_by(project_id: report.project_id,
+                                              report_type: report.type,
+                                              location_image: default_branch_image)
+            end
           end
         end
       end
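Review bot: the `strong_memoize do` in `default_branch_vulnerability` is called without a name, and memoizing by method name is wrong here anyway because the result depends on the `default_branch_image` argument: the first image looked up would be returned for every later image in the same parser instance. Key the cache on the argument, e.g. `strong_memoize_with(:default_branch_vulnerability, default_branch_image)` (assuming the StrongMemoize version in use provides it), or keep a hash keyed by image. Since only presence is needed, `::Vulnerabilities::Read.exists?(...)` avoids loading a row, and an early `return if default_branch_image.blank?` in `default_branch_image` skips the query entirely when the variable is unset. Also, the existing line reads `@report.pipeline` while the new method uses `report.project_id` / `report.type`; confirm `Common` exposes a `report` reader or use `@report` consistently.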
Edited by Dominic Bauer