Design & Spike - associate Dependency and Container Scanning results to reduce duplicates and noise
Release notes
Problem to solve
As a user I want to know if my application is secure and so I run security scans. When the results come back i want to quickly understand and be able to action them. I don't want to waste my time, and duplicate findings waste my time.
Currently, DS finds some container dependencies, not all, CS finds more container dependencies - but we don't currently de-duplicate across different categories, this creates some duplicates and noise. As a result we don't have CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN on by default - but we should figure out how to handle this best, and then it can be on by default to enable the most comprehensive coverage we can.
we do NOT want to de-duplicate but we want to group
https://about.gitlab.com/handbook/engineering/development/sec/secure/glossary-of-terms/
there may be many ways to accomplish this, evaluate and test one
one - group #267588 two - 1:many or many:many linking