Container scanning mechanism of detecting fixed and new vulnerabilities is broken
Summary
Container scanning doesn't correctly determine how many vulnerabilities were introduced in the MR.
Steps to reproduce
- Go to a project with a Container scanning job set up and existing vulnerabilities (the easiest way is to set up Auto DevOps for this)
- Create an MR that introduces changes unrelated to containers (e.g. add extra whitespace in some file)
- Wait until the pipeline has finished
- Observe the Container scanning widget
Example Project
gitlab-org/creator-pairing/rails-app!4 (closed)
What is the current bug behavior?
Container scanning detected that n vulnerabilities were fixed and n vulnerabilities were introduced.
What is the expected correct behavior?
Container scanning detected no new vulnerabilities
Relevant logs and/or screenshots
gitlab-org/creator-pairing/rails-app!4 (closed)
Output of checks
This bug happens on GitLab.com
Possible fixes
Possible problem: location fingerprint for Container scanning
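To illustrate the fingerprint hypothesis, here is an added example (not GitLab's code): a minimal base-vs-head report comparison in which the location fingerprint includes the image tag, so every unchanged finding shows up as both fixed and new, beside a fingerprint that drops the tag. The report fields, registry name and CVE ids are constructed placeholders, and it assumes the image tag changes on every pipeline, as it does when Auto DevOps tags images with the commit SHA.

```python
import hashlib

# Constructed sample reports: the same two findings in the base and head
# pipelines; only the image tag differs (assumed per-pipeline tag, as with
# Auto DevOps). CVE ids and registry are placeholders.
BASE_REPORT = [
    {"cve": "CVE-0000-0001", "package": "openssl", "image": "registry.example/app:abc123"},
    {"cve": "CVE-0000-0002", "package": "zlib", "image": "registry.example/app:abc123"},
]
HEAD_REPORT = [
    {"cve": "CVE-0000-0001", "package": "openssl", "image": "registry.example/app:def456"},
    {"cve": "CVE-0000-0002", "package": "zlib", "image": "registry.example/app:def456"},
]


def image_name(ref):
    """Drop the tag from an image reference.

    A colon after the last "/" starts the tag; a colon before it is a
    registry port and must be kept.
    """
    head, _, last = ref.rpartition("/")
    last = last.split(":", 1)[0]
    return f"{head}/{last}" if head else last


def unstable_fingerprint(finding):
    """Fingerprint over the full image reference, tag included (hypothesised bug)."""
    key = f"{finding['cve']}:{finding['package']}:{finding['image']}"
    return hashlib.sha256(key.encode()).hexdigest()


def stable_fingerprint(finding):
    """Fingerprint over the image name without its tag."""
    key = f"{finding['cve']}:{finding['package']}:{image_name(finding['image'])}"
    return hashlib.sha256(key.encode()).hexdigest()


def compare_reports(base, head, fingerprint):
    """Return (fixed, new) counts: fingerprints only in base are 'fixed',
    fingerprints only in head are 'new'."""
    base_fps = {fingerprint(f) for f in base}
    head_fps = {fingerprint(f) for f in head}
    return len(base_fps - head_fps), len(head_fps - base_fps)


if __name__ == "__main__":
    # Tag in the fingerprint: every finding is both fixed and new (2, 2).
    print(compare_reports(BASE_REPORT, HEAD_REPORT, unstable_fingerprint))
    # Tag excluded: nothing fixed, nothing new (0, 0).
    print(compare_reports(BASE_REPORT, HEAD_REPORT, stable_fingerprint))
```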
/cc @gonzoyumo