Vulnerability Report fails to update if scanner exit code is not 0


Summary

In version 14.8.2 (and possibly others), if a container scanning tool running in the CI pipeline outputs vulnerabilities in the JSON report format but returns a non-zero exit code, GitLab interprets this as a tool failure and ignores the valid vulnerability report. It will not import the results into the security dashboard.

A non-zero exit code from the CI tool will result in a yellow exclamation icon shown in the pipeline UI. This is useful for end users in understanding that security issues were found, but unfortunately it also means that the vuln data won't make it into the security dashboard. The only way to get this data imported is to return a zero exit code, which results in a misleading green checkmark in the UI (end users interpret this as meaning no vulnerabilities were found).

Steps to reproduce

  • Run a custom scan that produces a compatible JSON report and exits with a non-zero status

Sample gitlab-ci.yml

```yaml
stages:
  - scan
docker-build:
  stage: scan
  image:
    name: alpine:latest
    entrypoint: ["/bin/sh", "-c"]
  script: mv twistlock_result.json gl_container_scanning.json && exit 1
  artifacts:
    reports:
      container_scanning: gl_container_scanning.json
    paths:
      - gl_container_scanning.json
    expire_in: 2 hours
    when: always
```
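Because the dashboard only ingests the report when the scan job exits 0, the practical way to keep both the import and a failing pipeline is to separate the two concerns: the scan job uploads the report and exits 0, and a later job reads the uploaded artifact and decides the exit code from its contents. The gate script below is an added example (not part of this issue or of GitLab's own code); it assumes the report is the GitLab container scanning JSON format with a top-level `vulnerabilities` array whose entries carry a `severity` string, and it embeds a constructed sample report so it runs without a real scan.

```python
import json
import sys
from collections import Counter

# Assumed ordering of the severity labels used in GitLab security reports;
# anything unrecognised is treated as "Unknown".
SEVERITY_RANK = {"Info": 0, "Unknown": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}


def count_by_severity(report):
    """Count vulnerabilities per severity label in a parsed report dict."""
    counts = Counter()
    for vuln in report.get("vulnerabilities", []):
        counts[vuln.get("severity", "Unknown")] += 1
    return counts


def gate_exit_code(report, fail_at="High"):
    """Return 1 if any finding is at or above the fail_at severity, else 0.

    This is the exit status the gate job should return; the scan job that
    produced the report always exits 0 so the dashboard import still happens.
    """
    threshold = SEVERITY_RANK[fail_at]
    for vuln in report.get("vulnerabilities", []):
        rank = SEVERITY_RANK.get(vuln.get("severity", "Unknown"), SEVERITY_RANK["Unknown"])
        if rank >= threshold:
            return 1
    return 0


def gate_file(path, fail_at="High"):
    """Load a report file, print a severity summary, and return the exit code."""
    with open(path, encoding="utf-8") as fh:
        report = json.load(fh)
    counts = count_by_severity(report)
    for sev in sorted(counts, key=lambda s: SEVERITY_RANK.get(s, 1), reverse=True):
        print(f"{sev}: {counts[sev]}")
    return gate_exit_code(report, fail_at)


# Constructed sample report (hypothetical image and CVE placeholders) in the
# assumed shape of a gl_container_scanning.json file.
SAMPLE_REPORT = {
    "version": "14.0.0",
    "vulnerabilities": [
        {"id": "finding-1", "category": "container_scanning", "name": "CVE-PLACEHOLDER-1",
         "severity": "High", "location": {"image": "example/image:1.0"}},
        {"id": "finding-2", "category": "container_scanning", "name": "CVE-PLACEHOLDER-2",
         "severity": "Medium", "location": {"image": "example/image:1.0"}},
        {"id": "finding-3", "category": "container_scanning", "name": "CVE-PLACEHOLDER-3",
         "severity": "Low", "location": {"image": "example/image:1.0"}},
    ],
    "remediations": [],
}


if __name__ == "__main__":
    # Usage in the gate job: python3 gate.py gl_container_scanning.json [fail_at]
    report_path = sys.argv[1] if len(sys.argv) > 1 else None
    fail_at = sys.argv[2] if len(sys.argv) > 2 else "High"
    if report_path is None:
        # No file given: run against the embedded sample so the script is self-demonstrating.
        for sev, n in count_by_severity(SAMPLE_REPORT).items():
            print(f"{sev}: {n}")
        sys.exit(gate_exit_code(SAMPLE_REPORT, fail_at))
    sys.exit(gate_file(report_path, fail_at))
```

In the pipeline this would be a second job, in a stage after `scan`, that depends on the scan job's artifacts and runs the script; the scan job itself keeps `when: always` on the artifact and exits 0 so the report is imported, while the gate job is the one that turns red when findings exceed the chosen threshold.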

See this ticket (internal only)

Example Project

Link (internal only)

What is the current bug behavior?

Vulnerability dashboard is not updated

What is the expected correct behavior?

Vulnerability dashboard should be updated regardless of the scan return code, as long as artifacts are uploaded and vulnerabilities are found

Relevant logs and/or screenshots


Possible fixes
