Security report shows findings in pipeline security tab but vulnerabilities are not created

Summary

A customer reported (internal link) an issue with Container Scanning security reports where GitLab 14.9.5 and above show inconsistent results.

  1. The Scan details in the pipeline security tab shows 0 vulnerabilities for Container Scanning
  2. The same page shows findings, even though the count above is 0
  3. When run in the default branch, the findings do not create vulnerabilities (i.e. the results from the pipeline security tab do not show in the vulnerability report)

Steps to reproduce

  1. Create an empty project
  2. Create this .gitlab-ci.yml file:
    cs:
      script: exit 0
      artifacts:
        reports:
          container_scanning: cs.json
  3. Download cs.json (internal link), commit along with the CI configuration above, and push to the repository.
  4. Run a pipeline.
  5. Once the pipeline finishes, go to the pipeline security tab.
  6. Observe that findings are listed in the pipeline security tab while Scan details shows a count of 0.
  7. Go to the vulnerability report. Observe that the results seen in the pipeline security tab are not present.

Example Project

This bug was reproduced in https://gitlab.com/gitlab-org/secure/tests/test-for-zd-293783-p2/ (internal link)

What is the current bug behavior?

Pipeline security tab shows a count of 0 vulnerabilities in Scan Details, but 39 findings in the report list. These findings are not ingested to create vulnerabilities.

What is the expected correct behavior?

  1. The number of results in the pipeline security report list matches the count in scan details.
  2. All findings displayed in the pipeline security report are ingested (for a job that runs on the default branch).

Relevant logs and/or screenshots


Output of checks

This bug happens on GitLab.com

Results of GitLab environment info

Expand for output related to GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:env:info`)

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)

Results of GitLab application Check

Expand for output related to the GitLab application check

(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:check SANITIZE=true`)

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`)

(we will only investigate if the tests are passing)

Possible fixes

It seems that this is caused by the absence of the `cve` field in reports. I've done a minimal example:

Note that without `cve`, the page renders 1 finding but the scan details says 0. I haven't tested, but I assume that if run in the default branch, this finding will not be ingested. For the link with `cve`, the results match and did get ingested, creating a vulnerability that shows in the project report.
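A small pre-flight check that flags the condition described in this issue, added here as an example and not part of the issue or of GitLab's own code: it loads a container scanning report, counts the findings, and lists every finding that lacks the `cve` field, so a report can be audited before it is committed and before the pipeline security tab and vulnerability report disagree. The two sample reports are constructed for the example (the issue's real `cs.json` is an internal link), the `CVE-0000-000x` values are placeholders, and the report layout (a top-level `vulnerabilities` array with `id`, `message`, `cve` and `identifiers` per entry) is assumed from the shape of container scanning reports rather than taken from this page.

```python
import json
import sys

# Constructed sample: one finding that carries the `cve` field (placeholder value).
REPORT_WITH_CVE = json.dumps({
    "version": "14.0.0",
    "vulnerabilities": [
        {
            "id": "example-1",
            "category": "container_scanning",
            "message": "Constructed example finding with cve",
            "severity": "High",
            "cve": "CVE-0000-0001",
            "identifiers": [
                {"type": "cve", "name": "CVE-0000-0001", "value": "CVE-0000-0001"}
            ],
        }
    ],
})

# Constructed sample: the same finding with the `cve` field omitted, which is the
# condition the issue associates with "1 finding listed, count of 0, not ingested".
REPORT_WITHOUT_CVE = json.dumps({
    "version": "14.0.0",
    "vulnerabilities": [
        {
            "id": "example-2",
            "category": "container_scanning",
            "message": "Constructed example finding without cve",
            "severity": "High",
            "identifiers": [
                {"type": "cve", "name": "CVE-0000-0002", "value": "CVE-0000-0002"}
            ],
        }
    ],
})


def audit_report(report_json: str) -> dict:
    """Summarise a container scanning report and flag findings lacking `cve`.

    Returns the total number of findings, how many carry a non-empty `cve`
    field, the ids (or messages) of those that do not, and a `consistent`
    flag that is True only when every finding has `cve` set.
    """
    report = json.loads(report_json)
    vulns = report.get("vulnerabilities", [])
    if not isinstance(vulns, list):
        raise ValueError("'vulnerabilities' must be a list")

    missing_cve = [
        v.get("id") or v.get("message") or "<unnamed finding>"
        for v in vulns
        if not isinstance(v.get("cve"), str) or not v["cve"].strip()
    ]
    return {
        "total_findings": len(vulns),
        "findings_with_cve": len(vulns) - len(missing_cve),
        "missing_cve": missing_cve,
        "consistent": not missing_cve,
    }


def main(argv: list) -> int:
    """Usage: python audit_cs_report.py cs.json  (assumed file name)."""
    if len(argv) != 2:
        print("usage: audit_cs_report.py <report.json>", file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        result = audit_report(fh.read())
    print(json.dumps(result, indent=2))
    # Non-zero exit makes a CI job fail before an inconsistent report is published.
    return 0 if result["consistent"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the report artifact in a CI job that precedes the scanning job's artifact upload; a non-zero exit surfaces the missing field at pipeline time instead of as a silent count mismatch in the security tab.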

Edited by Thiago Figueiró