Dismiss or mark vulnerabilities for OS packages not declared as dependencies

Release notes

Problem to solve

Container Scanning reports vulnerabilities for components detected in Docker images, but some of those components aren't used when the container runs and aren't project dependencies.

When triaging vulnerabilities, users should be able to focus on vulnerabilities reported for OS packages that are project dependencies, because they're more likely to be a threat.

Proposal

To identify the OS packages the project depends on, we could either:

To help users focus on OS packages that are dependencies, we could either:

  • Inform users in the vulnerability modal.
    • Add a field that tells whether the affected OS package is a dependency.
    • Show the path that connects the affected OS package to the project itself, if any.
  • Automatically dismiss vulnerabilities that don't affect project dependencies.
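As an added illustration of both options (not code from this issue or from GitLab), the triage step below walks a constructed OS package graph from the project's declared OS dependencies to each affected package, records whether a path exists and what it is, and flags the finding for automatic dismissal when no path is found. Package names, the graph, and the report field layout are assumptions made for the example.

```python
from collections import deque

# Constructed OS package graph: package -> packages it requires (hypothetical names).
OS_DEPS = {
    "libcurl4": ["libssl1.1", "zlib1g"],
    "libssl1.1": ["libc6"],
    "zlib1g": ["libc6"],
    "libc6": [],
    "perl-base": ["libc6"],
    "tar": [],
}
# OS packages the project itself declares as dependencies (constructed).
PROJECT_DEPS = ["libcurl4"]

def dependency_path(pkg, project_deps, os_deps):
    """Shortest chain from a declared project dependency down to pkg, or None."""
    queue = deque((root, [root]) for root in project_deps)
    seen = set(project_deps)
    while queue:
        current, path = queue.popleft()
        if current == pkg:
            return path
        for child in os_deps.get(current, []):
            if child not in seen:
                seen.add(child)
                queue.append((child, path + [child]))
    return None

def triage(findings, project_deps=PROJECT_DEPS, os_deps=OS_DEPS):
    """Annotate each finding with the dependency flag, the path, and a dismissal flag."""
    result = []
    for finding in findings:
        name = finding["location"]["dependency"]["package"]["name"]
        path = dependency_path(name, project_deps, os_deps)
        result.append({
            "id": finding["id"],
            "package": name,
            "is_dependency": path is not None,  # field shown in the vulnerability modal
            "path": path,                       # chain from project dependency to package
            "auto_dismiss": path is None,       # candidate for automatic dismissal
        })
    return result

# Constructed findings, shaped like a container-scanning report (only the fields used here).
FINDINGS = [
    {"id": "vuln-1", "location": {"dependency": {"package": {"name": "libc6"}}}},
    {"id": "vuln-2", "location": {"dependency": {"package": {"name": "tar"}}}},
]
```

Findings flagged `auto_dismiss` are candidates only; a reviewer should still confirm the package is not pulled in at runtime by something outside the declared dependency set.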

Intended users

Feature Usage Metrics

/cc @thiagocsf @sam.white
