Dismiss or mark vulnerabilities for OS packages not declared as dependencies
Release notes
Problem to solve
Container Scanning reports vulnerabilities for components detected in Docker images, but some of those components aren't used when the container runs, and they aren't project dependencies.
When triaging vulnerabilities, users should be able to focus on vulnerabilities reported for OS packages that are project dependencies, because they're more likely to be a threat.
Proposal
To identify the OS packages the project depends on, we could either:
- Ingest a CycloneDX that lists them.
- Leverage the files used to build an OS package, like the Debian control file.
- Detect OS packages being used at run-time. Covered by Check if a vulnerable component is really used ... (#10046)
To help users focus on OS packages that are dependencies, we could either:
- Inform users in the vulnerability modal.
- Add a field that tells whether the affected OS package is a dependency.
- Show the path that connects the affected OS package to the project itself, if any.
- Automatically dismiss vulnerabilities that don't affect project dependencies.
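As an added illustration of the CycloneDX option above (example code, not from this issue or from GitLab), the snippet walks a CycloneDX dependency graph to decide whether each container-scanning finding affects a package reachable from the project root and records the path a vulnerability modal could show. The SBOM and the findings are constructed sample data; the finding ids are placeholders.

```python
import json
from collections import deque

# Constructed CycloneDX-style SBOM (not from a real image): the project root depends
# on requests, which depends on libssl; libxml2 is in the image but unreferenced.
SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "metadata": {"component": {"bom-ref": "pkg:generic/myapp@1.0", "name": "myapp"}},
  "components": [
    {"bom-ref": "pkg:pypi/requests@2.28.0", "name": "requests"},
    {"bom-ref": "pkg:deb/debian/libssl1.1@1.1.1", "name": "libssl1.1"},
    {"bom-ref": "pkg:deb/debian/libxml2@2.9.10", "name": "libxml2"}
  ],
  "dependencies": [
    {"ref": "pkg:generic/myapp@1.0", "dependsOn": ["pkg:pypi/requests@2.28.0"]},
    {"ref": "pkg:pypi/requests@2.28.0", "dependsOn": ["pkg:deb/debian/libssl1.1@1.1.1"]},
    {"ref": "pkg:deb/debian/libxml2@2.9.10", "dependsOn": []}
  ]
}
""")

# Constructed container-scanning findings, keyed by the affected package's bom-ref.
FINDINGS = [
    {"id": "FINDING-A", "ref": "pkg:deb/debian/libssl1.1@1.1.1"},
    {"id": "FINDING-B", "ref": "pkg:deb/debian/libxml2@2.9.10"},
]

def dependency_path(sbom, target):
    """Shortest bom-ref path from the project root to target through the
    CycloneDX dependency graph, or None if the package is unreachable."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    queue, seen = deque([[root]]), {root}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for child in edges.get(path[-1], []):
            if child not in seen:
                seen.add(child)
                queue.append(path + [child])
    return None

def triage(sbom, findings):
    """Attach the proposed 'is a dependency' field and the dependency path."""
    out = []
    for f in findings:
        path = dependency_path(sbom, f["ref"])
        out.append({**f, "is_dependency": path is not None, "path": path})
    return out
```

Findings with `is_dependency` false are the candidates for the automatic-dismissal option; the `path` value is what the modal would display for the others.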
Intended users
Feature Usage Metrics
/cc @thiagocsf @sam.white
Edited by Fabien Catteau