Allowlist CVE in generalallowlist ignored if no value assigned to key

Summary

In vulnerability-allowlist.yml, if no value is assigned to a CVE key in the generalallowlist (a bare `CVE-xxxx-xxxx:` line), that CVE is not treated as allowlisted.

According to the docs, the value is optional and not required: https://docs.gitlab.com/ee/user/application_security/container_scanning/#file-format

The docs state: "The string after CVE ID (cups and libxml2 in the previous example) is an optional comment format. It has no impact on the handling of vulnerabilities. You can include comments to describe the vulnerability."

However, it appears to be required by the included_in_general? function: if the key has no value present, the check returns false and the vulnerability is not allowed: https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/blob/9859925c31386fa34aaa1f05632368b3b9dd7f16/ee/lib/gcs/allow_list.rb#L31

https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/blob/9859925c31386fa34aaa1f05632368b3b9dd7f16/lib/gcs/util.rb#L43
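The root cause is a YAML detail: a key with nothing after the colon is a valid mapping entry whose value is nil, so any check that tests the entry's value rather than the key's presence will reject a bare CVE line. The following is an added example (not the analyzer's code and not from the example project) that parses both allowlist variants from the steps below and contrasts a value-based check, which reproduces the reported behaviour, with a key-presence check that matches the documented contract. The `allowed_by_value?` reconstruction is an assumption about how such a bug arises, not a copy of included_in_general?; the YAML fragments are constructed.

```ruby
require 'yaml'

# Constructed allowlist fragments, not taken from the example project.
# The first mirrors the bare-key form, the second the form with a comment value.
ALLOWLIST_BARE_KEY = <<~YAML
  generalallowlist:
    CVE-2022-2097:
YAML

ALLOWLIST_WITH_COMMENT = <<~YAML
  generalallowlist:
    CVE-2022-2097: hi
YAML

# Parse the allowlist and return the generalallowlist mapping.
# A bare "CVE-2022-2097:" line parses to {"CVE-2022-2097" => nil}.
def general_allowlist(yaml_text)
  doc = YAML.safe_load(yaml_text) || {}
  doc.fetch('generalallowlist', nil) || {}
end

# Hypothetical check that reproduces the reported behaviour: it treats the
# entry's value as the signal, so a nil value (bare key) reads as "not allowed".
# This is an assumed reconstruction, not the analyzer's actual implementation.
def allowed_by_value?(allowlist, cve)
  allowlist[cve] ? true : false
end

# Check matching the documented contract: the comment is optional, so only
# the presence of the key decides whether the CVE is allowlisted.
def allowed_by_key?(allowlist, cve)
  allowlist.key?(cve)
end

# Run both checks over both allowlist forms and return the outcomes.
def demo
  bare = general_allowlist(ALLOWLIST_BARE_KEY)
  commented = general_allowlist(ALLOWLIST_WITH_COMMENT)
  {
    bare_value: bare['CVE-2022-2097'],                                  # nil
    bare_by_value: allowed_by_value?(bare, 'CVE-2022-2097'),            # false (reported bug)
    bare_by_key: allowed_by_key?(bare, 'CVE-2022-2097'),                # true  (expected)
    commented_by_value: allowed_by_value?(commented, 'CVE-2022-2097'),  # true
    commented_by_key: allowed_by_key?(commented, 'CVE-2022-2097'),      # true
    other_by_key: allowed_by_key?(bare, 'CVE-2022-0001')                # false (not listed)
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

Note that `allowed_by_key?` still rejects CVEs that are absent from the list, so switching from a value test to a key test does not widen the allowlist; it only stops the optional comment from being load-bearing.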

Steps to reproduce

Using example project: https://gitlab.com/gitlab-gold/tmike/zd311075/zd311075-1/zd311075-1

  1. Create a new project on SaaS.
  2. Create a vulnerability-allowlist.yml with a CVE in it (note: it must be a vulnerability that shows up in the scan of the container). Leave the key without a value:

         generalallowlist:
           CVE-2022-2097:

  3. Create the CI/CD yaml file on SaaS (you must have a container in the registry):

         include:
           - template: Security/Container-Scanning.gitlab-ci.yml

         container_scanning:
           variables:
             GIT_STRATEGY: fetch
             DOCKER_IMAGE: "image.to.scan:tag"
           allow_failure: true

  4. Run the pipeline.
  5. Change the vulnerability-allowlist.yml to assign a value to the CVE key:

         generalallowlist:
           CVE-2022-2097: hi

  6. Run the pipeline.

What is the current bug behavior?

Step 4 (bare key, no value): the CVE is not allowed, it shows in the table as "Unapproved", and it is included in the artifact gl-container-scanning-report.json.

Step 6 (key with a value): the CVE is allowed, it shows in the table as "Approved", and it is not included in the artifact gl-container-scanning-report.json.

What is the expected correct behavior?

Step 4 (bare key, no value): the CVE is allowed, it shows in the table as "Approved", and it is not included in the artifact gl-container-scanning-report.json.

Step 6 (key with a value): the CVE is allowed, it shows in the table as "Approved", and it is not included in the artifact gl-container-scanning-report.json.

Relevant logs and/or screenshots

Edited by Michael Trainor