
Vulnerability dashboard does not aggregate security scanning results from child pipelines

Summary

The Vulnerability Dashboard view of vulnerabilities for the most recent pipeline does not aggregate scan results from two pipeline sources (i.e. child pipelines or multiple container scanning jobs). This completely breaks vulnerability reporting with the Activity filter's automatic vulnerability detection system.

Steps to reproduce

Fork this pipeline and run it if you have the vulnerability dashboard available to you. It uses sample images (randomly grabbed) to produce vulnerabilities from two source images. https://gitlab.com/kotlab/cs-vulnerability-dashboard-example

What is the current bug behavior?

The vulnerability dashboard uses a last-in-wins approach when it comes to newly detected or no longer detected vulnerabilities. Eventually all sources lose. Vulnerabilities that do actually exist for container images show up as no longer detected in the activity filter.

Child pipeline vulnerabilities do not show up in the parent pipeline's security tab on the pipeline view page, either. (Possibly related)

All of the vulnerabilities do show up on the project vulnerability report on the project page, but our security team can't make heads or tails of whether vulnerabilities are still present or not.

What is the expected correct behavior?

Each container source would be tracked separately. (At least for child pipelines)

Relevant logs and/or screenshots

[screenshot]

[screenshot]

(Omitting details to protect customer privacy) [screenshot]

Output of checks

  • This bug happens on GitLab.com
  • This bug happens on Self-Hosted instances

Possible fixes

Modify the code that selects the list of vulnerabilities to mark as resolved_on_default_branch so that it doesn't compare against all jobs run by the same type of scanner.

Implementation Plan

  • Create a feature flag to toggle new/old behavior #417486 (closed)
  • Fetch security scans for root pipeline and descendant pipelines (use feature flag).
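The last-in-wins behaviour described above, and the aggregation the possible fix and implementation plan call for, modelled as an added example (constructed here, not GitLab's code). Pipeline, job and vulnerability identifiers are placeholders; the "known" set stands in for vulnerabilities that would otherwise be marked resolved_on_default_branch.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Iterator


@dataclass
class Pipeline:
    """Constructed model: each scan job maps to the set of vulnerability ids it reported."""
    name: str
    scans: dict[str, set[str]]
    children: list[Pipeline] = field(default_factory=list)


def all_scans(pipeline: Pipeline) -> Iterator[set[str]]:
    """Yield the findings of every scan job in the root pipeline and its descendants."""
    yield from pipeline.scans.values()
    for child in pipeline.children:
        yield from all_scans(child)


def resolved_last_in_wins(known: set[str], pipeline: Pipeline) -> set[str]:
    """Buggy behaviour from the report: each job's report is compared to the known
    vulnerabilities on its own, so the most recently processed job overwrites the
    result and findings reported only by earlier jobs (other images) look resolved."""
    resolved: set[str] = set()
    for findings in all_scans(pipeline):
        resolved = known - findings  # previous comparison is discarded
    return resolved


def resolved_aggregated(known: set[str], pipeline: Pipeline) -> set[str]:
    """Fixed behaviour: union the findings of every scan across the pipeline family
    first; a vulnerability is resolved only if no job in the family still reports it."""
    still_present: set[str] = set().union(*all_scans(pipeline))
    return known - still_present


# Constructed sample: two container images scanned in a parent and a child pipeline.
KNOWN = {"VULN-A-1", "VULN-A-2", "VULN-B-1", "VULN-OLD"}  # placeholder ids
ROOT = Pipeline(
    "parent",
    {"container_scanning:image-a": {"VULN-A-1", "VULN-A-2"}},
    children=[Pipeline("child", {"container_scanning:image-b": {"VULN-B-1"}})],
)

if __name__ == "__main__":
    print("last-in-wins resolves:", sorted(resolved_last_in_wins(KNOWN, ROOT)))
    print("aggregated resolves:  ", sorted(resolved_aggregated(KNOWN, ROOT)))
```

With the sample data the buggy path marks image A's real findings as resolved because image B's job was processed last, while the aggregated path resolves only the finding no job reported.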
Edited by mo khan