Grype container scan not returning vulnerabilities for webgoat image since 2023-03-12
Summary
Grype container scan is not generating a valid vulnerability report for the distroless and webgoat integration test.
This was discovered after the daily release pipeline started failing on 12 March 2023 for the 5.2.7 container-scanning release.
Steps to reproduce
- Start a shell in the grype container-scanning image built on 12 March 2023:
docker run --rm -it registry.gitlab.com/gitlab-org/security-products/analyzers/container-scanning/tmp/grype:ca8d61ba0fc6184fca46e2865d49eca01a9900ee bash
- Run a container scan for the webgoat image
gtcs scan registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e
- View the generated report
cat gl-container-scanning-report.json
- The `vulnerabilities` key is an empty list when it should be populated: webgoat is a deliberately vulnerable image, so an empty report means the scan (or its vulnerability database) failed, not that the image is clean.
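As an added example (not code from this issue or from the container-scanning project), the check that the integration test needs to make on the generated report: a known-vulnerable image such as webgoat must yield a non-empty `vulnerabilities` list, and each finding should belong to the image that was scanned. The two sample reports are constructed inline and are abbreviated; only the top-level `vulnerabilities` key is taken from the GitLab report format, and the `scan.status` check, the `id` and `location.image` fields, and the `expected_image` parameter are assumptions made for this example.

```python
import json

# Constructed sample reports for illustration (not real scanner output).
# Only the keys this check relies on are present; finding fields are abbreviated.
EMPTY_REPORT = json.dumps({
    "version": "15.0.4",
    "vulnerabilities": [],
    "scan": {"status": "success"},
})

POPULATED_REPORT = json.dumps({
    "version": "15.0.4",
    "vulnerabilities": [
        {"id": "finding-1", "severity": "High",
         "location": {"image": "registry.example/webgoat-8.0@sha256:abc"}},
        {"id": "finding-2", "severity": "Medium",
         "location": {"image": "registry.example/webgoat-8.0@sha256:abc"}},
    ],
    "scan": {"status": "success"},
})


def check_report(report_text, min_findings=1, expected_image=None):
    """Validate the text of a gl-container-scanning-report.json.

    Returns {"ok": bool, "count": number of findings, "reason": str}.
    min_findings is how many findings the scanned image is known to carry:
    for a deliberately vulnerable image it must be > 0, so an empty list is
    treated as a scanner failure rather than a clean image. For a minimal
    (e.g. distroless) image pass min_findings=0 to accept an empty list.
    expected_image, if given, must appear in every finding's location.image
    (assumed field; not part of the original issue).
    """
    def fail(reason, count=0):
        return {"ok": False, "count": count, "reason": reason}

    try:
        report = json.loads(report_text)
    except json.JSONDecodeError as exc:
        return fail("report is not valid JSON: %s" % exc)
    if not isinstance(report, dict):
        return fail("report top level is not a JSON object")

    vulns = report.get("vulnerabilities")
    if vulns is None:
        return fail("missing 'vulnerabilities' key")
    if not isinstance(vulns, list):
        return fail("'vulnerabilities' is not a list")

    # If the report carries a scan status (assumed key), a non-success value
    # explains an empty list and is reported ahead of the count check.
    scan = report.get("scan")
    status = scan.get("status") if isinstance(scan, dict) else None
    if status is not None and status != "success":
        return fail("scan status is %r" % status, len(vulns))

    if len(vulns) < min_findings:
        return fail("expected at least %d finding(s), got %d"
                    % (min_findings, len(vulns)), len(vulns))

    for i, finding in enumerate(vulns):
        if not isinstance(finding, dict) or not finding.get("id"):
            return fail("finding %d has no id" % i, len(vulns))
        location = finding.get("location")
        image = location.get("image", "") if isinstance(location, dict) else ""
        if expected_image and expected_image not in image:
            return fail("finding %s is for unexpected image %r"
                        % (finding["id"], image), len(vulns))

    return {"ok": True, "count": len(vulns), "reason": ""}


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "gl-container-scanning-report.json"
    with open(path) as fh:
        result = check_report(fh.read())
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

Run it against the report written by the `gtcs scan` step (`python3 check_report.py gl-container-scanning-report.json`); with the report described in this issue it exits non-zero with "expected at least 1 finding(s), got 0". The threshold is per image: the distroless case from the summary is exactly where a low count can be legitimate, so it should be set from the expected report the integration test already compares against rather than hard-coded.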