Container scanning for multiple images produces incorrect vulnerability list

Summary

Container scanning multiple images in parallel, as described in #208758 (closed) and https://gitlab.com/adamcohen/container-scanning-multi-image, produces an invalid vulnerability list.
In this list, all vulnerabilities from all containers are marked as No longer detected.

Some time ago all vulnerabilities from all the scanning jobs were merged into the unreadable list of unfixed vulnerabilities.

Steps to reproduce

  1. Fork https://gitlab.com/adamcohen/container-scanning-multi-image.
  2. Make sure your namespace has Ultimate capabilities and is public.
  3. Run a new pipeline to build containers and execute container scanning jobs with gitlab-ci.

Example Project

https://gitlab.com/vito-foss/container-scanning-multi-image

What is the current bug behavior?

All vulnerabilities in the Security and Compliance -> Vulnerability report are marked as remediated.

What is the expected correct behavior?

Not remediated vulnerabilities in the list should be displayed as Still detected.
Remediated vulnerabilities in the list should be displayed as No longer detected.

Relevant logs and/or screenshots

  1. Still detected list is empty.
    Screenshot with the list of detected vulnerabilities
  2. No longer detected list contains all vulnerabilities.
    Screenshot with the list of fixed vulnerabilities

Output of checks

This bug happens on GitLab.com

Possible fixes

Edited by Vito