Allow filtering of container scan findings where a fix will not be released
Problem to solve
Container scanners, like many security tools, aim to automatically identify as many potential security problems as possible in the images they scan. Software included in images may contain security vulnerabilities, and scanning for these vulnerabilities and reporting on them in GitLab has huge value for software developers and security teams: findings can be managed in one place, and issues for remediation can be created so that packages or base images are updated or other mitigations are put in place. However, in many cases the vendors of software components have performed their own analysis of reported vulnerabilities and assess whether or not the software is actually vulnerable in their images, and whether a security fix needs to be released. Often the result of this analysis is that a fix will not be released (designated WONTFIX). In these cases the findings are still reported by container scanners, even though the component is not vulnerable and there is no action required by software development teams, as no fix will be released which they would otherwise need to incorporate into their images.
Currently, by default, GitLab reports container scan findings which either have not yet been fixed, will never be fixed, or have fixes available. We provide CS_IGNORE_UNFIXED to allow filtering unfixed results out of reports; however, this has the downside of also filtering out findings which have not been fixed yet, or are still being analysed by vendors for impact, and which may be fixed in the short term. This is in contrast to findings which have already been analysed and found to be non-impactful, not exploitable, or out of support scope.
As information about fix availability and these determinations is released as part of security advisory data, our two default container scanners (Trivy and Grype) ingest this information and store it in their vulnerability databases. This puts us in a position to filter these non-actionable findings out of vulnerability reports, saving a lot of effort for security teams and software developers who would otherwise triage and report on findings they can't (and don't need to) address. GitLab should have a way to filter out only the findings which will not be fixed.
Proposal
A new container scanning setting, CS_IGNORE_STATUSES, should be introduced, which only filters out findings which are out of scope (e.g. end-of-life operating systems), or where the software vendor has marked a vulnerability as not affected or as will-not-fix. Findings which are still under analysis, of unknown status, or otherwise fixed or unfixed should still be reported.
Currently, as of v4.4.0, Trivy supports the flags required to filter on these statuses. I have also opened a GitHub PR against Grype to add similar functionality for filtering WONTFIX findings. The CS_IGNORE_STATUSES flag should configure compatible scanners to filter out findings where a fix will not be released due to a component not being affected, being end of life, or otherwise designated WONTFIX.
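To make the difference between the two filters concrete, the following is an added example (not code from this issue, from GitLab's analyzer, or from Trivy) that applies both policies to a constructed Trivy-style JSON report. It assumes the Results[].Vulnerabilities[] layout, the FixedVersion field and the Status names follow Trivy's JSON output; none of these are stated in the proposal.

```python
"""Added example: contrast CS_IGNORE_UNFIXED-style filtering with the
proposed CS_IGNORE_STATUSES-style filtering on a Trivy-style report.
Assumed (not from the issue): Results[].Vulnerabilities[] layout, the
"FixedVersion" field, and Trivy's vulnerability status names."""
import json

# Statuses the proposal calls non-actionable: a fix will never be released.
NON_ACTIONABLE = {"will_not_fix", "end_of_life", "not_affected"}

# Constructed sample report; the CVE ids are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "example-image (debian 12)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "pkg-a",
             "FixedVersion": "1.2.3", "Status": "fixed"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "pkg-b",
             "FixedVersion": "", "Status": "will_not_fix"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "pkg-c",
             "FixedVersion": "", "Status": "under_investigation"},
            {"VulnerabilityID": "CVE-0000-0004", "PkgName": "pkg-d",
             "FixedVersion": "", "Status": "end_of_life"},
            {"VulnerabilityID": "CVE-0000-0005", "PkgName": "pkg-e",
             "FixedVersion": "", "Status": "affected"},
        ],
    }],
})


def findings(report_json):
    """Flatten every finding in a Trivy-style report into one list."""
    report = json.loads(report_json)
    return [v for r in report.get("Results", []) for v in r.get("Vulnerabilities", [])]


def filter_unfixed(report_json):
    """CS_IGNORE_UNFIXED semantics: keep only findings that already have a fix."""
    return [v["VulnerabilityID"] for v in findings(report_json) if v.get("FixedVersion")]


def filter_statuses(report_json, ignored=NON_ACTIONABLE):
    """Proposed CS_IGNORE_STATUSES semantics: drop only vendor-closed statuses;
    open findings (affected, under_investigation, unknown) and fixed ones stay."""
    return [v["VulnerabilityID"] for v in findings(report_json)
            if v.get("Status", "unknown") not in ignored]


if __name__ == "__main__":
    print("ignore unfixed :", filter_unfixed(SAMPLE_REPORT))
    print("ignore statuses:", filter_statuses(SAMPLE_REPORT))
```

Note that CVE-0000-0003 (still under investigation) survives the status filter but is lost by the unfixed filter, which is exactly the gap the proposal describes.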
Intended users
Personas are described at https://about.gitlab.com/handbook/product/personas/