CVE ID no longer displayed in container scanning analyzer table output
Summary
We document the container scanning job log format, which shows the CVE ID and Severity both displayed in the CVE SEVERITY table column.
A customer has recently engaged support asking why the CVE ID doesn't display in the CVE SEVERITY table column. Support has been able to reproduce this behaviour in their own container scanning jobs. I can also see that the container scanning jobs in the container-scanning analyzer project itself don't contain the CVE ID in the CVE SEVERITY column.
https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/jobs/5226400952
It seems that the table output does concatenate two different variables for the CVE SEVERITY table column, but only one of them displays:
https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/blob/61ce7087f184600b8953c756f2a9836fb025cde9/lib/gcs/util.rb#L48
Steps to reproduce
- Complete GitLab tutorial to execute container scan
- Review the container scanning job log and the table output
Example Project
https://gitlab.com/tmike_ultimate_group/zd456603/zd456603/-/jobs/5225967893
What is the current bug behavior?
CVE ID does not display in the CVE SEVERITY table column.
What is the expected correct behavior?
CVE ID displays in the CVE SEVERITY table column.
Bug explanation
The reason for this bug is explained here
Implementation plan
- Update Gcs::Util.write_table to fetch the CVE value from the identifiers field, similar to how this was done in Fix broken allowlist caused by update to schema... (gitlab-org/security-products/analyzers/container-scanning!2862 - merged), for example:

  ```ruby
  cve = vuln['identifiers'].find { |identifier| identifier['type'].casecmp("cve").zero? }&.dig('value')
  ```

- Update unit tests to ensure the CVE information is included in the table output
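The following is an added example written for this issue, not code from the container-scanning analyzer's lib/gcs/util.rb. It contrasts the two ways of building the CVE SEVERITY column: interpolating a top-level 'cve' key (assumed here to be the no-longer-populated variable behind the blank output, since the linked util.rb line is not reproduced on this page) versus the identifiers lookup from the implementation plan. The helper names, the table layout and the sample findings are assumptions; the findings are constructed in the shape of a GitLab security report's "vulnerabilities" entries, and the IDs are placeholders, not real advisories.

```ruby
# Added example for this issue, not the analyzer's own util.rb. Helper names and
# sample data are assumptions; findings are constructed, with placeholder IDs.

# Implementation-plan lookup, hardened so an entry with no 'identifiers' array
# or a missing/nil 'type' yields nil instead of raising NoMethodError.
def cve_for(vuln)
  Array(vuln['identifiers'])
    .find { |identifier| identifier['type'].to_s.casecmp?('cve') }
    &.dig('value')
end

# Column value built from the identifiers lookup. A finding without a CVE
# identifier (vendor advisory only) falls back to the severity alone rather
# than a leading blank, which is what made the missing ID easy to overlook.
def cve_severity_cell(vuln)
  [cve_for(vuln), vuln['severity']].compact.join(' ')
end

# Legacy column value (assumed): concatenating a top-level 'cve' key that the
# current report no longer carries. Interpolating nil yields an empty string,
# so only the severity shows.
def legacy_cve_severity_cell(vuln)
  "#{vuln['cve']} #{vuln['severity']}".strip
end

# Rows in the shape of the job-log table: package, version, CVE SEVERITY.
def table_rows(vulnerabilities)
  vulnerabilities.map do |vuln|
    package = vuln.dig('location', 'dependency', 'package', 'name')
    version = vuln.dig('location', 'dependency', 'version')
    [package, version, cve_severity_cell(vuln)]
  end
end

# Constructed sample findings (not from a real scan; IDs are placeholders).
SAMPLE_VULNERABILITIES = [
  { 'severity' => 'High',
    'location' => { 'dependency' => { 'package' => { 'name' => 'libexample' }, 'version' => '1.0.0' } },
    'identifiers' => [{ 'type' => 'cve', 'name' => 'CVE-2023-99999', 'value' => 'CVE-2023-99999' }] },
  # Upper-case identifier type listed after a vendor ID: the case-insensitive
  # compare must still find it.
  { 'severity' => 'Critical',
    'location' => { 'dependency' => { 'package' => { 'name' => 'libother' }, 'version' => '2.3.4' } },
    'identifiers' => [
      { 'type' => 'rhsa', 'name' => 'RHSA-2023:0001', 'value' => 'RHSA-2023:0001' },
      { 'type' => 'CVE', 'name' => 'CVE-2023-88888', 'value' => 'CVE-2023-88888' }
    ] },
  # Vendor advisory only, no CVE assigned.
  { 'severity' => 'Medium',
    'location' => { 'dependency' => { 'package' => { 'name' => 'libvendor' }, 'version' => '0.9' } },
    'identifiers' => [{ 'type' => 'ghsa', 'name' => 'GHSA-xxxx-xxxx-xxxx', 'value' => 'GHSA-xxxx-xxxx-xxxx' }] },
  # Malformed entry: no identifiers array at all.
  { 'severity' => 'Low',
    'location' => { 'dependency' => { 'package' => { 'name' => 'libnoid' }, 'version' => '3.1' } } }
]

if __FILE__ == $PROGRAM_NAME
  puts format('%-12s %-8s %s', 'PACKAGE', 'VERSION', 'CVE SEVERITY')
  table_rows(SAMPLE_VULNERABILITIES).each { |row| puts format('%-12s %-8s %s', *row) }
  puts
  puts "Legacy column for the first finding: #{legacy_cve_severity_cell(SAMPLE_VULNERABILITIES.first).inspect}"
end
```

Two points for whoever implements the plan: `casecmp("cve").zero?` as written raises NoMethodError when an identifier's `type` is nil (and `casecmp` itself returns nil for strings with incompatible encodings), so `to_s.casecmp?('cve')` is the safer spelling; and the unit test called for in the plan can assert on the rendered column values, which is also the only place the regression is visible, since the report itself still carries the CVE in `identifiers`.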