Container Scanning CycloneDX reports are not ingested as schema v1.5 is not supported
Summary
Recently we upgraded to Trivy 0.43.1 in our Container Scanning tool, but in version 0.43 Trivy added support for CycloneDX schema v1.5. Our Rails backend digests CycloneDX reports only with version 1.4.
Because of that, Container Scanning CycloneDX reports are not ingested into the GitLab database and information from those reports is not displayed in the Group Dependency List.
Steps to reproduce
- Inside a group create a new project.
- Add the following .gitlab-ci.yml config:

```yaml
variables:
  CS_IMAGE: 'golang:1.20-alpine'
include:
  - template: Jobs/Container-Scanning.gitlab-ci.yml
```

- Run pipeline
- Ensure that the container_scanning job has generated an artifact.
- Go to Group Dependency List
Example Project
https://gitlab.com/groups/gitlab-org/secure/tests/tetiana-tests-subgroup/-/dependencies
What is the current bug behavior?
Group Dependency List is empty
What is the expected correct behavior?
Group Dependency List shows component from a generated report.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Possible fixes
Update the report in the analyzer after Trivy has generated it:
- change the specVersion to 1.4
- change the $schema to http://cyclonedx.org/schema/bom-1.4.schema.json
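Added example, not from this issue or the analyzer: a Python post-processing step that applies the two header changes above to a Trivy CycloneDX JSON report, run here against a constructed sample. It assumes the report is JSON and only rewrites the header fields; any 1.5-only properties in the body are left untouched, so a strict 1.4 validator could still reject the result.

```python
import json
import sys

# Constructed sample in the shape of a Trivy 0.43 CycloneDX 1.5 report (trimmed).
SAMPLE_REPORT_V15 = json.dumps({
    "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "name": "musl", "version": "1.2.4-r0"}
    ],
})

TARGET_VERSION = "1.4"
SCHEMA_URL = "http://cyclonedx.org/schema/bom-{}.schema.json"


def downgrade_cyclonedx(report_json: str, target: str = TARGET_VERSION) -> str:
    """Rewrite specVersion and $schema so a 1.5 report is accepted by a 1.4-only consumer.

    Only the two header fields are changed; components and other data are left
    as-is. Raises ValueError if the document is not a CycloneDX BOM, so other
    report types are never silently rewritten.
    """
    bom = json.loads(report_json)
    if not isinstance(bom, dict) or bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX BOM")
    if bom.get("specVersion") == target:
        return report_json  # already at the version the backend digests
    bom["specVersion"] = target
    # Only rewrite $schema if present; CycloneDX reports may omit it entirely.
    if "$schema" in bom:
        bom["$schema"] = SCHEMA_URL.format(target)
    return json.dumps(bom, indent=2)


def header_fields(report_json: str) -> tuple:
    """Return (specVersion, $schema) of a report for inspection."""
    bom = json.loads(report_json)
    return bom.get("specVersion"), bom.get("$schema")


if __name__ == "__main__":
    # Usage in a CI after_script: python downgrade.py gl-sbom-report.cdx.json
    path = sys.argv[1]
    with open(path) as fh:
        fixed = downgrade_cyclonedx(fh.read())
    with open(path, "w") as fh:
        fh.write(fixed)
```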
Workarounds
Use the previous, non-affected version of the analyzer:

```yaml
container_scanning:
  variables:
    CS_ANALYZER_IMAGE: "registry.gitlab.com/security-products/container-scanning:6.2.2"
```
Edited by Igor Frenkel