Security MR widget shows incorrect image name when `CS_DEFAULT_BRANCH_IMAGE` is set

Summary

In Container Scanning (CS), when both CS_IMAGE and CS_DEFAULT_BRANCH_IMAGE are configured, the finding location shown in the MR's vulnerability (vuln) widget references CS_DEFAULT_BRANCH_IMAGE. It should reference CS_IMAGE, since that is the image in which the vuln was actually detected.

Context of how CS_DEFAULT_BRANCH_IMAGE logic works

Steps to reproduce

  1. Run a CS job with CS_IMAGE=peerflix-alpine:latest on the default branch (i.e. main).
  2. Dismiss all vulnerabilities.
  3. Create an MR with CS_IMAGE=latex-alpine:latest and CS_DEFAULT_BRANCH_IMAGE=peerflix-alpine:latest.
    1. Note that in the vuln widget the vuln location is peerflix-alpine:latest, although the vuln was actually detected in latex-alpine:latest.
  4. Create another MR with CS_IMAGE=latex-alpine:latest and CS_DEFAULT_BRANCH_IMAGE not set.
    1. Note that in the vuln widget the vuln location is latex-alpine:latest, which is where the vuln was actually detected.
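The following `.gitlab-ci.yml` is an added example of how the reproduction above can be wired up, not the configuration of the example project linked below. It includes the Container Scanning template and uses `rules:variables` so that the default-branch pipeline scans `peerflix-alpine:latest` while merge request pipelines scan `latex-alpine:latest` and point CS_DEFAULT_BRANCH_IMAGE at the default-branch image. The short image names are placeholders taken from the steps above; a real project would use full registry paths (for example `$CI_REGISTRY_IMAGE/...:$CI_COMMIT_SHA`). Note that overriding `rules` on the `container_scanning` job replaces the template's own rules, so the MR pipeline must be triggered by `merge_request_event` for the MR branch to be taken.

```yaml
# Added example: CI configuration that reproduces the two pipelines in the steps above.
# Image names are placeholders copied from the reproduction steps; CS_DEFAULT_BRANCH_IMAGE
# must name the image that the default-branch pipeline scans, so findings in the MR can be
# matched against the vulnerabilities (and dismissals) already recorded on the default branch.
include:
  - template: Jobs/Container-Scanning.gitlab-ci.yml

container_scanning:
  rules:
    # MR pipeline: scan the MR image, but tell CS which image the default branch scanned.
    # Step 3 above: the widget should show latex-alpine:latest as the finding location here.
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      variables:
        CS_IMAGE: "latex-alpine:latest"
        CS_DEFAULT_BRANCH_IMAGE: "peerflix-alpine:latest"
    # Default-branch pipeline: scan the default-branch image only (step 1 above).
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      variables:
        CS_IMAGE: "peerflix-alpine:latest"
```

To reproduce step 4, drop the `CS_DEFAULT_BRANCH_IMAGE` line from the merge request rule and push a second MR; the widget then reports `latex-alpine:latest`, which is the location a practitioner expects in both cases.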

Example Project

https://gitlab.com/gitlab-org/secure/tests/smtan-subgroup/test-cs-default-branch-image

What is the current bug behavior?

The MR's vuln widget displays the vuln location as the CS_DEFAULT_BRANCH_IMAGE value.

What is the expected correct behavior?

The MR's vuln widget should display the vuln location as the CS_IMAGE value, i.e. the image that was actually scanned in the MR pipeline.

Relevant logs and/or screenshots

Screenshot taken from the example project's MR

  • CS_IMAGE=latex-alpine
  • CS_DEFAULT_BRANCH_IMAGE=peerflix-alpine
  • Currently the vuln image location is shown as peerflix-alpine
  • Expected the vuln image location to be latex-alpine

Screenshot 2024-05-28 at 5.06.19 PM.png

Possible fixes

Referenced from this comment:

I think the issue is when we construct the finding_name in Gitlab::Ci::Parsers::Security::Common where location.fingerprint_path in Gitlab::Ci::Reports::Security::Locations::ContainerScanning uses default_branch_image. We can fix this by taking the image instead of default_branch_image when constructing finding_name for container scanning reports. 🤔