Skip to content

Fix SBOM last updated time of SBOM report on dependency list page and development vulnerabilities tab

Summary

When a container scan for a registry job is executed, the SBOM's last updated time is recorded as the scan time. We have a separate tab for registry-related vulnerabilities, and registry dependencies are not displayed on the dependency list page, hence the last updated time should reflect the SBOM used to generate the list, specifically the pipeline run by the project configuration.

What is the current bug behavior?

  1. On Vulnerability report page it shows SBOM last updated as the time of CS for registry job, eg: 1
  2. On Dependencies page it shows SBOM last updated as the time of CS for registry job, eg: 1

What is the expected correct behavior?

On both the pages SBOM last updated should be the time of configured project pipeline via gitlab-ci.yml.

Possible fixes

Filter out container scanning for registry related pipeline from API returning last updated time.