Vulnerability Report does not display all tools in the dropdown filter

Summary

A user is not able to filter by a specific tool (Snyk - Dependency Scanning) in the Vulnerability Report at the project level. In this scenario, the vendor Snyk has two analyzers: SAST and Dependency Scanning. You can filter by the individual tools at the pipeline level but not at the project level, because the Dependency Scanning tool is missing from the dropdown menu.


In this screenshot (pipeline level), you can see that you can filter by Dependency Scanning, and the vulnerabilities found are listed with the appropriate Tool column.

SCR-20241007-ilq.png

In the screenshot below (project level), you can see that only SAST is available to filter by, and not Dependency Scanning, despite the Dependency Scanning vulnerabilities being visible in the list.

SCR-20241007-inw.png

Both reports carry the same `scan.analyzer` and `scan.scanner` information; only `scan.type` differs:

sca file:

```json
{
    "scan": {
        "analyzer": {
            "id": "snyk",
            "name": "Snyk",
            "vendor": {
                "name": "snyk"
            },
            "version": "1.1291.0"
        },
        "scanner": {
            "id": "snyk",
            "name": "Snyk",
            "vendor": {
                "name": "snyk"
            },
            "version": "1.1291.0"
        },
        "type": "dependency_scanning",
        "start_time": "2024-10-04T19:52:57",
        "end_time": "2024-10-04T19:52:57",
        "status": "success"
    }
}
```
sast file:

```json
{
    "scan": {
        "analyzer": {
            "id": "snyk",
            "name": "Snyk",
            "vendor": {
                "name": "snyk"
            },
            "version": "1.1291.0"
        },
        "scanner": {
            "id": "snyk",
            "name": "Snyk",
            "vendor": {
                "name": "snyk"
            },
            "version": "1.1291.0"
        },
        "type": "sast",
        "start_time": "2024-10-04T19:50:34",
        "end_time": "2024-10-04T19:50:34",
        "status": "success"
    }
}
```
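The following script is an added example and is not code from this issue or from GitLab. It reads the two reports and shows the point behind the comparison above and the expected behaviour stated later in this issue: a tool filter keyed only on the scanner identity (vendor name plus scanner id) cannot distinguish the two Snyk reports and collapses them into one entry, whereas a key that also includes the report type yields one entry per tool. The report envelopes are constructed from the `scan` objects quoted above; the schema version and the empty vulnerability arrays are assumptions, since only the scan metadata matters here.

```python
"""Compare the scan metadata of GitLab security report files (added example)."""
import json


def _report(report_type, start, end):
    """Build a minimal report (constructed input) around the quoted Snyk scan block."""
    snyk = {"id": "snyk", "name": "Snyk", "vendor": {"name": "snyk"}, "version": "1.1291.0"}
    return json.dumps({
        "version": "15.0.0",        # assumption: schema version not shown in the issue
        "vulnerabilities": [],      # assumption: findings omitted, not needed here
        "scan": {
            "analyzer": dict(snyk),
            "scanner": dict(snyk),
            "type": report_type,
            "start_time": start,
            "end_time": end,
            "status": "success",
        },
    })


# Constructed from the two scan blocks quoted in the issue.
SCA_REPORT = _report("dependency_scanning", "2024-10-04T19:52:57", "2024-10-04T19:52:57")
SAST_REPORT = _report("sast", "2024-10-04T19:50:34", "2024-10-04T19:50:34")


def scan_metadata(report_text):
    """Extract the fields a tool filter would key on from one report file."""
    scan = json.loads(report_text)["scan"]
    return {
        "vendor": scan["scanner"]["vendor"]["name"],
        "scanner_id": scan["scanner"]["id"],
        "scanner_name": scan["scanner"]["name"],
        "type": scan["type"],
    }


def tools_by_scanner(reports):
    """Filter options keyed on (vendor, scanner id) only.

    Both Snyk reports carry identical scanner metadata, so this key cannot
    tell them apart and the dropdown ends up with a single entry.
    """
    return sorted({(m["vendor"], m["scanner_id"]) for m in map(scan_metadata, reports)})


def tools_by_type_and_scanner(reports):
    """Filter options keyed on (vendor, report type, scanner id): one per tool."""
    return sorted({(m["vendor"], m["type"], m["scanner_id"])
                   for m in map(scan_metadata, reports)})


def dropdown(reports):
    """Vendor -> sorted list of (report type, scanner name), one line per tool."""
    groups = {}
    for m in map(scan_metadata, reports):
        groups.setdefault(m["vendor"], set()).add((m["type"], m["scanner_name"]))
    return {vendor: sorted(tools) for vendor, tools in groups.items()}


if __name__ == "__main__":
    reports = [SCA_REPORT, SAST_REPORT]
    print("keyed on scanner only:  ", tools_by_scanner(reports))
    print("keyed on type + scanner:", tools_by_type_and_scanner(reports))
    print("grouped by vendor:      ", dropdown(reports))
```

Run it against the real `gl_snyk_sca.json` and `gl_snyk_sast.json` by replacing the constructed constants with `open(path).read()`; if a vendor ships reports with identical scanner metadata for different report types, only the `type`-aware key keeps both tools selectable.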

Steps to reproduce

  1. Clone this repo for testing: https://github.com/appsecco/dvja
  2. Add the gl_snyk_sca.json and gl_snyk_sast.json files to the repository and push to main.
  3. Create a .gitlab-ci.yml file (see below).
  4. Wait for the Vulnerability Report to be populated with results.
  5. Attempt to filter the Vulnerability Report by selecting a Tool.

```yaml
stages:
  - test

snyk-sast:
  stage: test
  image: alpine
  script:
    - cat gl_snyk_sast.json
  needs: []
  artifacts:
    when: always
    reports:
      sast: gl_snyk_sast.json
    paths:
      - gl_snyk_sast.json

snyk-sca:
  stage: test
  image: alpine
  script:
    - cat gl_snyk_sca.json
  artifacts:
    when: always
    reports:
      dependency_scanning: gl_snyk_sca.json
    paths:
      - gl_snyk_sca.json
```

Example Project

An example project can be found here:

Team members can request access for investigation.

What is the current bug behavior?

In my example, the pipeline level shows that I can filter by Dependency Scanning, and the tool shows "Dependency Scanning - snyk". However, on the project level, despite the Dependency Scanning vulnerabilities being shown, I can't filter by the appropriate tool and only see Snyk under SAST.

What is the expected correct behavior?

If a single vendor provides multiple tools (here, SAST and Dependency Scanning), each of those tools should be listed in the Tool filter at the project level, as it already is at the pipeline level.

Relevant logs and/or screenshots

Output of checks

This bug happens in GitLab 17.1.2 and was also replicated on GitLab.com 17.5.0-pre 94ec41a3957.


Possible fixes

Edited by Cleveland Bledsoe Jr