
Dependency Scanning using SBOM reports less findings than Gemnasium

Summary

When dogfooding the new Dependency Scanning using SBOM on an internal project, we discovered a discrepancy between the results produced by the two approaches.

Dependency Scanning using SBOM does not show as many vulnerabilities in the pipeline security tab as Gemnasium does.

In the project under consideration, multiple SBOM reports are generated by different package managers, but vulnerabilities are only reported for one of them.

Update: Unlike SBOM ingestion, CVS on SBOM changes, and license scanning, the security report builder fetches the CycloneDX artifact into a single SBOM report. As a result, all components are bundled into one report containing a single metadata section, so components from the other package managers lose the metadata they were produced under.

Steps to reproduce

  1. Create a project with the following files:

     gl-sbom-gem-bundler.cdx.json
     gl-sbom-npm-yarn.cdx.json
     gl-sbom-pypi-pipenv.cdx.json

     .gitlab-ci.yml:

cyclonedx-reports:
  script:
    - echo "test"
  artifacts:
    access: 'developer'
    paths:
      - "**/gl-sbom-*.cdx.json"
    reports:
      cyclonedx: "**/gl-sbom-*.cdx.json"

  2. Run a new pipeline; each security finding should be based on the metadata of its respective SBOM report.

Example Project

What is the current bug behavior?

[Screenshot: Screenshot_2025-02-24_at_19.12.46 (image not included)]

What is the expected correct behavior?

[Screenshot: Screenshot_2025-02-25_at_18.43.51 (image not included)]


Implementation plan

This MR splits the CycloneDX artifact into multiple SBOM reports, ensuring that components are kept within their respective set of metadata and source information. The issue occurs only when multiple CycloneDX artifacts with different purl types are present within a single job.
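As an added illustration of the two behaviours described above (not GitLab's own code), the following Ruby sketch contrasts bundling every artifact into one report with one metadata section against keeping one report per artifact. The three artifacts, the `package_manager` metadata property and the purl-type-to-package-manager mapping are constructed for the example.

```ruby
require 'json'

# Constructed CycloneDX artifacts standing in for the three gl-sbom-*.cdx.json
# files named in the issue; their contents and the metadata property are made up.
ARTIFACT_JSONS = {
  'gl-sbom-gem-bundler.cdx.json' => ['bundler', 'pkg:gem/rails@6.1.0'],
  'gl-sbom-npm-yarn.cdx.json'    => ['yarn',    'pkg:npm/lodash@4.17.20'],
  'gl-sbom-pypi-pipenv.cdx.json' => ['pipenv',  'pkg:pypi/django@3.2']
}.map do |_file, (manager, purl)|
  JSON.generate(
    'bomFormat' => 'CycloneDX', 'specVersion' => '1.4',
    'metadata' => { 'properties' => [{ 'name' => 'package_manager', 'value' => manager }] },
    'components' => [{ 'type' => 'library', 'purl' => purl }]
  )
end

# Behaviour reported in the issue: all components end up in one report that
# keeps only the first artifact's metadata section.
def bundle_into_single_report(artifact_jsons)
  docs = artifact_jsons.map { |j| JSON.parse(j) }
  [{ 'metadata' => docs.first['metadata'],
     'components' => docs.flat_map { |d| d['components'] } }]
end

# Behaviour from the implementation plan: one report per artifact, so each
# component stays with the metadata it was produced under.
def split_into_reports(artifact_jsons)
  artifact_jsons.map { |j| JSON.parse(j).slice('metadata', 'components') }
end

def manager_of(report)
  report['metadata']['properties'].find { |p| p['name'] == 'package_manager' }['value']
end

# Package manager recorded in the metadata of the report that holds this purl.
def package_manager_for(reports, purl)
  report = reports.find { |r| r['components'].any? { |c| c['purl'] == purl } }
  report && manager_of(report)
end

# Hypothetical mapping used to spot components filed under the wrong metadata.
PURL_TYPE_TO_MANAGER = { 'gem' => 'bundler', 'npm' => 'yarn', 'pypi' => 'pipenv' }.freeze

# Purls whose type disagrees with the package manager of the report they sit in.
def misattributed_purls(reports)
  reports.flat_map do |r|
    r['components'].map { |c| c['purl'] }.reject do |purl|
      PURL_TYPE_TO_MANAGER[purl.delete_prefix('pkg:').split('/').first] == manager_of(r)
    end
  end
end
```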

Edited by Zamir Martins