OCS not able to resolve non existing vulnerabilities
Summary
We see the following error in the gitlab-agent pods after scanning,
and "Some vulnerabilities failed to create, skipping vulnerability resolution", which prevents the resolution of vulnerabilities that are no longer detected.
{
"time": "2025-04-15T09:21:15.693647324Z",
"level": "ERROR",
"msg": "Error running Trivy scan",
"mod_name": "starboard_vulnerability",
"agent_id": 6,
"error": "error transmitting vulnerability reports: unexpected status code: 400\\nunexpected status code: 400\\nunexpected status code: 400\\nunexpected status code: 400\\nunexpected status code: 400\\nunexpected status code: 400\\nunexpected status code: 400\\nunexpected status code: 400"
}
The error evaluates to:
error transmitting vulnerability reports: unexpected status code: 400
unexpected status code: 400
unexpected status code: 400
unexpected status code: 400
unexpected status code: 400
unexpected status code: 400
unexpected status code: 400
unexpected status code: 400
In gitlab-org/cluster-integration/gitlab-agent!1854 (merged), the scanner was changed to avoid resolving any vulnerabilities if an error was encountered.
However, I don't see the "OCS scanning Pod Failed" error after any namespace scan. There is no error in any of the trivy-scanning-* pod logs either.
The comment in reporter.Transmit mentions that any error encountered when transmitting or creating a vulnerability should skip vulnerability resolution.
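To make that gating concrete, here is an added Go sketch of the behaviour the issue describes; it is not the agent's own code, and the names Report, Transmitter, Transmit, CountFailures and Resolve are hypothetical. Per-report transmit failures are joined into one error (which is why the log shows one "unexpected status code: 400" line per failed report), and any such error skips the resolution of vulnerabilities that the latest scan no longer found.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Report is one vulnerability finding to transmit (hypothetical type).
type Report struct {
	ID string
}

// Transmitter sends a single report; it stands in for the HTTP client (hypothetical).
type Transmitter func(Report) error

// Transmit sends every report and collects the failures with errors.Join, which
// separates the individual messages with "\n", reproducing the shape of the logged error.
func Transmit(reports []Report, send Transmitter) error {
	var errs []error
	for _, r := range reports {
		if err := send(r); err != nil {
			errs = append(errs, err)
		}
	}
	if len(errs) > 0 {
		return fmt.Errorf("error transmitting vulnerability reports: %w", errors.Join(errs...))
	}
	return nil
}

// CountFailures tells an operator how many reports were rejected with HTTP 400
// by counting the repeated status line inside the joined error message.
func CountFailures(err error) int {
	if err == nil {
		return 0
	}
	return strings.Count(err.Error(), "unexpected status code: 400")
}

// Resolve returns the known vulnerability IDs absent from the current scan, but only
// when transmission succeeded; on any transmit error resolution is skipped (ok=false),
// so stale findings stay open, which is the symptom reported above.
func Resolve(known []string, current []Report, transmitErr error) (resolved []string, ok bool) {
	if transmitErr != nil {
		return nil, false
	}
	seen := map[string]bool{}
	for _, r := range current {
		seen[r.ID] = true
	}
	for _, id := range known {
		if !seen[id] {
			resolved = append(resolved, id)
		}
	}
	return resolved, true
}
```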
Root Cause Analysis
See #536190 (comment 2493495380).
Solution
Work in progress.
Edited by Oscar Tovar