
Dependency List missing vulnerabilities for duplicate dependencies across projects in same group


  • I searched GitLab.com for issues with similar dependency list vulnerability bugs. I found a similar/related issue, #348489 (closed), but none matching this specific scenario, where vulnerabilities do not appear in the dependency list of the second project that has the same vulnerable dependency under the same group.

Summary

Vulnerabilities are not shown on the Dependency List page of the second project when the same vulnerable dependency exists in more than one project under the same group.

Steps to reproduce

  1. Create the first project under a group.
  2. Add an Ivy report file containing a dependency with a known vulnerability, as in #568028 (closed).
  3. Run Dependency Scanning against the first project.
  4. Create a second project under the same group.
  5. Add a similar Ivy report file with the same vulnerable dependency.
  6. Run Dependency Scanning against the second project.
  7. Open the Dependency List page of the second project.
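To make steps 3 and 6 concrete, the following is an added example of the CI configuration used to run Dependency Scanning in each of the two projects; it is not taken from the issue or from the example projects above. It assumes an Ultimate-tier group and the standard GitLab Dependency Scanning template; how the Ivy report file is placed so that the analyzer picks it up is whatever #568028 describes and is not shown here.

```yaml
# .gitlab-ci.yml (added example, not the reporter's configuration)
# Assumption: the project lives in an Ultimate-tier group, so the Dependency
# Scanning template runs and its results feed the project's Dependency List.
include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml

stages:
  - test
```

Commit the same file, with the same vulnerable Ivy dependency, in both projects and let a pipeline complete in each; the comparison that exposes the bug is Secure > Dependency list in project one versus project two after both pipelines have finished.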

Example projects

  1. https://gitlab.com/gl-demo-ultimate-udokmeci/b-asdasdasd/649656
  2. https://gitlab.com/gl-demo-ultimate-udokmeci/b-asdasdasd/649656-2

What is the current bug behavior?

Vulnerabilities do not appear on the Dependency List page of the second project, even though the same vulnerable dependency is present and Dependency Scanning has run.

What is the expected correct behavior?

Vulnerabilities should appear on the Dependency List page of both projects, since both contain the same vulnerable dependency.

Relevant logs and/or screenshots

Note that the yellow "1 vulnerability detected" badge visible in the first screenshot is missing in the second.

1st project:

(screenshot: image.png)

2nd project:

(screenshot: image.png)

Output of checks

Patch release information for backports

Not a security bug.
