
Dependency List missing vulnerabilities that are identified by Dependency Scanner with SBOM


Summary

There is an inconsistency between vulnerabilities shown in the Dependency List and those shown in the Vulnerability Report. The Dependency List is often missing many vulnerabilities that have been identified by the Dependency Scanner with SBOM.

Workaround

Run a new pipeline on the default branch

Steps to reproduce

  1. Import https://gitlab.com/gitlab-org/govern/threat-insights-demos/571526-dependency-linkage-issue into GDK
  2. Run a pipeline on master
  3. Observe that the Dependency List shows no vulnerabilities
  4. Observe that the Vulnerability Report contains findings attributed to those same dependencies

Example

Test project demonstrating the issue: https://gitlab.com/gl-demo-ultimate-odupre/shared-tests/pygoat

  • Vulnerability Report: Shows 64 vulnerabilities identified by dependency scanning
  • Dependency List: Shows 0 vulnerabilities

Expected behavior

All vulnerabilities identified by the dependency scanner should appear in both:

  • The Vulnerability Report
  • The Dependency List (linked to their respective dependencies)

Actual behavior

Many vulnerabilities appear in the Vulnerability Report but are completely missing from the Dependency List, making it difficult for users to understand which dependencies are affected.

Impact

This inconsistency:

  • Creates confusion for security teams trying to understand their dependency vulnerabilities
  • Makes it difficult to prioritize dependency updates
  • Reduces trust in GitLab's security scanning capabilities
  • Impacts the user experience when managing security findings

Additional context

According to @bwill's analysis:

Vulnerabilities are linked to dependencies via the location information. If the name, version, and file (ex: pipdeptree.json) match, then the vulnerability is shown on the dependency list.

This suggests that the location recorded on the vulnerability and the entry the Dependency List derives from the SBOM disagree in at least one of those three fields (name, version or file), so the join fails and the vulnerability is not attached to any dependency even though it is still listed in the Vulnerability Report.
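To make the linkage rule quoted above concrete, here is an added example (not GitLab's own code) that applies the name/version/file match to a small set of constructed dependency-list entries and scanner findings, and reports which findings would drop out of the Dependency List and on which field they fail. The record shapes are assumptions loosely modelled on the dependency scanning report's `location.file` and `location.dependency` fields; the package names, versions and vulnerability ids are made up.

```ruby
# Added example, not GitLab code. Demonstrates the rule that a vulnerability is
# attached to a Dependency List entry only when the package name, version and
# file path of its location all match. All data below is constructed.

# Dependency List entries as derived from the SBOM (constructed sample).
DEPENDENCIES = [
  { name: "django",   version: "3.1.0",  file: "pipdeptree.json" },
  { name: "requests", version: "2.25.0", file: "pipdeptree.json" },
  { name: "jinja2",   version: "2.11.2", file: "pipdeptree.json" },
].freeze

# Dependency scanning findings, each carrying a location block (constructed sample).
VULNERABILITIES = [
  { id: "VULN-A",
    location: { dependency: { package: { name: "django" }, version: "3.1.0" },
                file: "pipdeptree.json" } },
  # Same package and version, but the file path disagrees with the Dependency List.
  { id: "VULN-B",
    location: { dependency: { package: { name: "requests" }, version: "2.25.0" },
                file: "requirements.txt" } },
  # Same package and file, but the scanner resolved a different version.
  { id: "VULN-C",
    location: { dependency: { package: { name: "jinja2" }, version: "2.11.3" },
                file: "pipdeptree.json" } },
].freeze

LINK_FIELDS = %i[name version file].freeze

# The linkage key is exactly the triple the issue says must match.
def dependency_key(dep)
  [dep[:name], dep[:version], dep[:file]]
end

def vulnerability_key(vuln)
  loc = vuln[:location]
  [loc[:dependency][:package][:name], loc[:dependency][:version], loc[:file]]
end

# Returns { [name, version, file] => [vulnerability ids] } for every
# Dependency List entry; an empty array means the entry shows no vulnerabilities.
def link_vulnerabilities(dependencies, vulnerabilities)
  index = dependencies.each_with_object({}) { |d, h| h[dependency_key(d)] = [] }
  vulnerabilities.each do |v|
    key = vulnerability_key(v)
    index[key] << v[:id] if index.key?(key)
  end
  index
end

# Diagnostic: findings that stay in the Vulnerability Report but are dropped
# from the Dependency List, with the field(s) that failed to match against the
# closest same-named dependency (or :name if no dependency has that name).
def unlinked_vulnerabilities(dependencies, vulnerabilities)
  by_name = dependencies.group_by { |d| d[:name] }
  vulnerabilities.filter_map do |v|
    key = vulnerability_key(v)
    candidates = by_name.fetch(key[0], [])
    next if candidates.any? { |d| dependency_key(d) == key }

    mismatch =
      if candidates.empty?
        [:name]
      else
        candidates
          .map { |d| LINK_FIELDS.zip(dependency_key(d), key).reject { |_, a, b| a == b }.map(&:first) }
          .min_by(&:length)
      end
    { id: v[:id], mismatch: mismatch }
  end
end

if __FILE__ == $PROGRAM_NAME
  link_vulnerabilities(DEPENDENCIES, VULNERABILITIES).each do |key, ids|
    puts "#{key.join(' ')} -> #{ids.empty? ? '(no vulnerabilities shown)' : ids.join(', ')}"
  end
  unlinked_vulnerabilities(DEPENDENCIES, VULNERABILITIES).each do |u|
    puts "#{u[:id]} not linked: mismatch on #{u[:mismatch].join(', ')}"
  end
end
```

Running the script shows only VULN-A attached to a dependency; VULN-B is dropped because its file path differs and VULN-C because its version differs, which is the same shape of discrepancy the pygoat project above exhibits (64 findings in the Vulnerability Report, 0 on the Dependency List). Pointing the diagnostic at a real pair of SBOM-derived entries and scanner locations is the quickest way to tell which of the three fields is disagreeing.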

Edited by Brian Williams