Dependency List missing vulnerabilities that are identified by Dependency Scanner with SBOM
Summary
There is an inconsistency between vulnerabilities shown in the Dependency List and those shown in the Vulnerability Report. The Dependency List is often missing many vulnerabilities that have been identified by the Dependency Scanner with SBOM.
Workaround
Run a new pipeline on the default branch
Steps to reproduce
- Import https://gitlab.com/gitlab-org/govern/threat-insights-demos/571526-dependency-linkage-issue into GDK
- Run pipeline on master
- Dependency list has no vulnerabilities
- Vulnerability report contains items related to dependencies
Example
Test project demonstrating the issue: https://gitlab.com/gl-demo-ultimate-odupre/shared-tests/pygoat
- Vulnerability Report: Shows 64 vulnerabilities identified by dependency scanning
- Dependency List: Shows 0 vulnerabilities
Expected behavior
All vulnerabilities identified by the dependency scanner should appear in both:
- The Vulnerability Report
- The Dependency List (linked to their respective dependencies)
Actual behavior
Many vulnerabilities appear in the Vulnerability Report but are completely missing from the Dependency List, making it difficult for users to understand which dependencies are affected.
Impact
This inconsistency:
- Creates confusion for security teams trying to understand their dependency vulnerabilities
- Makes it difficult to prioritize dependency updates
- Reduces trust in GitLab's security scanning capabilities
- Impacts the user experience when managing security findings
Additional context
According to @bwill's analysis:
Vulnerabilities are linked to dependencies via the location information. If the `name`, `version`, and `file` (ex: `pipdeptree.json`) match, then the vulnerability is shown on the dependency list.
This suggests there may be a mismatch in how location information is being processed between the vulnerability detection and dependency list display.
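The linkage rule quoted above can be turned into a triage check. This is an added example, not GitLab's own code: it takes a constructed dependency-scanning report and a constructed dependency list and reports which findings fail the (name, version, file) match and why. The report field names (`location.file`, `location.dependency.package.name`, `location.dependency.version`) are assumed from GitLab's secure report schema.

```python
import json
from collections import defaultdict

# Constructed sample dependency-scanning report, laid out like GitLab's secure
# report schema (location.file, location.dependency.package.name,
# location.dependency.version); those field names are an assumption here.
REPORT_JSON = json.dumps({"vulnerabilities": [
    {"id": "v1", "location": {"file": "pipdeptree.json",
     "dependency": {"package": {"name": "requests"}, "version": "2.19.1"}}},
    {"id": "v2", "location": {"file": "requirements.txt",
     "dependency": {"package": {"name": "jinja2"}, "version": "2.10"}}},
    {"id": "v3", "location": {"file": "pipdeptree.json",
     "dependency": {"package": {"name": "urllib3"}, "version": "1.24"}}},
]})

# Constructed dependency list as (name, version, file) triples.
DEPENDENCY_LIST = [
    ("requests", "2.19.1", "pipdeptree.json"),
    ("jinja2", "2.10", "pipdeptree.json"),   # file differs from finding v2
    ("urllib3", "1.25", "pipdeptree.json"),  # version differs from finding v3
]

def finding_key(vuln):
    """(name, version, file) triple the linkage compares, per the rule quoted above."""
    loc = vuln["location"]
    return (loc["dependency"]["package"]["name"], loc["dependency"]["version"], loc["file"])

def unlinked_findings(report_json, dependency_list):
    """Map finding id -> reason for every finding with no exact triple match."""
    deps = set(dependency_list)
    by_name = defaultdict(list)          # name -> [(version, file), ...]
    for name, version, file in deps:
        by_name[name].append((version, file))
    result = {}
    for vuln in json.loads(report_json)["vulnerabilities"]:
        name, version, file = finding_key(vuln)
        if (name, version, file) in deps:
            continue                     # links: would show on the Dependency List
        candidates = by_name.get(name, [])
        if not candidates:
            reason = f"no dependency named {name!r}"
        elif any(v == version for v, _ in candidates):
            reason = f"file mismatch: finding {file!r} vs {[f for v, f in candidates if v == version]}"
        else:
            reason = f"version mismatch: finding {version!r} vs {[v for v, _ in candidates]}"
        result[vuln["id"]] = reason
    return result
```

Running it against a real report and the Dependency List export for the affected project would show whether the missing items fail on `file` (as the `pipdeptree.json` hint suggests) or on `version`.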