
Correctly deduplicate vulnerabilities with 8 digit image tags

What does this MR do and why?

Exclude 8-digit numbers from the location fingerprint when performing vulnerability deduplication. Relates to https://gitlab.com/gitlab-com/sec-sub-department/section-sec-request-for-help/-/issues/157#note_1678298788.

This means that when two different images are tagged with short hashes such as my-image:62011677 and my-image:e2e32c98, they will be grouped in the vulnerability report instead of being displayed as separate line items. It remains ambiguous whether 62011677 is a hash or a version number, but since version numbers rarely grow that large, this is the quickest way to fix the case where a short-ref tagging scheme is used.

How to set up and validate locally


Start the rails console and run this code:

%w[my-image:e2e32c98 my-image:62011677 my-image:1 my-image:1.0].each do |image_name|
  puts Gitlab::Ci::Reports::Security::Locations::ContainerScanning
    .new(image: image_name, operating_system: 'alpine', package_name: 'glibc')
    .fingerprint_data
end

The expected output is:

my-image:glibc
my-image:glibc
my-image:1:glibc
my-image:1.0:glibc

The output before this change is:

my-image:glibc
my-image:62011677:glibc
my-image:1:glibc
my-image:1.0:glibc
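As an added illustration of the fingerprint rule described above and of the before/after output in the validation steps, the following stand-alone Ruby module approximates the location fingerprint; it is example code, not GitLab's own implementation, and the module name, the regexes and the registry-port handling are assumptions for the sake of the example.

```ruby
# Added example, not GitLab's own implementation: a stand-alone approximation of
# the container-scanning location fingerprint this MR changes. Hash-like tags are
# dropped so that rebuilds of the same image deduplicate; version-like tags stay.
module LocationFingerprintExample
  # Long hex digests, e.g. a sha256 manifest digest used as a tag.
  LONG_HASH_TAG = /\A[0-9a-f]{32,128}\z/i
  # Short git refs: exactly 8 hex characters. A purely numeric 8-digit tag such
  # as 62011677 also matches; this is the ambiguity the MR accepts on purpose.
  SHORT_REF_TAG = /\A[0-9a-f]{8}\z/i

  def self.hash_like_tag?(tag)
    !tag.nil? && (LONG_HASH_TAG.match?(tag) || SHORT_REF_TAG.match?(tag))
  end

  # Split "name:tag" on the last colon. A colon followed by a slash belongs to a
  # registry port ("registry:5000/img"), not to a tag (assumption of this example).
  def self.split_image(image)
    idx = image.rindex(':')
    return [image, nil] if idx.nil? || image.index('/', idx)

    [image[0...idx], image[(idx + 1)..]]
  end

  # Mirrors the page's expected output: "my-image:e2e32c98" -> "my-image:glibc",
  # while "my-image:1.0" keeps its tag and yields "my-image:1.0:glibc".
  def self.fingerprint_data(image:, package_name:)
    name, tag = split_image(image)
    name = "#{name}:#{tag}" if tag && !hash_like_tag?(tag)
    "#{name}:#{package_name}"
  end

  # Group findings by fingerprint: entries sharing a fingerprint become one
  # vulnerability-report line item instead of several.
  def self.group_by_fingerprint(findings)
    findings.group_by { |f| fingerprint_data(**f) }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample findings: the same package across the page's four image tags.
  findings = %w[my-image:e2e32c98 my-image:62011677 my-image:1 my-image:1.0]
             .map { |img| { image: img, package_name: 'glibc' } }
  LocationFingerprintExample.group_by_fingerprint(findings).each do |fp, entries|
    puts "#{fp} <= #{entries.map { |e| e[:image] }.join(', ')}"
  end
end
```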

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Brian Williams
