Remove cyclonedx related findings from
What does this MR do and why?
Security Findings for CycloneDX Reports
Add support for security findings into pipeline... (#490334) introduced the creation of security findings for CycloneDX reports. These changes were mainly focused on the creation of security scans, vulnerability scanners, and security findings (e.g., `Security::StoreGroupedScansService` and `Security::StoreGroupedSbomScansService`). However, this change has also impacted the vulnerability workflow (i.e., `Security::StoreSecurityReportsByProjectWorker`). As a result, this MR removes all CycloneDX-related security findings from this logic.
Complexity Overview
This complexity arises due to the following reasons:
- Both `cyclonedx` and `dependency_scanning` reports belong to the same job.
- CycloneDX-related security findings (`cyclonedx` reports) are persisted similarly to the ones related to the existing dependency scanning analyzer (`dependency_scanning` reports).
Thus, for a single security scan:
- `report_findings` will return only findings related to the dependency scanning analyzer.
- `findings` will also include those related to CycloneDX.
Long-Term Solution
The good news is that this complexity will only be necessary until %18.0, when the existing dependency scanning analyzer will be removed.
Changes in This MR
With this in mind, this merge request removes CycloneDX-related findings from `finding_map`, ensuring they are not considered during vulnerability creation.
Side Effects
This change also addresses errors similar to the following:
References
Please include cross links to any resources that are relevant to this MR. This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.
- Related issue: [Feature flag] Rollout of `dependency_scanning_... (#490332)
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.