Normalize package_name for dependency scanning

What does this MR do and why?

Normalize the package name used for dependency scanning, but only for Python packages, so that the same package reported by different scanners (e.g. Flask vs flask) is matched as one.

References

Related issue: Duplicated vulnerabilities due to mismatch in c... (#552648 - closed) • Zamir Martins • 18.4

How to set up and validate locally

  1. Create a new project.
  2. Add a requirements.txt file with Flask==2.0.2 as its contents.
  3. Create a .gitlab-ci.yml with the below contents:

     include:
       - template: Jobs/Dependency-Scanning.gitlab-ci.yml

  4. Commit/push the changes and trigger a pipeline run (on the default branch).
  5. Once the pipeline has finished, open the project's vulnerability report and search by Identifier = CVE-2023-30861.
  6. Observe duplicate vulnerabilities:
     • One will have scanner GitLab SBoM Vulnerability Scanner and Vulnerable package = flask:2.0.2
     • One will have scanner gemnasium-python and Vulnerable package = Flask:2.0.2
     • Note the different casing of the package name (flask vs Flask); both entries are the same package, version and CVE.
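The duplicate that the steps above surface comes from two scanners spelling the same Python distribution name with different casing. As an added example, not code from this MR or from GitLab's analyzers, the block below applies PEP 503 name normalization (lowercase, with runs of "-", "_" and "." collapsed to a single "-") to Python packages only, and deduplicates a constructed set of findings: the flask/Flask pair from the reproduction above collapses to one report, while a hypothetical npm pair with a made-up identifier is left as two, since only Python names are normalized. The Finding dataclass, the dedup key and the sample data are assumptions for illustration; GitLab's actual data model is not shown on this page.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# PEP 503 normalization rule for Python distribution names:
# lowercase, and replace every run of '-', '_' or '.' with a single '-'.
_PEP503_SEPARATORS = re.compile(r"[-_.]+")


def normalize_python_package_name(name: str) -> str:
    """Return the PEP 503 normalized form of a Python distribution name."""
    return _PEP503_SEPARATORS.sub("-", name).lower()


def normalize_package_name(package_type: str, name: str) -> str:
    """Normalize only Python ("pypi") names; other ecosystems are returned unchanged.

    The "pypi" type string is an assumption for this example; it mirrors the
    MR's stated scope of normalizing Python packages only.
    """
    if package_type == "pypi":
        return normalize_python_package_name(name)
    return name


@dataclass(frozen=True)
class Finding:
    """Hypothetical vulnerability finding as a scanner might report it."""
    scanner: str
    package_type: str
    package_name: str
    version: str
    identifier: str


def dedup_key(finding: Finding) -> tuple:
    """Key used to decide whether two findings describe the same vulnerability.

    The scanner name is deliberately excluded: two scanners reporting the same
    package, version and identifier are one vulnerability, not two.
    """
    return (
        finding.package_type,
        normalize_package_name(finding.package_type, finding.package_name),
        finding.version,
        finding.identifier,
    )


def deduplicate(findings: Iterable[Finding]) -> List[Finding]:
    """Keep the first finding per dedup key and drop later duplicates."""
    seen = {}
    for finding in findings:
        seen.setdefault(dedup_key(finding), finding)
    return list(seen.values())


# Constructed sample input (not real scanner output). The first pair mirrors
# the flask/Flask duplicate reproduced above; the npm pair uses a made-up
# identifier and exists only to show that non-Python names are not normalized.
SAMPLE_FINDINGS = [
    Finding("GitLab SBoM Vulnerability Scanner", "pypi", "flask", "2.0.2", "CVE-2023-30861"),
    Finding("gemnasium-python", "pypi", "Flask", "2.0.2", "CVE-2023-30861"),
    Finding("scanner-a", "npm", "Example-Pkg", "1.0.0", "EXAMPLE-0001"),
    Finding("scanner-b", "npm", "example-pkg", "1.0.0", "EXAMPLE-0001"),
]


if __name__ == "__main__":
    for f in deduplicate(SAMPLE_FINDINGS):
        print(f.scanner, f.package_type, f.package_name, f.version, f.identifier)
```

Run stand-alone, the block prints three findings: one for the Python package (the Flask entry from gemnasium-python is folded into the flask entry) and both npm entries, because the npm names differ in case and are intentionally not normalized. The point to take from it is that the dedup key must be computed from the normalized name, not the raw one, and that normalization must be applied consistently to every source that feeds the report.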

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Zamir Martins