
Ignore dependency IID when comparing reports

Fabien Catteau requested to merge 229840-ignore-dependency-iid into master

What does this MR do?

Ignore dependency IID in vulnerability location, dependency file dependency, and dependency path. Dependency Scanning reports are considered to be different only if the length of the dependency path is different.

compare_reports.sh passes when gl-dependency-scanning-report.json is compared to gl-dependency-scanning-report2.json.

Let's remove the last item of the last dependency path, in gl-dependency-scanning-report2.json:

@@ -1697,9 +1697,6 @@
             },
             {
               "iid": 53
-            },
-            {
-              "iid": 67
             }
           ],
           "package": {
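Review bot: the element removed here is identified only by its IID (`"iid": 67`), which the comparison now ignores, so this fixture edit exercises the path-length check but not the claim that IIDs themselves are disregarded. A second edit that keeps the path length and only renumbers an IID (say `"iid": 53` to `"iid": 54`) should leave compare_reports.sh passing and would cover that case.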

Then it fails and reports the missing item:

@@ -965,11 +965,10 @@
             {},
             {},
             {},       
-            {},                                                                                                                  
             {}                                                                                                                   
           ],
           "package": {      
-            "name": "runtime.debian.8-x64.runtime.native.System.Security.Cryptography.OpenSsl"
+            "name": "runtime.ubuntu.16.10-x64.runtime.native.System.Security.Cryptography.OpenSsl"
           },  
           "version": "4.3.0"
         },
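Review bot: the `-`/`+` pair on `package.name` (runtime.debian.8-x64... to runtime.ubuntu.16.10-x64...) is misattributed: only one element was dropped from one dependency path, yet the positional diff re-aligns the neighbouring entry and presents a package change that never happened, which is the noise the description mentions. Since the path elements are already blanked to `{}` and only their count is significant, consider replacing each `dependency_path` array with its length before diffing (this hunk would then read `-4`/`+3` under the debian package), or matching dependencies by package name and version rather than by array position.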

Unfortunately, there's extra noise in the diff.

What are the relevant issue numbers?

gitlab-org/gitlab#229840 (closed)

Edited by Fabien Catteau
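The comparison rule described in the MR (drop dependency IIDs everywhere, treat a dependency path as changed only when its length changes) can be implemented so that the diff names the affected package instead of shifting its neighbours. The following is an added example, not compare_reports.sh or any other code from this merge request. The report structure it uses (dependency_files[].dependencies[] and vulnerabilities[].location.dependency, each carrying iid, package.name, version and a dependency_path list of {"iid": n}) is a constructed sample modelled on the shape visible in the hunks above; any field beyond those is an assumption, and the package names are reused from the diff only as labels.

```python
"""Normalise two GitLab Dependency Scanning reports with dependency IIDs ignored,
then compare dependencies by (file, package name, version) instead of by array
index, so a shortened dependency_path is reported on the dependency it belongs to.

Added example; not the MR's compare_reports.sh. The report shape below is a
constructed sample following the hunks in the MR; field names are assumptions.
"""
from __future__ import annotations

import copy
import json
from typing import Any

DEBIAN = "runtime.debian.8-x64.runtime.native.System.Security.Cryptography.OpenSsl"
UBUNTU = "runtime.ubuntu.16.10-x64.runtime.native.System.Security.Cryptography.OpenSsl"
PATH = [{"iid": 3}, {"iid": 21}, {"iid": 53}, {"iid": 67}]  # constructed, 4 elements

# Constructed sample report (not from the MR): two dependencies in one file and
# one vulnerability whose location points at the first of them.
REPORT_A: dict[str, Any] = {
    "vulnerabilities": [{
        "id": "vuln-1",
        "location": {"file": "project.csproj", "dependency": {
            "iid": 12, "package": {"name": DEBIAN}, "version": "4.3.0",
            "dependency_path": copy.deepcopy(PATH)}},
    }],
    "dependency_files": [{
        "path": "project.csproj",
        "dependencies": [
            {"iid": 12, "package": {"name": DEBIAN}, "version": "4.3.0",
             "dependency_path": copy.deepcopy(PATH)},
            {"iid": 13, "package": {"name": UBUNTU}, "version": "4.3.0",
             "dependency_path": copy.deepcopy(PATH)},
        ],
    }],
}


def strip_dependency(dep: dict[str, Any]) -> dict[str, Any]:
    """Drop the dependency's own iid and replace dependency_path (a list of
    {"iid": n}) by its length, the only property the comparison treats as significant."""
    out = {k: v for k, v in dep.items() if k not in ("iid", "dependency_path")}
    if "dependency_path" in dep:
        out["dependency_path_length"] = len(dep["dependency_path"])
    return out


def normalize_report(report: dict[str, Any]) -> dict[str, Any]:
    """Apply strip_dependency in every place a dependency appears."""
    report = copy.deepcopy(report)
    for vuln in report.get("vulnerabilities", []):
        loc = vuln.get("location", {})
        if "dependency" in loc:
            loc["dependency"] = strip_dependency(loc["dependency"])
    for dep_file in report.get("dependency_files", []):
        dep_file["dependencies"] = [strip_dependency(d) for d in dep_file.get("dependencies", [])]
    return report


def dependency_key(file_path: str, dep: dict[str, Any]) -> tuple[str, str, str]:
    return (file_path, dep["package"]["name"], dep.get("version", ""))


def compare_reports(a: dict[str, Any], b: dict[str, Any]) -> list[str]:
    """Return human-readable findings; an empty list means the reports are equivalent.
    Dependencies are matched by key, not by position, so one missing path element
    cannot make a neighbouring entry look renamed."""
    a, b = normalize_report(a), normalize_report(b)
    findings: list[str] = []
    deps_a = {dependency_key(f["path"], d): d for f in a.get("dependency_files", []) for d in f["dependencies"]}
    deps_b = {dependency_key(f["path"], d): d for f in b.get("dependency_files", []) for d in f["dependencies"]}
    for key in sorted(deps_a.keys() | deps_b.keys()):
        if key not in deps_b:
            findings.append(f"missing in B: {key}")
        elif key not in deps_a:
            findings.append(f"missing in A: {key}")
        elif deps_a[key] != deps_b[key]:
            findings.append(f"changed: {key}: {json.dumps(deps_a[key], sort_keys=True)}"
                            f" -> {json.dumps(deps_b[key], sort_keys=True)}")
    vulns_a = {v["id"]: v for v in a.get("vulnerabilities", [])}
    vulns_b = {v["id"]: v for v in b.get("vulnerabilities", [])}
    for vid in sorted(vulns_a.keys() | vulns_b.keys()):
        if vid not in vulns_a or vid not in vulns_b:
            findings.append(f"vulnerability {vid} present in only one report")
        elif vulns_a[vid] != vulns_b[vid]:
            findings.append(f"vulnerability {vid} changed")
    return findings


def renumber_iids(obj: Any, offset: int) -> Any:
    """Shift every iid in the report: a change the comparison must not notice."""
    if isinstance(obj, dict):
        return {k: (v + offset if k == "iid" and isinstance(v, int) else renumber_iids(v, offset))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [renumber_iids(x, offset) for x in obj]
    return obj


def demo_iids_ignored() -> list[str]:
    """Same report with all IIDs renumbered: no findings expected."""
    return compare_reports(REPORT_A, renumber_iids(REPORT_A, 100))


def demo_shorter_path() -> list[str]:
    """Remove the last path element of the first dependency, as the MR does in
    gl-dependency-scanning-report2.json: exactly one finding, on the debian package."""
    b = copy.deepcopy(REPORT_A)
    b["dependency_files"][0]["dependencies"][0]["dependency_path"].pop()
    return compare_reports(REPORT_A, b)


if __name__ == "__main__":
    print("iids renumbered:", demo_iids_ignored())
    print("path shortened: ", demo_shorter_path())
```

Running the module prints an empty list for the renumbered report and a single "changed" line for the debian package showing dependency_path_length 4 against 3; the ubuntu entry is not mentioned, which is the behaviour the positional diff in the MR description fails to give.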
