
Ignore vulnerability id field during DS, SAST QA

Fabien Catteau requested to merge ignore-vuln-id-during-qa into master

Ignore id field when comparing vulnerabilities and remediations during QA for SAST and DS.

Tested in https://gitlab.com/gitlab-org/security-products/tests/go-modules/pipelines/133201297 (DS).

Ignoring the id field from vulnerabilities and remediations makes it impossible to check whether remediation objects properly reference the vulnerability objects they fixed. That said, right now QA jobs and test projects don't cover Dependency Scanning auto-remediation, so we can consider this out of scope.

This has not been ported to CS because currently it doesn't use includes-dev/qa-container_scanning.yml, and this file should thus be removed from the https://gitlab.com/gitlab-org/security-products/ci-templates project.

See gitlab-org/gitlab#36777 (closed)

Edited by 🤖 GitLab Bot 🤖
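
The trade-off described in the merge request, as an added example that is not code from the merge request or from the ci-templates project: once `id` is stripped, a remediation pointing at a non-existent vulnerability still passes the comparison, so reference integrity needs its own check on the unstripped report. The report layout (`vulnerabilities[].id`, `remediations[].fixes[].id`), the function names and all sample values are assumptions constructed for illustration.

```python
import copy

def strip_ids(report):
    """Copy of the report without `id` on vulnerabilities and remediation fixes."""
    out = copy.deepcopy(report)
    for vuln in out.get("vulnerabilities", []):
        vuln.pop("id", None)
    for rem in out.get("remediations", []):
        for fix in rem.get("fixes", []):
            fix.pop("id", None)
    return out

def reports_match(expected, actual):
    """QA-style comparison that ignores the id field."""
    return strip_ids(expected) == strip_ids(actual)

def dangling_fixes(report):
    """Ids referenced by remediations that match no vulnerability in the report."""
    known = {v.get("id") for v in report.get("vulnerabilities", [])}
    return [fix.get("id")
            for rem in report.get("remediations", [])
            for fix in rem.get("fixes", [])
            if fix.get("id") not in known]

# Constructed sample reports (not real scanner output).
EXPECTED = {
    "vulnerabilities": [{"id": "aaa", "name": "Outdated module", "severity": "High"}],
    "remediations": [{"fixes": [{"id": "aaa"}], "summary": "Upgrade module"}],
}
# Same findings, regenerated vulnerability id, and a remediation that
# references an id no vulnerability carries.
ACTUAL = {
    "vulnerabilities": [{"id": "bbb", "name": "Outdated module", "severity": "High"}],
    "remediations": [{"fixes": [{"id": "zzz"}], "summary": "Upgrade module"}],
}

if __name__ == "__main__":
    print("match ignoring id:", reports_match(EXPECTED, ACTUAL))
    print("dangling fixes in actual:", dangling_fixes(ACTUAL))
```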
