Correctly deduplicate vulnerabilities with 8 digit image tags

Exclude 8-digit numbers from the location fingerprint when performing vulnerability deduplication. This means that when two different images are tagged with short hashes such as my-image:62011677 and my-image:e2e32c98, these will be grouped in the vulnerability report instead of being displayed as separate line items. It's still ambiguous as to whether 62011677 is a hash or a number, but since version numbers rarely become that large this is the quickest way to fix the case where we have a short-ref tagging scheme. Changelog: fixed EE: true

Correctly deduplicate vulnerabilities with 8 digit image tags
752d9a59 · Brian Williams · Mehmet Emin INAC · a1958ada · 752d9a59 · 752d9a59
--- a/ee/lib/gitlab/ci/reports/security/locations/container_scanning.rb
+++ b/ee/lib/gitlab/ci/reports/security/locations/container_scanning.rb
@@ -51,13 +51,9 @@ def prepare_image_name
            end
            def version_semver_like?(version)
-              hash_like = /\A[0-9a-f]{32,128}\z/i
+              hash_like = /\A[0-9a-f]{8,128}\z/i
-              if Gem::Version.correct?(version)
+              Gem::Version.correct?(version) && !hash_like.match?(version)
-                !hash_like.match?(version)
-              else
-                false
-              end
            end
          end
        end

--- a/ee/spec/lib/gitlab/ci/reports/security/locations/container_scanning_spec.rb
+++ b/ee/spec/lib/gitlab/ci/reports/security/locations/container_scanning_spec.rb
@@ -41,6 +41,12 @@
          false,
          'registry.gitlab.com/group/project/tmp:glibc'
        ],
+        [
+          'registry.gitlab.com/group/project/tmp:38960416',
+          nil,
+          false,
+          'registry.gitlab.com/group/project/tmp:glibc'
+        ],
        [
          'registry.gitlab.com/group/project/feature:5b1a4a921d7a50c3757aae3f7df2221878775af4',
          'registry.gitlab.com/group/project/master:ec301f43f14a2b477806875e49cfc4d3fa0d22c3',