From 752d9a59eb973407ad2e4a279a0b7b74f0dab364 Mon Sep 17 00:00:00 2001
From: Brian Williams <bwilliams@gitlab.com>
Date: Wed, 6 Dec 2023 14:24:05 +0000
Subject: [PATCH] Correctly deduplicate vulnerabilities with 8 digit image tags

Exclude 8-digit numbers from the location fingerprint when performing
vulnerability deduplication. This means that when two different images
are tagged with short hashes such as my-image:62011677 and
my-image:e2e32c98, these will be grouped in the vulnerability report
instead of being displayed as separate line items. It remains ambiguous
whether 62011677 is a hash or a version number, but since version numbers
rarely grow to eight digits this is the quickest way to handle the case
where a short-ref tagging scheme is in use.

Changelog: fixed
EE: true
---
 .../ci/reports/security/locations/container_scanning.rb   | 8 ++------
 .../reports/security/locations/container_scanning_spec.rb | 6 ++++++
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/ee/lib/gitlab/ci/reports/security/locations/container_scanning.rb b/ee/lib/gitlab/ci/reports/security/locations/container_scanning.rb
index 2efca10f2f2ed..04ec7161459ae 100644
--- a/ee/lib/gitlab/ci/reports/security/locations/container_scanning.rb
+++ b/ee/lib/gitlab/ci/reports/security/locations/container_scanning.rb
@@ -51,13 +51,9 @@ def prepare_image_name
             end
 
             def version_semver_like?(version)
-              hash_like = /\A[0-9a-f]{32,128}\z/i
+              hash_like = /\A[0-9a-f]{8,128}\z/i
 
-              if Gem::Version.correct?(version)
-                !hash_like.match?(version)
-              else
-                false
-              end
+              Gem::Version.correct?(version) && !hash_like.match?(version)
             end
           end
         end
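Review bot: The widened `hash_like` pattern on the `+` line also matches eight-digit date stamps such as `20231206`, a common image tagging scheme, so two differently dated builds of the same image would now collapse into one vulnerability line item and a finding that was fixed in only one of them becomes harder to notice. If I recall `Gem::Version.correct?` correctly it requires a leading digit and accepts no bare hex letters, so the only inputs that pass both checks are all-digit strings of eight or more characters; stating that intent directly, `hash_like = /\A\d{8,}\z/`, with the comment `# 8+ digit numeric tags are treated as short hashes; this also swallows YYYYMMDD date tags (accepted trade-off)`, would make the cutoff and its cost visible to the next maintainer. If date-stamped tags matter for this report, a narrower rule (for example keeping exactly-eight-digit values that parse as a plausible date) would need a spec case of its own.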
diff --git a/ee/spec/lib/gitlab/ci/reports/security/locations/container_scanning_spec.rb b/ee/spec/lib/gitlab/ci/reports/security/locations/container_scanning_spec.rb
index 9e84475615674..7172ef6beb56f 100644
--- a/ee/spec/lib/gitlab/ci/reports/security/locations/container_scanning_spec.rb
+++ b/ee/spec/lib/gitlab/ci/reports/security/locations/container_scanning_spec.rb
@@ -41,6 +41,12 @@
           false,
           'registry.gitlab.com/group/project/tmp:glibc'
         ],
+        [
+          'registry.gitlab.com/group/project/tmp:38960416',
+          nil,
+          false,
+          'registry.gitlab.com/group/project/tmp:glibc'
+        ],
         [
           'registry.gitlab.com/group/project/feature:5b1a4a921d7a50c3757aae3f7df2221878775af4',
           'registry.gitlab.com/group/project/master:ec301f43f14a2b477806875e49cfc4d3fa0d22c3',
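Review bot: The new row pins that `tmp:38960416` is folded together with `tmp:glibc`, but nothing pins the lower edge of the new threshold, so an accidental change of `{8,128}` to `{7,128}` would go unnoticed. A sibling row with a seven-digit tag, e.g. `'registry.gitlab.com/group/project/tmp:3896041'`, expected to stay a distinct version would document that eight digits is the intended cutoff. The table's column meanings are defined above the hunk, so the expected-value cells for that row should follow whatever the existing version-like rows use.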
-- 
GitLab