Grype container scanning won't fill out gl-dependency-scanning-report.json

Looking through the logs, the container scanner does correctly identify the found dependencies within the container and enumerates vulnerabilities associated with the dependencies; however, when the JSON artifacts are generated, the gl-dependency-scanning-report.json does not include any of the listed dependencies or their associated vulnerabilities.

gl-dependency-scanning-report.json
{"version":"14.0.6","scan":{"type":"dependency_scanning","start_time":"2022-05-25T22:19:39","end_time":"2022-05-25T22:19:39","status":"success","scanner":{"id":"grype","name":"Grype","url":"https://github.com/anchore/grype","vendor":{"name":"GitLab"},"version":"0.36.1"},"analyzer":{"id":"gcs","name":"GitLab Container Scanning","vendor":{"name":"GitLab"},"version":"4.6.19"}},"vulnerabilities":,"dependency_files":}

@csmalveaux Thanks for creating the discussion and welcome to the community! :slight_smile:

Dependency list is only supported with Trivy at the moment; Grype does not support it yet. You can find more on the feature here: Container Scanning | GitLab

The CS_DISABLE_DEPENDENCY_LIST CI/CD variable controls whether the scan creates a Dependency List report. This variable is currently only supported when the trivy analyzer is used.

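An added example, not part of the original thread and not GitLab's own code: a pipeline-side check that treats an empty gl-dependency-scanning-report.json from a scanner other than Trivy as "no dependency list produced" rather than "no dependencies". The function name, the sample report's empty lists and the `dependencies` key inside each `dependency_files` entry are assumptions made for this sketch.

```python
import json

# Constructed sample shaped like the report in the question. The page's copy
# shows no values for "vulnerabilities" and "dependency_files"; the empty
# lists used here are an assumption.
SAMPLE_GRYPE = json.loads("""
{"version": "14.0.6",
 "scan": {"type": "dependency_scanning", "status": "success",
          "scanner": {"id": "grype", "name": "Grype", "version": "0.36.1"},
          "analyzer": {"id": "gcs", "version": "4.6.19"}},
 "vulnerabilities": [], "dependency_files": []}
""")

# Scanners that populate the dependency list, per the reply above.
DEPENDENCY_LIST_SCANNERS = {"trivy"}


def audit_dependency_report(report, disable_dependency_list=False):
    """Return a list of problems; an empty list means the report is usable.

    disable_dependency_list mirrors the CS_DISABLE_DEPENDENCY_LIST variable.
    """
    problems = []
    scan = report.get("scan") or {}
    scanner = ((scan.get("scanner") or {}).get("id") or "").lower()
    if scan.get("type") != "dependency_scanning":
        problems.append(f"unexpected scan type: {scan.get('type')!r}")
    if scan.get("status") != "success":
        problems.append(f"scan status is {scan.get('status')!r}")
    files = report.get("dependency_files")
    files = files if isinstance(files, list) else []
    # Count dependencies across all entries (assumed key: "dependencies").
    deps = sum(len(f.get("dependencies") or []) for f in files if isinstance(f, dict))
    if deps == 0:
        if disable_dependency_list:
            problems.append("dependency list disabled by CS_DISABLE_DEPENDENCY_LIST")
        elif scanner not in DEPENDENCY_LIST_SCANNERS:
            problems.append(f"scanner {scanner!r} does not produce a dependency list; "
                            "an empty report is not evidence of zero dependencies")
        else:
            problems.append("dependency list is empty although the scanner supports it")
    return problems
```

Running it in a job after the scan turns a silently empty report with status "success" into an explicit finding.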

Thank you so much for your reply. Is there any information that you can share as to when Grype will be supported to also provide a dependency list?

Is there any information that you can share as to when Grype will be supported to also provide a dependency list?

@csmalveaux we are actually working on a major rearchitecture of both Container Scanning and Dependency Scanning. The new approach will have both analyzers output an SBOM that will feed into both the vulnerability scanning as well as the dependency list. This approach will be handled in a standard way for all the analyzers and so it will work uniformly for both trivy and grype.

You can follow Continuous vulnerability scans (&7886) · Epics · GitLab.org · GitLab to track our progress towards this effort.


Thank you so much! This sounds like exactly what I am looking for! I am excited to see this released!
