Handling of Vulnerabilities from multiple external scanners

SonarQube Server, Kubernetes

We are setting up CI/CD pipelines in which there are multiple layers of security scanning; i.e., the pipeline might go like:

→ Build → Dependency Scan → Deploy → Container Scan → etc.

Now, both the Dependency Scan and Container Scan can output results to a format that can be ingested by SonarQube. But what happens if the two different tools flag the same vulnerability?

Is it recorded as one vulnerability or two?

How are multiple sources handled with regard to “Fixing” issues that are no longer reported? I.e., if Tool A reports Issue 211 and Tool A later does not report Issue 211, then Issue 211 will usually be removed from the vulnerability list. How does that work if Tool A reports Issue 211, but then a few minutes later Tool B reports a list of issues without Issue 211? Is Issue 211 considered fixed and removed, even though the reports are from different tools? If so, it would seem that using multiple external tools is not viable.

Hi,

This would be two issues, not one. Which alleviates the concern about one tool seeing it as fixed, but not the other. However, I need to say that you seem to think analysis will be updated as new reports come in.

Analyses are not additive. You need to collect all your reports and then feed them into one analysis. If you ran an analysis with the Tool A report you would see Tool A’s issues. If you then ran it with only Tool B’s report, you would see only Tool B’s issues.

HTH,
Ann

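Ann's point that analyses are not additive, as an added example that is not from this thread or from SonarSource: a Python script that merges several external-issue reports (SonarQube's generic issue import JSON shape, an `issues` array) into one file to feed a single analysis, and lists locations reported by more than one tool so double-reported findings can be triaged. The engine names, rule ids and findings are constructed sample data.

```python
import json
from collections import defaultdict

REQUIRED = ("engineId", "ruleId", "severity", "type", "primaryLocation")

# Constructed sample reports, as a dependency scanner and a container scanner might emit them.
TOOL_A_REPORT = {"issues": [
    {"engineId": "dep-scan", "ruleId": "VULN-A-001", "severity": "MAJOR",
     "type": "VULNERABILITY",
     "primaryLocation": {"message": "vulnerable dependency", "filePath": "pom.xml",
                         "textRange": {"startLine": 42}}},
]}
TOOL_B_REPORT = {"issues": [
    {"engineId": "container-scan", "ruleId": "VULN-B-017", "severity": "MAJOR",
     "type": "VULNERABILITY",
     "primaryLocation": {"message": "vulnerable package in image", "filePath": "pom.xml",
                         "textRange": {"startLine": 42}}},
    {"engineId": "container-scan", "ruleId": "VULN-B-020", "severity": "MINOR",
     "type": "VULNERABILITY",
     "primaryLocation": {"message": "outdated base image", "filePath": "Dockerfile",
                         "textRange": {"startLine": 1}}},
]}


def merge_reports(reports):
    """Concatenate every report's issues into one report. Each issue keeps its own
    engineId, so the same finding from two tools stays two issues; malformed issues are rejected."""
    merged = []
    for report in reports:
        for issue in report.get("issues", []):
            missing = [k for k in REQUIRED if k not in issue]
            if missing:
                raise ValueError(f"issue missing {missing}: {issue}")
            merged.append(issue)
    return {"issues": merged}


def overlapping_locations(report):
    """Map (filePath, startLine) -> set of engineIds, keeping only locations flagged by >1 tool."""
    seen = defaultdict(set)
    for issue in report["issues"]:
        loc = issue["primaryLocation"]
        key = (loc["filePath"], loc.get("textRange", {}).get("startLine"))
        seen[key].add(issue["engineId"])
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    combined = merge_reports([TOOL_A_REPORT, TOOL_B_REPORT])
    json.dump(combined, open("combined-issues.json", "w"), indent=2)  # one file for one analysis
    print(overlapping_locations(combined))
```

Point `sonar.externalIssuesReportPaths` at the combined file (or list every report there, comma-separated) once all pipeline stages have finished, so a single analysis sees every tool's findings.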

Thanks for the info.

Wasn’t sure whether they needed to be in the same analysis or not, so thanks for clarifying that. It does make it difficult/inconvenient to use it for this purpose, though, since Dependency Scans and Container Scans happen at different stages of the CI/CD cycle.
