Re-open remediated vulnerabilities that are reintroduced in subsequent branches
Problem to solve
It is possible that a remediated vulnerability will be reintroduced, for instance via a stale branch that still contains the vulnerability. In this case, some users would prefer that the original vulnerability be "re-opened" and have its status set from Resolved back to Open, rather than the current behavior: no change if the vulnerability fingerprint is identical, or creation of a new vulnerability if the fingerprint differs (e.g. the vulnerability is now on a different line in the source code).
Intended users
This feature has potential interest to users in many roles. It is important to understand the distinction between a vulnerability that is a regression (the same vulnerability re-introduced) and the same type of vulnerability being introduced a second, distinct time.
- Cameron (Compliance Manager)
- Sasha (Software Developer)
- Rachel (Release Manager)
- Alex (Security Operations Engineer)
- Simone (Software Engineer in Test)
User experience goal
It should be easy for a user to clearly distinguish between:
- A new vulnerability
- A remediated vulnerability that was re-introduced (same vulnerability, same location)
- A separate instance of a previously remediated vulnerability
Users should also have the flexibility to choose the redetection behavior (re-open or create a new vulnerability) at the Project, Group, and Instance level. In the latter two cases, these would be global settings that cascade down to the projects beneath them.
Proposal
Given the likelihood of differing opinions on how to handle a re-introduced vulnerability, we should explore having a setting to control the behavior. This may also require introducing a new Re-opened vulnerability state to distinguish this case from merely Open, which is the default state for new vulnerabilities.
Further details
As re-opening a vulnerability will add to the Mean Time to Resolve count, we need to consider how to show this to the user. Also, is it better to count total time from original vulnerability detection or subtract out the time between initial remediation and re-opening?
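The following is an added model of the behavior discussed in this proposal, not code from GitLab: it shows the redetection decision (identical fingerprint vs. differing fingerprint, re-open vs. create-new) under a setting that cascades from Instance to Group to Project, and both ways of counting Mean Time to Resolve raised above (wall-clock since original detection, or with the remediated interval subtracted). The state name "Reopened", the setting values, the fingerprint strings and the timestamps are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Vulnerability states. "Reopened" is the extra state the proposal floats (assumed name).
OPEN, RESOLVED, REOPENED = "Open", "Resolved", "Reopened"
# Redetection behaviours the proposal would make configurable (assumed setting values).
REOPEN, CREATE_NEW = "reopen", "create_new"


@dataclass
class Vulnerability:
    fingerprint: str            # stable identity of the finding (e.g. hash of rule + location)
    detected_at: datetime
    state: str = OPEN
    # Closed [resolved_at, reopened_at] intervals; reopened_at stays None while still resolved.
    resolved_periods: list = field(default_factory=list)

    def resolve(self, when: datetime) -> None:
        assert self.state in (OPEN, REOPENED)
        self.state = RESOLVED
        self.resolved_periods.append([when, None])

    def reopen(self, when: datetime) -> None:
        assert self.state == RESOLVED
        self.state = REOPENED
        self.resolved_periods[-1][1] = when


def effective_behavior(instance: str, group: Optional[str] = None,
                       project: Optional[str] = None) -> str:
    """Cascade the setting: Project overrides Group overrides Instance; None means inherit."""
    for level in (project, group, instance):
        if level is not None:
            return level
    raise ValueError("the Instance-level setting must always be set")


def redetect(vulns: List[Vulnerability], fingerprint: str, when: datetime, behavior: str) -> str:
    """Apply one redetected finding to the inventory and report what happened."""
    same = [v for v in vulns if v.fingerprint == fingerprint]
    if not same:
        # Fingerprint differs (e.g. the code moved to another line): a distinct vulnerability.
        vulns.append(Vulnerability(fingerprint, when))
        return "created"
    # Prefer a record that is still open; fall back to the most recent resolved one.
    match = next((v for v in same if v.state != RESOLVED), same[-1])
    if match.state != RESOLVED:
        return "unchanged"        # identical fingerprint, already open: nothing to do
    if behavior == REOPEN:
        match.reopen(when)        # regression of the very same vulnerability
        return "reopened"
    # CREATE_NEW: keep the remediated record and track a separate instance.
    vulns.append(Vulnerability(fingerprint, when))
    return "created"


def time_to_resolve(v: Vulnerability, now: datetime, exclude_remediated: bool) -> timedelta:
    """Time counted toward MTTR: wall-clock since detection, or with remediated gaps removed."""
    end = now if v.state != RESOLVED else v.resolved_periods[-1][0]
    total = end - v.detected_at
    if not exclude_remediated:
        return total
    for start, stop in v.resolved_periods:
        if stop is not None:      # a closed-then-reopened gap
            total -= stop - start
    return total


def scenario() -> dict:
    """Constructed walk-through: detect, resolve, reintroduce on a stale branch, resolve again."""
    t0 = datetime(2024, 1, 1)   # constructed timestamps
    day = timedelta(days=1)
    # Instance says create-new, Group inherits, Project overrides with re-open.
    behavior = effective_behavior(instance=CREATE_NEW, group=None, project=REOPEN)
    vulns = [Vulnerability("fp-a", t0)]
    vulns[0].resolve(t0 + 2 * day)
    outcomes = [
        redetect(vulns, "fp-a", t0 + 5 * day, behavior),   # same fingerprint: re-opened
        redetect(vulns, "fp-b", t0 + 5 * day, behavior),   # moved code: separate record
        redetect(vulns, "fp-a", t0 + 5 * day, behavior),   # already open: unchanged
    ]
    vulns[0].resolve(t0 + 6 * day)
    now = t0 + 10 * day
    return {
        "behavior": behavior,
        "outcomes": outcomes,
        "states": [v.state for v in vulns],
        "mttr_total_days": time_to_resolve(vulns[0], now, exclude_remediated=False).days,
        "mttr_active_days": time_to_resolve(vulns[0], now, exclude_remediated=True).days,
    }


if __name__ == "__main__":
    print(scenario())
```

In the walk-through the regression counts as six days of wall-clock time but only three days once the interval during which it was remediated is subtracted, which is the gap the "Further details" question is about; whichever definition is chosen, the UI would need to make clear which one the displayed MTTR uses.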