All new vulnerabilities in the Merge Request Security Widget have the "Confirmed" status
Summary
In the MR Security Widget, new findings have a "Confirmed" status, which doesn't really make sense. There's no status management for these findings, since they're not persisted in the database (only vulnerabilities and dismissals are stored AFAIR).
The same vulnerabilities in the Vulnerability Report page appear with the Detected status, so there's a discrepancy between the statuses reported.
Steps to reproduce
- Create a project
- Add a vulnerability
- Move the code of the vulnerability in a Merge Request (because we don't track location changes)
- Notice the findings are marked as New and Fixed at the same time, with a Confirmed status
- Go to the Vulnerability Report, and notice that the same vulnerability is Detected.
Example Project
https://gitlab.com/gitlab-org/gitaly/ and example MR: gitaly!2858 (merged)
What is the current bug behavior?
Findings have a Confirmed status in MRs.
What is the expected correct behavior?
Findings should have the same status as the Vulnerability Report (or just Dismissed if we don't manage status in this area).
Relevant logs and/or screenshots
(A "potential hardcoded credentials" finding being Confirmed is scary!)
Output of checks
This bug happens on GitLab.com
Possible fixes
/cc @matt_wilson @lkerr @thiagocsf for prioritization