Design: Auto-dismiss irrelevant vulnerabilities
Problem
Based on how some customers design their applications, certain vulnerabilities may be reported that are not applicable to them. This causes problems in the Vulnerability Management category, as users expend a lot of energy dismissing vulnerabilities that do not apply instead of managing and resolving vulnerabilities that pose a risk to their organization.
Proposal
Consider a way for users to automate the dismissal process of vulnerabilities with certain attributes. Sustainable solutions will target the group level and allow for flexibility at the project level. Attributes that trigger auto-dismiss may include but are not limited to:
- Directory
- File path
- Identifier
Users should be able to leverage the dismissal reasons for each vulnerability exemption to increase the transparency of their reporting/auditing and to avoid needing to add in a retroactive comment manually.
More information
The preference is to automate dismissals rather than have scanners omit vulnerabilities from their reports, because customers may still need a record of these vulnerabilities, and they may later decide these need to be addressed if conditions change.
Interacting with other policies
We are leveraging policies, as we do for auto-resolving vulnerabilities. When multiple policies are applied in a pipeline, it is possible that more than one rule will apply to a single vulnerability. As of now, we have identified one scenario where this will happen:
- A vulnerability that matches an auto-dismiss policy can also trigger a merge request security approval.
When this happens, the auto-dismiss takes precedence. This means no security approvals are required for this vulnerability and it will be set to dismissed (with the Reason specified in the matching auto-dismiss policy).
Question: Based on the above scenario, it is actually vulnerability findings that will be compared against the policies to determine whether any merge request security approvals fire. How should we display vulnerability findings that match the auto-dismiss policy in the MR and pipeline security tab? It may make sense to label these with Auto-dismissed to make it clear why they are not triggering any security approvals. We may also want to display this in the finding modal along with a link to the matching auto-dismiss policy.
Requirements
- The auto-dismiss (and auto-resolve) policies should live under a new policy type titled Vulnerability management policy.
- The policy type filter on the policy page should include the new Vulnerability management policy type.
- Users should be able to dismiss a vulnerability based on a path, directory, or identifier.
- The policy should apply to all new vulnerabilities detected after the creation of the policy, not to existing vulnerabilities.
- The auto-dismissed vulnerability should have an activity item (in the activity timeline) stating that it was dismissed because of X policy (and a link to the policies page).
- There should be a new section of the security widget titled Auto-dismiss in the MR showing detected vulnerabilities that will be auto-dismissed. This section should be below the New vulnerabilities and above any Fixed ones, where applicable.
- Users should be able to filter the Vulnerability Report by auto-dismissed vulnerabilities.
- Any vulnerability that was auto-dismissed should show up on the Vulnerability Report with a Dismissed status and an auto-dismissed icon in the activity column.
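To make the proposed behaviour concrete, the following is an added Ruby example, not GitLab's code or policy schema: the policy fields, dismissal reason strings, approval rule and sample findings are all constructed. It evaluates findings against auto-dismiss policies using the three attributes named in the proposal (directory, file path, identifier), applies the precedence rule from the "Interacting with other policies" section (a matching finding is dismissed with the policy's reason and never requires an MR security approval), honours the requirement that only findings detected after the policy was created are affected, and groups the results into the New / Auto-dismiss / Fixed widget sections the requirements describe.

```ruby
# Added example (not GitLab's implementation): a toy evaluator for the
# auto-dismiss policy behaviour this design describes. The policy fields,
# finding shape, dismissal reasons and sample data are all constructed.
require 'time'

# Hypothetical auto-dismiss policy. A nil attribute means "don't care";
# every attribute that is set must agree with the finding.
AutoDismissPolicy = Struct.new(:name, :created_at, :directory, :file_path,
                               :identifier, :reason, keyword_init: true) do
  def matches?(finding)
    return false if directory && !finding[:path].start_with?("#{directory.chomp('/')}/")
    return false if file_path && finding[:path] != file_path
    return false if identifier && !finding[:identifiers].include?(identifier)

    true
  end
end

# Evaluate one finding against the auto-dismiss policies and the MR
# security approval rule. Auto-dismiss takes precedence: a matching finding
# is dismissed with the policy's reason and never requires approval.
def evaluate(finding, auto_dismiss_policies:, approval_rule:)
  policy = auto_dismiss_policies.find do |p|
    # Only findings detected after the policy was created are affected.
    finding[:detected_at] > p.created_at && p.matches?(finding)
  end

  if policy
    return {
      path: finding[:path],
      status: 'dismissed',
      requires_approval: false,
      reason: policy.reason,
      label: 'Auto-dismissed',                          # MR / pipeline tab label
      activity: "Dismissed by policy '#{policy.name}'"  # activity timeline item
    }
  end

  { path: finding[:path], status: 'detected',
    requires_approval: approval_rule.call(finding),
    reason: nil, label: nil, activity: nil }
end

# Group evaluated findings into MR security widget sections, with the
# Auto-dismiss section sitting between New and Fixed.
def widget_sections(results, fixed_paths: [])
  {
    new: results.select { |r| r[:status] == 'detected' }.map { |r| r[:path] },
    auto_dismiss: results.select { |r| r[:status] == 'dismissed' }.map { |r| r[:path] },
    fixed: fixed_paths
  }
end

# Constructed sample policies: one by directory, one by identifier.
SAMPLE_POLICIES = [
  AutoDismissPolicy.new(name: 'ignore vendored code', created_at: Time.utc(2024, 1, 1),
                        directory: 'vendor/', reason: 'not_applicable'),
  AutoDismissPolicy.new(name: 'test-only identifier', created_at: Time.utc(2024, 1, 1),
                        identifier: 'EXAMPLE-ID-1', reason: 'used_in_tests')
].freeze

# Constructed sample findings.
SAMPLE_FINDINGS = [
  { path: 'vendor/lib/parser.rb', identifiers: ['CWE-79'], severity: 'high',
    detected_at: Time.utc(2024, 2, 1) },
  { path: 'app/models/user.rb', identifiers: ['CWE-89'], severity: 'critical',
    detected_at: Time.utc(2024, 2, 1) },
  { path: 'vendor/lib/legacy.rb', identifiers: ['CWE-79'], severity: 'high',
    detected_at: Time.utc(2023, 6, 1) }, # detected before the policy existed
  { path: 'spec/fixtures/sample.rb', identifiers: ['EXAMPLE-ID-1'], severity: 'low',
    detected_at: Time.utc(2024, 3, 1) }
].freeze

# Constructed MR approval rule: high and critical findings need approval.
APPROVAL_RULE = ->(f) { %w[critical high].include?(f[:severity]) }

def run_sample
  SAMPLE_FINDINGS.map do |f|
    evaluate(f, auto_dismiss_policies: SAMPLE_POLICIES, approval_rule: APPROVAL_RULE)
  end
end

if __FILE__ == $PROGRAM_NAME
  results = run_sample
  results.each { |r| puts "#{r[:path]}: #{r[:status]}, approval=#{r[:requires_approval]}" }
  p widget_sections(results)
end
```

In the sample, the vendored finding detected in February 2024 is auto-dismissed and needs no approval, while the identical finding in vendor/lib/legacy.rb detected before the policy existed still goes through the approval rule, which is the non-retroactive behaviour the requirements call for.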