Vulnerabilities seem to no longer appear as remediated
Summary
Vulnerabilities that are no longer detected in the main branch get an icon in the Vulnerability Report page to reflect this status. Some of them don't have this icon even though a fix has been pushed and the scanner no longer reports them.
Steps to reproduce
- Go to the GitLab project Vulnerability Report
- Check some detected vulnerabilities without the "remediated" icon.
Example Project
https://gitlab.com/gitlab-org/gitlab/-/security/vulnerability_report
Check out https://gitlab.com/gitlab-org/gitlab/-/security/vulnerabilities/6356605 for example:
The "Vulnerability remediated" status doesn't appear here. The solution is to upgrade to rails 6.0.3.5 or later. We've been using 6.0.3.6 for a week now, so it shouldn't be reported anymore.
The latest pipeline used to refresh the vulnerability report is https://gitlab.com/gitlab-org/gitlab/-/pipelines/289617377 as I'm writing these lines.
The report from bundler-audit is here: gl-dependency-scanning-report.json. It doesn't report this vulnerability anymore, as expected from the commit above.
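To make the expected behaviour concrete, here is an added example (not GitLab's own implementation) that diffs two dependency-scanning reports and lists the findings that vanished between pipelines, i.e. the ones that should carry the "Vulnerability remediated" status. It assumes the report shape (a top-level "vulnerabilities" list with "identifiers" and a "location" naming the package), and all sample values are constructed.

```python
import json

# Constructed sample reports shaped like gl-dependency-scanning-report.json
# (assumed structure: top-level "vulnerabilities" list, each entry carrying
# "identifiers" and a "location" naming the affected package). Values are made up.
PREVIOUS_REPORT = json.dumps({"version": "14.0.0", "vulnerabilities": [
    {"id": "f1", "name": "rails advisory (constructed)", "severity": "High",
     "identifiers": [{"type": "cve", "name": "CVE-0000-00001", "value": "CVE-0000-00001"}],
     "location": {"file": "Gemfile.lock",
                  "dependency": {"package": {"name": "rails"}, "version": "6.0.3.4"}}},
    {"id": "f2", "name": "nokogiri advisory (constructed)", "severity": "Medium",
     "identifiers": [{"type": "cve", "name": "CVE-0000-00002", "value": "CVE-0000-00002"}],
     "location": {"file": "Gemfile.lock",
                  "dependency": {"package": {"name": "nokogiri"}, "version": "1.10.9"}}},
]})
# Latest pipeline: rails was upgraded so its finding is gone, nokogiri is still
# flagged, and a new finding for another gem appeared (new findings are not
# "remediated" and must not show up in the diff).
LATEST_REPORT = json.dumps({"version": "14.0.0", "vulnerabilities": [
    {"id": "f2", "name": "nokogiri advisory (constructed)", "severity": "Medium",
     "identifiers": [{"type": "cve", "name": "CVE-0000-00002", "value": "CVE-0000-00002"}],
     "location": {"file": "Gemfile.lock",
                  "dependency": {"package": {"name": "nokogiri"}, "version": "1.10.9"}}},
    {"id": "f3", "name": "rack advisory (constructed)", "severity": "Low",
     "identifiers": [{"type": "cve", "name": "CVE-0000-00003", "value": "CVE-0000-00003"}],
     "location": {"file": "Gemfile.lock",
                  "dependency": {"package": {"name": "rack"}, "version": "2.2.2"}}},
]})


def finding_key(vuln):
    """Identity of a finding across pipelines: its identifiers plus the affected
    file and package name. The package version is deliberately excluded, since
    the version is exactly what changes when a fix is pushed."""
    ids = tuple(sorted((i["type"], i["value"]) for i in vuln.get("identifiers", [])))
    loc = vuln.get("location", {})
    return (ids, loc.get("file"), loc.get("dependency", {}).get("package", {}).get("name"))


def remediated_findings(previous_json, latest_json):
    """Findings present in the previous report but absent from the latest one."""
    previous = {finding_key(v): v for v in json.loads(previous_json)["vulnerabilities"]}
    latest = {finding_key(v) for v in json.loads(latest_json)["vulnerabilities"]}
    return [v for key, v in previous.items() if key not in latest]


if __name__ == "__main__":
    for v in remediated_findings(PREVIOUS_REPORT, LATEST_REPORT):
        print("remediated:", v["id"], v["name"])
```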
What is the current bug behavior?
The "Vulnerability remediated" status isn't reported anymore.
What is the expected correct behavior?
The "Vulnerability remediated" status is correctly reported.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Possible fixes
/cc @matt_wilson @lkerr @thiagocsf for prioritization.