Features to reduce false positives in security scanners
Release notes
Problem to solve
Prospects often ask us what our 'false positive' rate is. We don't publish one, because it is hard to measure: what one organization considers a false positive, another would not. @NicoleSchwartz summarized this well, saying:
What is a false positive? It’s what an individual looking at a finding declares to be “not true” or “not applicable” and this has a lot of variation. We can’t just decide X is always a FP and close it.
Intended users
User experience goal
Proposal
Because 'false positives' are subjective, I propose we focus on providing tools that let each customer filter out the findings that are unimportant to them. The scanners should still report these findings, but what is shown in the merge request (MR) pipeline and on the security dashboard should be filtered according to user-defined parameters.
Examples to consider filtering out include:
- specific dependencies and versions,
- specific CVEs,
- specific classes of CVEs,
- specific projects (expecting that the parameters would be defined at the group and/or instance level).
In addition to hiding findings users don't want to see, we should also group findings in a way that makes the relationship between them clear. For instance: if I fix this one item, it will in turn resolve these four others.
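As an added example (not GitLab code, and not a description of how any GitLab scanner currently works), the following script applies the user-defined suppression parameters listed above to a set of scanner findings and then groups what remains by the single remediation that resolves each cluster. The finding fields (project, package, version, cve, cwe, fix_version), the three policy layers (instance, group, project) and their union semantics, and the use of a CWE identifier as the "class" of a CVE are all assumptions made for illustration; the findings, CVE identifiers and package names are constructed sample data. Note that suppressed findings are kept with the reason they were hidden rather than discarded, which is the point of the proposal: the scanner still finds them, only the view changes.

```python
"""Added example: apply per-customer suppression parameters to scanner findings
and group the visible remainder by remediation. Field names, policy layout and
sample data are assumptions for illustration, not GitLab's data model."""
from collections import defaultdict

# Constructed sample findings for two projects (fictitious CVE ids and packages).
FINDINGS = [
    {"id": 1, "project": "shop/api", "package": "libfoo", "version": "1.4.0",
     "cve": "CVE-2099-0001", "cwe": "CWE-1321", "fix_version": "1.5.0"},
    {"id": 2, "project": "shop/api", "package": "libfoo", "version": "1.4.0",
     "cve": "CVE-2099-0002", "cwe": "CWE-1321", "fix_version": "1.5.0"},
    {"id": 3, "project": "shop/api", "package": "libfoo", "version": "1.4.0",
     "cve": "CVE-2099-0003", "cwe": "CWE-400", "fix_version": "1.5.0"},
    {"id": 4, "project": "shop/api", "package": "libbaz", "version": "2.0.1",
     "cve": "CVE-2099-0004", "cwe": "CWE-120", "fix_version": "2.0.2"},
    {"id": 5, "project": "shop/api", "package": "libbaz", "version": "2.1.0",
     "cve": "CVE-2099-0005", "cwe": "CWE-120", "fix_version": "2.1.1"},
    {"id": 6, "project": "labs/prototype", "package": "libfoo", "version": "1.4.0",
     "cve": "CVE-2099-0001", "cwe": "CWE-1321", "fix_version": "1.5.0"},
]

# Constructed suppression parameters at the three assumed levels.
POLICY_LAYERS = {
    "instance": {"cwe_classes": ["CWE-400"]},                 # a class of CVEs
    "group": {"projects": ["labs/prototype"]},                # a whole project
    "project": {"dependencies": [{"name": "libbaz", "version": "2.0.1"}]},
}

KEYS = ("projects", "dependencies", "cves", "cwe_classes")


def merge_policies(*layers):
    """Union the ignore lists of instance, group and project policies.
    A layer may omit keys; a suppression at a higher level applies below it."""
    merged = {k: [] for k in KEYS}
    for layer in layers:
        for k in KEYS:
            for entry in layer.get(k, []):
                if entry not in merged[k]:
                    merged[k].append(entry)
    return merged


def suppression_reason(finding, policy):
    """Return why the finding is hidden under policy, or None if it stays visible."""
    if finding["project"] in policy["projects"]:
        return "project:" + finding["project"]
    for dep in policy["dependencies"]:
        # An entry without a version suppresses every version of that dependency.
        if dep["name"] == finding["package"] and dep.get("version") in (None, finding["version"]):
            return "dependency:%s@%s" % (dep["name"], dep.get("version", "*"))
    if finding["cve"] in policy["cves"]:
        return "cve:" + finding["cve"]
    if finding["cwe"] in policy["cwe_classes"]:
        return "cwe_class:" + finding["cwe"]
    return None


def apply_policy(findings, policy):
    """Split findings into visible ones and a map of hidden id -> reason.
    Nothing is discarded: a policy change or an audit can still see every finding."""
    visible, suppressed = [], {}
    for f in findings:
        reason = suppression_reason(f, policy)
        if reason is None:
            visible.append(f)
        else:
            suppressed[f["id"]] = reason
    return visible, suppressed


def group_by_remediation(findings):
    """Group findings by the one action that resolves them all:
    upgrading `package` to `fix_version` inside `project`."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["project"], f["package"], f["fix_version"])].append(f["id"])
    return dict(groups)


def report(findings=FINDINGS, layers=POLICY_LAYERS):
    policy = merge_policies(layers["instance"], layers["group"], layers["project"])
    visible, suppressed = apply_policy(findings, policy)
    return visible, suppressed, group_by_remediation(visible)


if __name__ == "__main__":
    _, hidden, groups = report()
    for (project, pkg, fix), ids in groups.items():
        print(f"{project}: upgrading {pkg} to {fix} resolves findings {ids}")
    for fid, reason in hidden.items():
        print(f"finding {fid} hidden by {reason}")
```

With the sample data, findings 1 and 2 collapse into a single "upgrade libfoo to 1.5.0" item, finding 5 stays visible because its libbaz version differs from the pinned one, and findings 3, 4 and 6 are hidden by the class, dependency and project rules respectively.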
Lastly, is the vulnerable code actually reached by the application, or is only the vulnerable library present? This is something that Blackduck does very well and we do not.
Further, @NicoleSchwartz has suggested using as a metric whether a finding is "acted" upon or "not", on the expectation that a finding someone acts on matters more to them than one they don't act on. The goal would be to increase the percentage of acted-on findings.
Further details
Permissions and Security
Documentation
Availability & Testing
Available Tier
What does success look like, and how can we measure that?
More vulnerability findings have issues attached, and fewer are dismissed.
What is the type of buyer?
Is this a cross-stage feature?
Links / references
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.