Skip dismissed vulnerabilities during Auto Remediation for Dependency Scanning
Release notes
Problem to solve
As a user of GitLab Dependency Scanning, I want the vulnerabilities I've dismissed to be skipped during the Auto Remediation process. Exploring dismissed vulnerabilities during the Auto Remediation process is a waste of resources I pay for. Also, having remediations for dismissed vulnerabilities in the UI is confusing.
Intended users
User experience goal
Proposal
Make the Dependency Scanning job fetch the state of the vulnerabilities using the GitLab API, and exclude dismissed vulnerabilities when doing Auto Remediation.
Further details
Currently, Auto Remediation for Dependency Scanning is implemented in the gemnasium analyzer. Auto Remediation happens in the gemnasium-dependency_scanning CI job, right after the scan itself. Right now the scanning job is stateless, and the state of the vulnerabilities is not considered.
The state of a vulnerability is stored in the PostgreSQL database, which CI jobs can't access directly.
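As an added illustration of the proposal (not code from the gemnasium analyzer or from GitLab), here is how the job could drop dismissed findings once it has fetched their states: the report shape, the fields of the API response and the matching key (identifier, package, file) are all assumptions, and the sample data is constructed.

```python
"""Exclude dismissed findings from Auto Remediation candidates (illustrative)."""
import json

# Constructed sample: a minimal report in the style of
# gl-dependency-scanning-report.json (shape assumed, not the real schema).
SAMPLE_REPORT = json.loads("""
{"vulnerabilities": [
  {"id": "f1", "identifiers": [{"type": "cve", "value": "CVE-0000-0001"}],
   "location": {"file": "Gemfile.lock",
                "dependency": {"package": {"name": "rack"}, "version": "2.0.0"}}},
  {"id": "f2", "identifiers": [{"type": "cve", "value": "CVE-0000-0002"}],
   "location": {"file": "Gemfile.lock",
                "dependency": {"package": {"name": "nokogiri"}, "version": "1.10.0"}}}
]}
""")

# Constructed sample: the state records the job would fetch from the GitLab API.
# The endpoint and response fields are assumptions; only "state" plus the
# identifier/package/file fields are used for matching.
SAMPLE_API_STATES = [
    {"state": "dismissed", "identifier": "CVE-0000-0001", "package": "rack", "file": "Gemfile.lock"},
    {"state": "detected", "identifier": "CVE-0000-0002", "package": "nokogiri", "file": "Gemfile.lock"},
]


def finding_key(finding):
    """Key tying a report finding to its API-side record: first identifier
    value, affected package name and the dependency file."""
    ident = finding["identifiers"][0]["value"]
    loc = finding["location"]
    return (ident, loc["dependency"]["package"]["name"], loc["file"])


def dismissed_keys(api_states):
    """Set of keys for every record whose stored state is "dismissed"."""
    return {(r["identifier"], r["package"], r["file"])
            for r in api_states if r["state"] == "dismissed"}


def remediation_candidates(report, api_states):
    """Findings Auto Remediation should still process: everything from the
    scan except findings the user has already dismissed."""
    skip = dismissed_keys(api_states)
    return [f for f in report["vulnerabilities"] if finding_key(f) not in skip]
```

With no state information at all (for example if the API call fails) every finding stays a candidate, which is the current stateless behaviour described above.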
Permissions and Security
No change
Documentation
TODO
Availability & Testing
An end-to-end test is needed to prove that the scanning job behaves differently depending on the status of the vulnerabilities in the GitLab database.
Available Tier
What does success look like, and how can we measure that?
Dismissed Dependency Scanning vulnerabilities are excluded from the Auto Remediation process, and from the Auto Remediation solutions.
What is the type of buyer?
Is this a cross-stage feature?
This is a section-wide issue, and the same technical challenge applies to all Secure & Protect analyzers that implement Auto Remediation.
Links / references
This is related to Optimize order of auto-remediations for Dependency Scanning, and it can be seen as an optimization.