Manually Created Vulnerabilities should require manual resolution
Summary
It appears that manually created vulnerabilities may be automatically marked as resolved when a scan of the same scan type runs. This can be seen in StoreReportService,
where all vulnerabilities of the given report type that are not present in the newly stored report are marked as resolved.
It is not yet clear whether the new ingestion service is also affected; this should be looked into further.
Steps to reproduce
Not yet reproduced; this finding is based on code reading only.
Example Project
What is the current bug behavior?
Manually created vulnerabilities are automatically resolved when a scan of the same report type is run.
What is the expected correct behavior?
Manually created vulnerabilities should always require manual resolution.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Possible fixes
A quick fix would be to add a condition similar to REPORT_TYPES_REQUIRING_MANUAL_RESOLUTION
that excludes manually created vulnerabilities from auto-resolution, assuming there is a way to uniquely identify them.
Implementation Plan
- backend: Include a condition similar to REPORT_TYPES_REQUIRING_MANUAL_RESOLUTION
to exclude generic
vulnerabilities (see Lucas's patch below)
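To make the behaviour described in the Summary and the fix proposed in the Possible fixes / Implementation Plan concrete, here is an added example. It is not GitLab's own code and not Lucas's patch: it is a simplified in-memory model of the "resolve everything of this report type that is missing from the new report" step, run once with the current exemption list and once with the list extended by the manual report type. The contents of REPORT_TYPES_REQUIRING_MANUAL_RESOLUTION, the assumption that manually created vulnerabilities carry report_type `generic`, and the sample vulnerabilities are all constructed for the example.

```ruby
# Added example, not GitLab's own code: a simplified model of the step the
# issue describes in StoreReportService, where every vulnerability of the
# scanned report type that is absent from the newly stored report is marked
# resolved, shown with the current exemption list and with the proposed one.

Vulnerability = Struct.new(:id, :report_type, :state, keyword_init: true)

# Report types that are never auto-resolved. The contents of GitLab's real
# REPORT_TYPES_REQUIRING_MANUAL_RESOLUTION are assumed here; the point is
# only that the manual report type is not on the list.
REPORT_TYPES_REQUIRING_MANUAL_RESOLUTION = %w[secret_detection].freeze

# Assumption taken from the implementation plan: manually created
# vulnerabilities are stored with report_type 'generic'.
MANUAL_REPORT_TYPE = 'generic'

# Proposed fix: treat the manual report type like the other exempt types.
REPORT_TYPES_REQUIRING_MANUAL_RESOLUTION_FIXED =
  (REPORT_TYPES_REQUIRING_MANUAL_RESOLUTION + [MANUAL_REPORT_TYPE]).freeze

# Marks as resolved every vulnerability of `report_type` whose id is not in
# the new report, unless the type is exempt. Returns a new array and leaves
# the input untouched.
def resolve_missing(vulnerabilities, report_type, ids_in_new_report, exempt_types)
  return vulnerabilities if exempt_types.include?(report_type)

  vulnerabilities.map do |v|
    missing = v.report_type == report_type && !ids_in_new_report.include?(v.id)
    missing ? v.dup.tap { |r| r.state = :resolved } : v
  end
end

# Constructed sample: two SAST findings and two manually created ones.
SAMPLE = [
  Vulnerability.new(id: 1,  report_type: 'sast',             state: :detected),
  Vulnerability.new(id: 2,  report_type: 'sast',             state: :detected),
  Vulnerability.new(id: 10, report_type: MANUAL_REPORT_TYPE, state: :detected),
  Vulnerability.new(id: 11, report_type: MANUAL_REPORT_TYPE, state: :detected)
].freeze

def states(vulnerabilities)
  vulnerabilities.to_h { |v| [v.id, v.state] }
end

# A 'generic' report arrives that contains none of the manual vulnerabilities
# (no scanner emits them). With the current list they are all resolved ...
def after_generic_rescan_current
  states(resolve_missing(SAMPLE, MANUAL_REPORT_TYPE, [],
                         REPORT_TYPES_REQUIRING_MANUAL_RESOLUTION))
end

# ... while with the extended list they keep their state.
def after_generic_rescan_fixed
  states(resolve_missing(SAMPLE, MANUAL_REPORT_TYPE, [],
                         REPORT_TYPES_REQUIRING_MANUAL_RESOLUTION_FIXED))
end

# A SAST report that still contains only finding 1: auto-resolution of scanner
# findings keeps working under the fix, and manual ones are not touched.
def after_sast_rescan_fixed
  states(resolve_missing(SAMPLE, 'sast', [1],
                         REPORT_TYPES_REQUIRING_MANUAL_RESOLUTION_FIXED))
end

if __FILE__ == $PROGRAM_NAME
  p after_generic_rescan_current
  p after_generic_rescan_fixed
  p after_sast_rescan_fixed
end
```

The model deliberately keys the exemption on the report type rather than on some per-vulnerability "manual" flag, because that is what the existing REPORT_TYPES_REQUIRING_MANUAL_RESOLUTION check does; if manual vulnerabilities turn out not to have a distinct report type, the exemption would instead need a per-record identifier, which is the open question raised under Possible fixes.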