Improve error message when dismissing vulnerabilities on archived projects

Summary

In an Internal project, there are some vulnerabilities that can not be dismissed, even by the Administrator. These vulnerabilities say "Vulnerability resolved in dev: The vulnerability is no longer detected. Verify the vulnerability has been remediated before changing its status."

These vulnerabilities can not be marked as Dismissed via the Web interface, a GraphQL mutation, the REST API or the GitLab Rails Console.

This happens when the project containing the vulnerabilities is read-only because it has been archived.

The Ask

Provide a clearer error message on the Vulnerability Report page and in response to the GraphQL mutation and REST API calls.

The current error message notes that access is denied. It would be very helpful to know that access is denied because the project is read-only (and not because of some other reason).

Steps to reproduce

  1. Run a pipeline that generates one or more vulnerabilities
  2. Archive the project
  3. As Administrator, browse to the Vulnerability Report for the project
  4. Click on a specific vulnerability (taking you to https://gitlab.example.com/group/project/-/security/vulnerabilities/NNN)
  5. In the Status drop-down, choose Dismiss, then click Change status
  6. Observe a red dialog with the text [object Object] and that the vulnerability's status has not changed
  7. Issue a properly formatted GraphQL mutation to dismiss the same vulnerability
  8. Observe the error The resource that you are attempting to access does not exist or you don't have permission to perform this action

What is the current bug behavior?

For some vulnerabilities, the Administrator cannot mark them as Dismissed; an error is returned instead. That error differs slightly depending on how the dismissal was attempted.

  • Web interface: Attempting to mark them as Dismissed instead of Needs triage via the Web interface leads to an error with a red background and the text [object Object].
  • REST API: {"message":"403 Forbidden"}
  • GraphQL: Attempting to mark them as Dismissed with the corresponding GraphQL mutation leads to an error:
mutate {"data":{"vulnerabilityResolve":null},"errors":[{"message":"The resource that you are attempting to access does not exist or you don't have permission to perform this action","locations":[{"line":1,"column":12}],"path":["vulnerabilityResolve"]}]}
  • GitLab Rails Console: Attempting to mark them as Dismissed via the Rails Console yields the following, for two users with the Administrator role:
Traceback (most recent call last):
2: from (irb):5
1: from ee/app/services/vulnerabilities/dismiss_service.rb:17:in `execute'
Gitlab::Access::AccessDeniedError (Gitlab::Access::AccessDeniedError)

The Rails Console snippet being used is as follows:

current_user = User.find_by_id(1)             # user with the Administrator role
vulnerability = Vulnerability.find_by_id(894)  # vulnerability in the archived project
comment = "A cat wrote a comment."
dismissal_reason = "false_positive"
# Raises Gitlab::Access::AccessDeniedError when the project is archived (read-only)
::Vulnerabilities::DismissService.new(current_user, vulnerability, comment, dismissal_reason, dismiss_findings: true).execute

The GraphQL mutation being used is like:

curl --request POST \
  --url https://gitlab.example.com/api/graphql \
  --header 'Authorization: Bearer glpat-0123456789' \
  --header 'Content-Type: application/json' \
  --data '{"query":"mutation { vulnerabilityResolve(input: {id: \"gid://gitlab/Vulnerability/826\",clientMutationId:\"AccessDeniedOnResolve\"}) { vulnerability { state } errors } } "}'

What is the expected correct behavior?

An error explaining why the vulnerability could not be Dismissed should appear.
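As an added illustration of the requested behaviour (not GitLab's own code), the service below checks the archived state of the project before the generic permission check and returns a result object whose message and reason say why the dismissal was refused. Project, User, Vulnerability and ServiceResponse are constructed stand-ins for the real models, not the GitLab classes.

```ruby
# Constructed stand-ins for the real GitLab models (assumption: a project exposes
# archived?, a user exposes admin?, and a vulnerability belongs to one project).
Project = Struct.new(:name, :archived, keyword_init: true) do
  def archived?
    archived
  end
end

User = Struct.new(:name, :admin, keyword_init: true) do
  def admin?
    admin
  end
end

Vulnerability = Struct.new(:id, :state, :project, keyword_init: true)

# Minimal result object: callers inspect reason/message instead of rescuing an exception.
ServiceResponse = Struct.new(:status, :message, :reason, keyword_init: true) do
  def success?
    status == :success
  end

  def self.success(message:)
    new(status: :success, message: message)
  end

  def self.error(message:, reason:)
    new(status: :error, message: message, reason: reason)
  end
end

class DismissService
  def initialize(user, vulnerability, comment = nil, dismissal_reason = nil)
    @user = user
    @vulnerability = vulnerability
    @comment = comment
    @dismissal_reason = dismissal_reason
  end

  def execute
    project = @vulnerability.project
    # The read-only check comes first so an administrator is told the actual cause
    # instead of a bare 403 / AccessDeniedError that looks like a permission problem.
    if project.archived?
      return ServiceResponse.error(
        message: "Project #{project.name} is archived and read-only; unarchive it before changing vulnerability status",
        reason: :project_archived
      )
    end

    unless @user.admin?
      return ServiceResponse.error(
        message: "You do not have permission to dismiss vulnerabilities in #{project.name}",
        reason: :forbidden
      )
    end

    @vulnerability.state = 'dismissed'
    ServiceResponse.success(message: "Vulnerability #{@vulnerability.id} dismissed (#{@dismissal_reason})")
  end
end
```

The distinct reason symbols are what the REST and GraphQL layers would map to a specific message instead of the generic "does not exist or you don't have permission" text.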
