Unexpectedly low vulnerabilities count in group-level Security Dashboard on specific days
Summary
On gitlab.com in the group Security Dashboard, the number of vulnerabilities shown is lower than expected on a few specific days:
- August 18, 2022
- August 21, 2022
- August 25, 2022
- August 29, 2022
- August 31, 2022
Update: When this ticket was opened, the problem had only occurred on the 18th and 21st. It now seems to be ongoing, although still intermittent.
A screenshot to demonstrate:
What scanners are being used?
One data point: for the gitlab-gold/briecarranza group, we see the yo-yo trend:
This comes from a mixture of scanners:
- All seven projects with Critical vulnerabilities use only Secret Detection.
- The 10 projects with High vulnerabilities use a mixture of SAST, Coverage Fuzzing and Dependency Scanning.
Steps to reproduce
There is a time component to this; it may be necessary to rely on groups that were created and populated prior to August 18th, 2022.
- Prior to August 18th 2022, create a group, create projects in that group, populate those projects with vulnerabilities and configure SAST such that vulnerabilities will be reported
- After August 22nd 2022, browse to Security > Security Dashboard for that group
- Observe that the total number of vulnerabilities reported on August 18th and on August 21st is significantly lower than the days before and after
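To check the dips quantitatively instead of eyeballing the chart, here is an added example (not code from the issue or from GitLab) that flags days whose total falls sharply against both neighbouring days, the yo-yo pattern described above. It assumes the daily series arrives in the shape of `vulnerabilitiesCountByDay` nodes from the GitLab GraphQL API (an assumption); the sample counts are constructed.

```python
"""Flag days whose vulnerability count dips sharply against both neighbours."""
from datetime import date

# Constructed sample (counts are invented; the dip dates are the ones in the report).
# Shape assumed to match GitLab GraphQL `vulnerabilitiesCountByDay` nodes.
SAMPLE_COUNTS = [
    {"date": "2022-08-16", "total": 412},
    {"date": "2022-08-17", "total": 415},
    {"date": "2022-08-18", "total": 190},  # reported dip
    {"date": "2022-08-19", "total": 418},
    {"date": "2022-08-20", "total": 420},
    {"date": "2022-08-21", "total": 205},  # reported dip
    {"date": "2022-08-22", "total": 423},
    {"date": "2022-08-23", "total": 425},
    {"date": "2022-08-24", "total": 420},  # normal day-to-day variation, not a dip
]


def find_dips(counts, min_drop=0.3):
    """Return the dates whose `total` is at least `min_drop` (a fraction) below
    BOTH the previous and the next day's total.

    Requiring a drop against both neighbours separates a transient under-count
    (the yo-yo pattern) from a genuine, sustained fall after remediation, which
    only drops against the previous day and then stays low.
    """
    by_date = sorted(counts, key=lambda row: date.fromisoformat(row["date"]))
    dips = []
    for prev, cur, nxt in zip(by_date, by_date[1:], by_date[2:]):
        if prev["total"] == 0 or nxt["total"] == 0:
            continue  # an empty neighbouring day gives nothing to compare against
        drop_from_prev = 1 - cur["total"] / prev["total"]
        drop_from_next = 1 - cur["total"] / nxt["total"]
        if drop_from_prev >= min_drop and drop_from_next >= min_drop:
            dips.append(cur["date"])
    return dips


if __name__ == "__main__":
    for day in find_dips(SAMPLE_COUNTS):
        print(f"suspicious under-count on {day}")
```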
Example Group
This behavior can be observed in gitlab-gold (and subgroups), gitlab-org and gitlab-com by persons with the correct level of access:
This behavior is NOT limited to top-level groups.
What is the current bug behavior?
The total number of vulnerabilities reported on August 18th and August 21st is lower than expected.
What is the expected correct behavior?
The total number of vulnerabilities reported on August 18th and August 21st should be correct/consistent with the rest of the project's history.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Results of GitLab environment info
(For installations with the omnibus-gitlab package, run and paste the output of: `sudo gitlab-rake gitlab:env:info`)
(For installations from source, run and paste the output of: `sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)
Results of GitLab application Check
(For installations with the omnibus-gitlab package, run and paste the output of: `sudo gitlab-rake gitlab:check SANITIZE=true`)
(For installations from source, run and paste the output of: `sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`)
(we will only investigate if the tests are passing)