
Don't update vulnerability records when analyzer job fails

Release notes

Problem to solve

Today, security jobs are allowed to fail while still allowing the pipeline to succeed. When this happens, any security report artifacts from the failed job are not ingested. However, this can lead to the unexpected situation where existing vulnerability records on the project's default branch are marked as Resolved, due to the way findings in pipeline artifacts are processed. Even though the scan jobs failed, they are still considered enabled, so their (empty) "results" are still compared against those of the same scan type on the default branch. Finding nothing in the branch, all existing vulnerabilities of that scan type have their resolved_on_default_branch value set to true.

Proposal

Change the security report ingest behavior so that when an analyzer job fails, not only is its report not ingested, but we also make no updates to vulnerability records that originally came from the same analyzer.

NOTE: There is a related challenge for customers who run different pipeline configurations against a project's default branch. Sometimes, one pipeline config does not include a given analyzer where that same analyzer is used to scan in other pipeline runs. The same thing happens here: any pipeline without the analyzer will end up marking all previously detected vulnerabilities from the same analyzer as Resolved. If we can solve both use cases with the same solution, that would be an extra win.

Implementation plan

As the vulnerabilities of a scanner are ingested together in the IngestReportService, we can mark the vulnerabilities of that given scanner that have disappeared as resolved_on_default_branch in that service class, instead of running the logic for the whole pipeline in IngestReportsService (plural).

    • backend Update the MarkAsResolvedService to accept the scanner and update the vulnerabilities of that given scanner only.
    • backend Call MarkAsResolvedService from IngestReportService with the ingested vulnerability IDs and scanner.
    • backend Stop calling the MarkAsResolvedService from the IngestReportsService(plural).
    • backend Add a post-migration to create a composite index on vulnerability_reads(project_id, scanner_id, vulnerability_id).
    • backend Add a migration to create the index synchronously.
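As an added illustration (not GitLab's code) of the difference between the current pipeline-wide resolution and the per-scanner resolution proposed above, assuming a simplified record shape with `:id`, `:scanner` and `:resolved_on_default_branch`, and a hypothetical `reports` map that only contains scanners whose job succeeded:

```ruby
# Added illustration (not GitLab's code): per-scanner "mark as resolved"
# for default-branch vulnerability records. Hypothetical data model:
# each record is a Hash with :id, :scanner and :resolved_on_default_branch.

# Current behaviour: one pass over the whole pipeline. Every record whose id
# is not among the ingested ids is marked resolved, even if the scanner
# that produced it failed (or was absent) in this pipeline.
def mark_resolved_pipeline_wide(records, ingested_ids)
  records.map do |rec|
    rec.merge(resolved_on_default_branch: !ingested_ids.include?(rec[:id]))
  end
end

# Proposed behaviour: scoped to one scanner, called once per successfully
# ingested report. Records from other scanners are left untouched.
def mark_resolved_for_scanner(records, scanner, ingested_ids)
  records.map do |rec|
    next rec unless rec[:scanner] == scanner
    rec.merge(resolved_on_default_branch: !ingested_ids.include?(rec[:id]))
  end
end

# Drives the proposed flow: `reports` maps scanner => ingested ids for
# jobs that succeeded; failed or missing analyzers simply have no entry,
# so their records are never revisited.
def ingest_reports(records, reports)
  reports.reduce(records) do |acc, (scanner, ids)|
    mark_resolved_for_scanner(acc, scanner, ids)
  end
end

# Constructed sample: two scanners on the default branch; the SAST job failed.
DEFAULT_BRANCH = [
  { id: 1, scanner: "sast", resolved_on_default_branch: false },
  { id: 2, scanner: "sast", resolved_on_default_branch: false },
  { id: 3, scanner: "secret_detection", resolved_on_default_branch: false },
  { id: 4, scanner: "secret_detection", resolved_on_default_branch: false },
].freeze

# Only secret_detection produced a report; finding 4 is no longer present.
SUCCESSFUL_REPORTS = { "secret_detection" => [3] }.freeze

def resolved_ids(records)
  records.select { |r| r[:resolved_on_default_branch] }.map { |r| r[:id] }
end

# Pipeline-wide: [1, 2, 4] (the SAST findings are wrongly resolved).
# Per scanner: [4] (only the disappeared secret_detection finding).
```

The same per-scanner scoping covers the note about pipeline configurations that omit an analyzer: a scanner with no report in this pipeline has no entry in `reports`, so its records are not touched.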