Don't update vulnerability records when analyzer job fails
Release notes
Problem to solve

Today, security jobs are allowed to fail while still allowing the pipeline to succeed. When this happens, any security report artifacts from the failed job are not ingested. However, this can lead to the unexpected situation where existing vulnerability records on the project's default branch are marked as Resolved, due to the way findings in pipeline artifacts are processed. Even though the scan jobs failed, they are still considered enabled, so their "results" are still compared against those of the same scan type in the default branch. Finding nothing in the branch, all existing vulnerabilities have their `resolved_on_default_branch` value set to true.
Proposal

Change the security report ingest behavior so that when an analyzer job fails, not only is its report not ingested, but no updates are made to vulnerability records that originally came from the same analyzer.

NOTE: There is a related challenge for customers who run different pipeline configurations against a project's default branch. Sometimes one pipeline configuration does not include a given analyzer, even though that same analyzer is used to scan in other pipeline runs. The same thing happens here: any pipeline without the analyzer will end up marking all previously detected vulnerabilities from that analyzer as Resolved. If we can solve both use cases with the same solution, that would be an extra win.
Implementation plan

As we are ingesting the vulnerabilities of a scanner altogether in the `IngestReportService`, we can set the disappeared vulnerabilities of that given scanner as `resolved_on_default_branch` in that service class, instead of running the logic for the whole pipeline in `IngestReportsService` (plural).

- backend Update the `MarkAsResolvedService` to accept the scanner and update only the vulnerabilities of that given scanner.
- backend Call `MarkAsResolvedService` from `IngestReportService` with the ingested vulnerability IDs and the scanner.
- backend Stop calling `MarkAsResolvedService` from `IngestReportsService` (plural).
- backend Add a post migration to create a composite index on `vulnerability_reads(project_id, scanner_id, vulnerability_id)`.
- backend Add a migration to create the index synchronously.
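As an added illustration (not GitLab's own code), the Ruby sketch below contrasts the current pipeline-wide resolution with the per-scanner resolution proposed above; the scanner names, finding IDs and the "nil means the analyzer job failed" convention are constructed sample data and assumptions.

```ruby
# Added illustration, not GitLab code: models the ingest step that marks
# disappeared vulnerabilities as resolved_on_default_branch, before and
# after scoping it to the scanner whose report was actually ingested.
Vulnerability = Struct.new(:id, :scanner, :resolved_on_default_branch)

# A pipeline's security reports: scanner => array of finding ids.
# Assumption: a failed analyzer job maps to nil (no artifact to ingest);
# an analyzer not configured in this pipeline is simply absent.

# Current behaviour: the comparison runs for every scanner that has
# existing records, treating a failed or missing report as "no findings",
# so all records of that scanner end up resolved.
def mark_resolved_pipeline_wide(existing, reports)
  existing.each do |v|
    found = reports[v.scanner] || []
    v.resolved_on_default_branch = !found.include?(v.id)
  end
end

# Proposed behaviour: only scanners with a successfully ingested report
# update their own records; failed or absent analyzers change nothing.
def mark_resolved_per_scanner(existing, reports)
  reports.each do |scanner, found|
    next if found.nil? # analyzer job failed: leave its records alone
    existing.select { |v| v.scanner == scanner }.each do |v|
      v.resolved_on_default_branch = !found.include?(v.id)
    end
  end
  existing
end

# Constructed sample: three records on the default branch.
def sample_vulns
  [Vulnerability.new(1, :sast, false),
   Vulnerability.new(2, :sast, false),
   Vulnerability.new(3, :secret_detection, false)]
end

# Constructed pipeline: sast succeeded and no longer reports finding 2,
# secret_detection's job failed.
SAMPLE_REPORTS = { sast: [1], secret_detection: nil }.freeze

def resolved_ids(vulns)
  vulns.select(&:resolved_on_default_branch).map(&:id)
end
```

With the sample data, the pipeline-wide path resolves findings 2 and 3 (3 only because its analyzer failed), while the per-scanner path resolves only finding 2; a pipeline that omits secret_detection entirely behaves the same way.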