Project with no vulnerabilities receiving an F in Security Dashboard
Summary
A GitLab Premium customer reports that a project with no `Critical` vulnerabilities receives an `F` in the group's Security Dashboard.
Please see the Zendesk ticket for the specific project and group, as well as screenshots.
- Group ID: 9615441
- Project ID: 34377644
Additional details
The documentation states the following:
Each project is assigned a letter grade according to the highest-severity open vulnerability. Dismissed or resolved vulnerabilities are excluded. Each project can receive only one letter grade and appears only once in the Project security status report.
- The project in question does have dependencies with `Critical` vulnerabilities, but the documentation is unclear on whether this should count or not.
  - Do dependencies impact the grade the project receives in the Security Dashboard?
- There is another project that receives an `F` despite no `Critical` vulnerabilities, and this project has no dependencies with `Critical` vulnerabilities.
  - Is this potentially just a UI issue?
- What is the expected behavior? Is `F` perhaps the default? If so, how can the user update the grade?
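As an added check (example code, not GitLab's implementation), the documented rule applied to a constructed set of findings, so the expected grade and the findings that justify it can be compared with what the dashboard shows. The severity-to-grade mapping, the handling of unknown severity, and the reading that a dependency-scanning finding counts like any other open finding are assumptions, not statements from this issue.

```python
from dataclasses import dataclass

# Assumed severity-to-grade mapping (not stated on the page).
GRADE_FOR_SEVERITY = {"critical": "F", "high": "D", "unknown": "D",
                      "medium": "C", "low": "B"}
GRADE_ORDER = "ABCDF"                    # worst grade wins
OPEN_STATES = {"detected", "confirmed"}  # dismissed / resolved are excluded


@dataclass(frozen=True)
class Finding:
    id: int
    severity: str      # critical | high | medium | low | unknown
    state: str         # detected | confirmed | dismissed | resolved
    report_type: str   # dependency_scanning, sast, ... (assumed irrelevant to the rule)


def grade_for(finding):
    # Unrecognised severity is treated like "unknown" (assumption).
    return GRADE_FOR_SEVERITY.get(finding.severity, "D")


def expected_grade(findings):
    """Grade = worst grade among open findings; no open findings -> A."""
    grades = [grade_for(f) for f in findings if f.state in OPEN_STATES]
    return max(grades, key=GRADE_ORDER.index, default="A")


def grade_drivers(findings):
    """Open findings that justify the computed grade (what the UI should be able to show)."""
    grade = expected_grade(findings)
    return [f for f in findings if f.state in OPEN_STATES and grade_for(f) == grade]


# Constructed sample data, not the customer's projects.
DEP_CRITICAL_OPEN = [
    Finding(1, "critical", "detected", "dependency_scanning"),
    Finding(2, "critical", "resolved", "sast"),
    Finding(3, "medium", "confirmed", "sast"),
]
ONLY_DISMISSED_CRITICAL = [
    Finding(4, "critical", "dismissed", "dependency_scanning"),
    Finding(5, "low", "detected", "secret_detection"),
]

if __name__ == "__main__":
    for name, findings in [("dep-critical", DEP_CRITICAL_OPEN),
                           ("dismissed", ONLY_DISMISSED_CRITICAL), ("empty", [])]:
        print(name, expected_grade(findings), [f.id for f in grade_drivers(findings)])
```

If the dashboard shows `F` while this check yields `A` and `grade_drivers` returns nothing, the discrepancy is in the grade computation or its display, not in the documented rule.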
What is the current bug behavior?
The project in question receives an `F` grade in the Security Dashboard despite having no `Critical` vulnerabilities.
What is the expected correct behavior?
The project in question should not receive an `F` grade. Based on the documentation, this project should have an `A` grade.
Relevant logs and/or screenshots
(Screenshot, attached to the ticket: the vulnerability report for the first project highlighted in the list below.)
Output of checks
This bug happens on GitLab.com
Note: Edited to add sanitized screenshots