Vulnerabilities identified by Continuous Vulnerability Scanning not marked as "No Longer Detected"
Summary
Vulnerabilities that are identified by Continuous Vulnerability Scanning / "GitLab SBoM Vulnerability Scanner" are not marked as "No longer detected" on the vulnerability dashboard when the project's dependency is updated to address the vulnerability.
Steps to reproduce
I'm unsure specifically how to reproduce, other than:
- Have a GitLab hosted project
- GitLab updates their database of vulnerabilities which triggers continuous scanning to run on the project
- A vulnerability is identified in the project's dependencies
- Update the vulnerable dependency as required
- Observe that when the pipeline completes, the vulnerability has not been updated to reflect "No longer detected"
What is the current bug behavior?
Continuous vulnerability scanning vulnerabilities are not marked as no longer detected when the dependency is updated.
What is the expected correct behavior?
Vulnerabilities identified from continuous vulnerability scanning are marked as no longer detected when the vulnerable dependency is upgraded.
Proposal
The initial plan was to have this addressed as part of running a new pipeline with a DS job, so that the SBOM components and detected vulnerabilities get updated. However, the logic that applies the "no longer detected in default branch" flag only considers findings from the same scanner (since 15.9), and we missed that. See Resolve Vulnerabilities detected from a specifi... (!109923 - merged)
Since Continuous Vulnerability Scanning creates vulnerabilities using the scanner name "GitLab SBoM Vulnerability Scanner" and the CI-based scans use the scanner name "Gemnasium", the current logic doesn't apply the flag to vulnerabilities created by CVS.
To fix this, we should adjust the MarkAsResolvedService to additionally process vulnerabilities with scanner "GitLab SBoM Vulnerability Scanner" when ingesting vulnerabilities from a DS or CS scanner.
(To be validated)
- for DS: gemnasium, gemnasium-python, and gemnasium-maven
- for CS: Trivy
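The scanner-matching rule the proposal describes, as an added illustration that is not GitLab's own MarkAsResolvedService code: the old logic resolves only vulnerabilities recorded by the ingesting scanner, the proposed logic also resolves those recorded by the CVS scanner. It assumes vulnerabilities are matched to report findings by identifier and uses constructed sample data with placeholder identifiers.

```ruby
require "set"

# Scanner name used by Continuous Vulnerability Scanning (from the issue).
CVS_SCANNER = "GitLab SBoM Vulnerability Scanner".freeze
# DS/CS scanner names listed in the proposal (marked "to be validated" there).
DS_SCANNERS = %w[gemnasium gemnasium-python gemnasium-maven].freeze
CS_SCANNERS = %w[Trivy].freeze

# Minimal stand-in for a vulnerability record (assumption, not GitLab's model).
Vulnerability = Struct.new(:id, :scanner, :identifier, :resolved_on_default_branch)

# Scanners whose existing vulnerabilities an ingest from `ingesting_scanner` may
# resolve. include_cvs: false reproduces the pre-fix "same scanner only" rule.
def resolvable_scanners(ingesting_scanner, include_cvs: true)
  scanners = [ingesting_scanner]
  if include_cvs && (DS_SCANNERS + CS_SCANNERS).include?(ingesting_scanner)
    scanners << CVS_SCANNER
  end
  scanners
end

# Flag every vulnerability from a resolvable scanner whose identifier is absent
# from the fresh report as "no longer detected". Returns the ids that were flagged.
def mark_no_longer_detected(vulns, ingesting_scanner, report_identifiers, include_cvs: true)
  scanners = resolvable_scanners(ingesting_scanner, include_cvs: include_cvs)
  present = report_identifiers.to_set
  vulns.select { |v| scanners.include?(v.scanner) && !present.include?(v.identifier) }
       .each { |v| v.resolved_on_default_branch = true }
       .map(&:id)
end

# Constructed sample: a CVS finding whose dependency was since upgraded (1),
# a gemnasium finding still present (2), a gemnasium finding fixed (3), and a
# container-scanning finding unrelated to this DS ingest (4).
def sample_vulnerabilities
  [
    Vulnerability.new(1, CVS_SCANNER, "EXAMPLE-ID-1", false),
    Vulnerability.new(2, "gemnasium", "EXAMPLE-ID-2", false),
    Vulnerability.new(3, "gemnasium", "EXAMPLE-ID-3", false),
    Vulnerability.new(4, "Trivy", "EXAMPLE-ID-4", false)
  ]
end

# A new gemnasium report that only still reports EXAMPLE-ID-2.
def demo(include_cvs:)
  mark_no_longer_detected(sample_vulnerabilities, "gemnasium", ["EXAMPLE-ID-2"], include_cvs: include_cvs)
end

puts "old logic resolves:      #{demo(include_cvs: false).inspect}" # [3]
puts "proposed logic resolves: #{demo(include_cvs: true).inspect}"  # [1, 3]
```

The CVS finding (id 1) is left open by the old rule even though its dependency was fixed, which is the bug in the summary; the Trivy finding is untouched either way because a DS ingest says nothing about container-scanning results.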