Scanner data inconsistency between `vulnerability_reads` and `vulnerability_occurrences`
Summary
The scanner data can be inconsistent between the `vulnerability_reads` and `vulnerability_occurrences` tables for the same vulnerability.
This can happen in the following case:
- The user runs a security scan with the `gemnasium` scanner.
- We create `vulnerability_reads` and `vulnerability_occurrences` records for the detected vulnerabilities and associate them with the `gemnasium` scanner.
- The user runs another security scan with the `gemnasium-maven` scanner.
- The second scan reports the same vulnerabilities as the first one, with only one difference: the scanner.
- We update the `vulnerability_occurrences` table and associate the existing records with the new scanner.
- We don't update `vulnerability_reads`, so the existing records in that table still point to the old scanner.
At this point we have inconsistent data, as `vulnerability_reads` and `vulnerability_occurrences` point to different scanners for the same vulnerability.
This breaks:
- The logic that marks vulnerabilities as "no longer detected on the default branch".
- Filtering the vulnerabilities by tool on the vulnerability report page.
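As an added illustration (not code from this issue or from GitLab), the sequence above modelled with an in-memory SQLite database. The schema is a reduced, assumed version of the two tables (only `vulnerability_id`, `project_id`, `scanner_id` and `uuid`), the scanner ids and findings are constructed, `ingest_scan` reproduces the buggy behaviour described in the issue, `find_inconsistent` is the kind of consistency check one would run against the real tables, `count_by_tool` shows why the tool filter misses the records, and `resync_reads` is one possible repair that copies the occurrence's scanner back onto the read row (the occurrence is treated as the source of truth because it is the table that was updated).

```python
import sqlite3

# Constructed scanner ids for the two scanners named in the issue.
SCANNERS = {1: "gemnasium", 2: "gemnasium-maven"}


def make_db():
    """Toy schema: a small, assumed subset of the real columns."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE vulnerability_scanners (
            id INTEGER PRIMARY KEY, external_id TEXT NOT NULL);
        CREATE TABLE vulnerability_occurrences (
            id INTEGER PRIMARY KEY, vulnerability_id INTEGER NOT NULL UNIQUE,
            project_id INTEGER NOT NULL, scanner_id INTEGER NOT NULL, uuid TEXT NOT NULL UNIQUE);
        CREATE TABLE vulnerability_reads (
            vulnerability_id INTEGER PRIMARY KEY, project_id INTEGER NOT NULL,
            scanner_id INTEGER NOT NULL, uuid TEXT NOT NULL UNIQUE);
    """)
    conn.executemany("INSERT INTO vulnerability_scanners VALUES (?, ?)", SCANNERS.items())
    return conn


def ingest_scan(conn, project_id, scanner_id, findings):
    """Simulate the ingestion described in the issue.

    A finding (keyed by uuid) seen for the first time creates both rows.
    A finding seen again only moves the occurrence to the new scanner;
    the read row is left untouched, which is the bug.
    """
    for vuln_id, uuid in findings:
        exists = conn.execute(
            "SELECT 1 FROM vulnerability_occurrences WHERE uuid = ?", (uuid,)).fetchone()
        if exists is None:
            conn.execute(
                "INSERT INTO vulnerability_occurrences(vulnerability_id, project_id, scanner_id, uuid) "
                "VALUES (?, ?, ?, ?)", (vuln_id, project_id, scanner_id, uuid))
            conn.execute(
                "INSERT INTO vulnerability_reads VALUES (?, ?, ?, ?)",
                (vuln_id, project_id, scanner_id, uuid))
        else:
            conn.execute("UPDATE vulnerability_occurrences SET scanner_id = ? WHERE uuid = ?",
                         (scanner_id, uuid))
            # Missing here: the matching UPDATE on vulnerability_reads.
    conn.commit()


def find_inconsistent(conn):
    """Consistency check: read rows whose scanner differs from the occurrence's scanner."""
    return conn.execute("""
        SELECT r.vulnerability_id, sr.external_id AS read_scanner, so.external_id AS occ_scanner
        FROM vulnerability_reads r
        JOIN vulnerability_occurrences o ON o.vulnerability_id = r.vulnerability_id
        JOIN vulnerability_scanners sr ON sr.id = r.scanner_id
        JOIN vulnerability_scanners so ON so.id = o.scanner_id
        WHERE r.scanner_id <> o.scanner_id
        ORDER BY r.vulnerability_id
    """).fetchall()


def count_by_tool(conn, external_id):
    """The report page filters on vulnerability_reads, so a stale scanner_id hides records."""
    return conn.execute("""
        SELECT COUNT(*) FROM vulnerability_reads r
        JOIN vulnerability_scanners s ON s.id = r.scanner_id
        WHERE s.external_id = ?
    """, (external_id,)).fetchone()[0]


def resync_reads(conn):
    """One possible repair: copy the occurrence's scanner_id onto the read row. Returns rows changed."""
    cur = conn.execute("""
        UPDATE vulnerability_reads
        SET scanner_id = (SELECT o.scanner_id FROM vulnerability_occurrences o
                          WHERE o.vulnerability_id = vulnerability_reads.vulnerability_id)
        WHERE scanner_id <> (SELECT o.scanner_id FROM vulnerability_occurrences o
                             WHERE o.vulnerability_id = vulnerability_reads.vulnerability_id)
    """)
    conn.commit()
    return cur.rowcount


def reproduce():
    """Run the two scans from the issue and report the drift before and after the repair."""
    conn = make_db()
    findings = [(101, "uuid-a"), (102, "uuid-b")]  # constructed sample findings
    ingest_scan(conn, 7, 1, findings)  # first scan: gemnasium
    ingest_scan(conn, 7, 2, findings)  # second scan: gemnasium-maven, same findings
    result = {
        "drift": find_inconsistent(conn),
        "maven_count_before": count_by_tool(conn, "gemnasium-maven"),
    }
    result["repaired"] = resync_reads(conn)
    result["drift_after"] = find_inconsistent(conn)
    result["maven_count_after"] = count_by_tool(conn, "gemnasium-maven")
    return result


if __name__ == "__main__":
    for key, value in reproduce().items():
        print(f"{key}: {value}")
```

Before the repair both vulnerabilities show up in `find_inconsistent` and the `gemnasium-maven` filter returns nothing; after `resync_reads` the check is empty and the filter finds both records.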
Steps to reproduce
Follow the aforementioned steps.
Example Project
What is the current bug behavior?
Data becomes inconsistent.
What is the expected correct behavior?
Data consistency should be guaranteed.
Output of checks
This bug happens on GitLab.com
Possible fixes
TBD
Verification Steps
Detailed in the MR !148016 (merged)
Edited by Neil McCorrison