Vulnerabilities detected by Continuous Vulnerability Scanning show incorrect detected date on vulnerability page
Summary
When a vulnerability is detected by Continuous Vulnerability Scanning a.k.a. CVS, there are two different "Detected" dates shown to users. If they're viewing the vulnerability report, the date that the vulnerability was created is shown. However, if they're looking at the
Steps to reproduce
- Upload an SBOM generated by Gemnasium that has a vulnerable dependency, but do not upload the generated `gl-dependency-scanning-report.json` files.
- Run a CVS scan the next day (or modify the created-at date of the pipeline that uploaded the report). You can run this by finding the `id` of the advisory that matches the vulnerable component and emitting a scan event. For example, if you're looking to scan for CVE-2024-3094, you can do the following:

  ```ruby
  # Look up the advisory record that matches the vulnerable component...
  cve = 'CVE-2024-3094'
  advisory_id = PackageMetadata::Advisory.where(advisory_xid: cve).first.id
  # ...and publish the event that triggers a CVS scan for it.
  Gitlab::EventStore.publish(PackageMetadata::IngestedAdvisoryEvent.new(data: { advisory_id: advisory_id }))
  ```

- Observe that the vulnerability report shows the date that the vulnerability was created (newer) and the vulnerability page shows the date of the SBOM report upload (older).
What is the current bug behavior?
The dates on both pages mismatch.
| Page | Screenshot |
|---|---|
| Vuln. page | (screenshot) |
| Vuln. details | (screenshot) |
What is the expected correct behavior?
The dates on both pages match.
| Page | Screenshot |
|---|---|
| Vuln. details | (screenshot) |
Output of checks
```
❯ bundle exec rake gitlab:env:info
System information
System:
Proxy: no
Current User: hacks4oats
Using RVM: no
Ruby Version: 3.2.3
Gem Version: 3.5.7
Bundler Version:2.5.7
Rake Version: 13.0.6
Redis Version: 7.0.14
Sidekiq Version:7.1.6
Go Version: go1.21.7 darwin/arm64
GitLab information
Version: 16.11.0-pre
Revision: 58d9a72b32f
Directory: /Users/hacks4oats/code/gitlab-development-kit/gitlab
DB Adapter: PostgreSQL
DB Version: 14.9
URL: https://gdk.test:3443
HTTP Clone URL: https://gdk.test:3443/some-group/some-project.git
SSH Clone URL: ssh://git@gdk.test:2222/some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers: google_oauth2
GitLab Shell
Version: 14.34.0
Repository storages:
- default: unix:/Users/hacks4oats/code/gitlab-development-kit/praefect.socket
GitLab Shell path: /Users/hacks4oats/code/gitlab-development-kit/gitlab-shell
Gitaly
- default Address: unix:/Users/hacks4oats/code/gitlab-development-kit/praefect.socket
- default Version: 16.10.0-rc1-157-g6abde2303
- default Git Version: 2.43.2
```
Possible fixes
Update the Vulnerability Page so that it pulls in the detected date from the vulnerability creation instead of the pipeline creation.
The following changes would align the vulnerability details page with the logic the vulnerability report already uses:
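The two "Detected" date sources and what the fix changes, as an added example that is not part of this issue or of GitLab's code. The timestamps and the serialized payload are constructed, and the snake_case-to-camelCase step stands in for whatever conversion the frontend actually applies to the serializer output (an assumption).

```javascript
// Added example (not GitLab's code): models the two "Detected" date sources
// from this issue with constructed timestamps and shows what the fix changes.

// Constructed serializer output: the SBOM was uploaded by a pipeline on
// 2024-04-01; the vulnerability record was created by the CVS scan a day later.
// `detected_at` is the alias the serializer fix adds for `created_at`.
const serialized = {
  state: 'detected',
  created_at: '2024-04-02T10:00:00Z',
  detected_at: '2024-04-02T10:00:00Z',
  pipeline: { created_at: '2024-04-01T09:00:00Z' },
};

// Stand-in for the frontend's snake_case -> camelCase conversion (assumption).
function vulnerabilityFromSerializer(obj) {
  if (Array.isArray(obj)) return obj.map(vulnerabilityFromSerializer);
  if (obj === null || typeof obj !== 'object') return obj;
  return Object.fromEntries(
    Object.entries(obj).map(([k, v]) => [
      k.replace(/_([a-z])/g, (_, c) => c.toUpperCase()),
      vulnerabilityFromSerializer(v),
    ]),
  );
}

// Vulnerability report: "Detected" is the record's own creation time.
function reportDetectedDate(vuln) {
  return vuln.createdAt;
}

// Details page before the fix: the 'detected' state is special-cased to the
// pipeline that uploaded the report, which is the older date.
function detailsTimeBefore(vuln) {
  return vuln.state === 'detected'
    ? vuln.pipeline?.createdAt
    : vuln[`${vuln.state}At`];
}

// Details page after the fix: every state reads `${state}At`, so 'detected'
// reads `detectedAt`, which is undefined unless the serializer exposes it.
function detailsTimeAfter(vuln) {
  return vuln[`${vuln.state}At`];
}

function datesMatch(vuln, detailsTimeFn) {
  return detailsTimeFn(vuln) === reportDetectedDate(vuln);
}

const vuln = vulnerabilityFromSerializer(serialized);
console.log(datesMatch(vuln, detailsTimeBefore), datesMatch(vuln, detailsTimeAfter)); // false true
```

Dropping `detected_at` from the constructed payload makes `detailsTimeAfter` return `undefined`, which is why the frontend hunk only works together with the serializer hunk.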
diff --git a/ee/app/assets/javascripts/vulnerabilities/components/status_description.vue b/ee/app/assets/javascripts/vulnerabilities/components/status_description.vue
index c5833ae71f9b..f748435b95ae 100644
--- a/ee/app/assets/javascripts/vulnerabilities/components/status_description.vue
+++ b/ee/app/assets/javascripts/vulnerabilities/components/status_description.vue
@@ -55,16 +55,14 @@ export default {
},
time() {
- return this.state === 'detected'
- ? this.vulnerability.pipeline?.createdAt
- : this.vulnerability[`${this.state}At`];
+ return this.vulnerability[`${this.state}At`];
},
statusText() {
switch (this.state) {
case 'detected':
return s__(
- 'VulnerabilityManagement|%{statusStart}Detected%{statusEnd} · %{timeago} in pipeline %{pipelineLink}',
+ 'VulnerabilityManagement|%{statusStart}Detected%{statusEnd} · %{timeago}',
);
case 'confirmed':
return s__(
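Review bot: with the `detected` branch removed from `time()`, this computed property now reads `this.vulnerability.detectedAt` for the detected state, a key that only exists if the serializer exposes it (the second hunk's `expose :created_at, as: :detected_at`, after snake_case-to-camelCase conversion); any caller of `status_description.vue` that builds the vulnerability object another way will get `undefined` here, so add a fallback or at least a spec covering the `detected` state with and without `detectedAt`. The `pipelineLink` placeholder is dropped from the translatable string, so whatever still supplies a `pipelineLink` value for this message becomes dead and should be removed in the same change, and the edited string needs the locale catalog regenerated.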
diff --git a/ee/app/serializers/vulnerability_entity.rb b/ee/app/serializers/vulnerability_entity.rb
index 53c71501cca7..eaba5217c7ed 100644
--- a/ee/app/serializers/vulnerability_entity.rb
+++ b/ee/app/serializers/vulnerability_entity.rb
@@ -20,4 +20,5 @@ class VulnerabilityEntity < Grape::Entity
expose :state_transitions, using: Vulnerabilities::StateTransitionEntity
expose :issue_links, using: Vulnerabilities::IssueLinkEntity
expose :merge_request_links, using: Vulnerabilities::MergeRequestLinkEntity
+ expose :created_at, as: :detected_at
end
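Review bot: `expose :created_at, as: :detected_at` aliases the vulnerability record's creation time under the name the frontend hunk reads as `detectedAt`; add an entity spec asserting the new key and its value, and confirm the vulnerability report's payload derives "Detected" from the same `created_at` so the two pages cannot drift apart again.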