GraphQL API: vulnerability falsePositive field remains false when dismissalReason is FALSE_POSITIVE


Summary

When a vulnerability is dismissed as a false positive through the GitLab UI, the GraphQL API correctly updates the dismissalReason field to FALSE_POSITIVE but fails to set the falsePositive boolean field to true.

Steps to reproduce

  1. Create a project with code containing security vulnerabilities
  2. Add a .gitlab-ci.yml that enables SAST scanning
  3. Run a pipeline to detect the vulnerabilities
  4. Navigate to Security → Vulnerability Report
  5. Select a vulnerability and dismiss it with reason "False positive"
  6. Access the GraphQL API to check the vulnerability data
  7. Observe that while dismissalReason shows FALSE_POSITIVE, the falsePositive field remains false

Example Project

Reproduced in https://gitlab.com/tw-test-bed/vuln-dismissal

What is the current bug behavior?

When querying the GraphQL API for a vulnerability dismissed as a false positive, the dismissalReason field correctly shows FALSE_POSITIVE, but the falsePositive boolean field remains false instead of changing to true.

What is the expected correct behavior?

When a vulnerability is dismissed with reason "False positive", both fields should change: the dismissalReason field should be set to FALSE_POSITIVE and the falsePositive boolean field should be set to true.

Relevant logs and/or screenshots

GraphQL query used to list detected vulnerabilities:

query {
  project(fullPath: "tw-test-bed/vuln-dismissal") {
    vulnerabilities {
      nodes {
        id
        title
        description
        state
        severity
        dismissalReason
        falsePositive
        dismissedAt
        dismissedBy {
          name
          username
        }
      }
    }
  }
}

Excerpt of output:

            "state": "DISMISSED",
            "severity": "HIGH",
            "dismissalReason": "FALSE_POSITIVE",
            "falsePositive": false,
            "dismissedAt": "2025-03-12T17:30:40Z",
            "dismissedBy": {
              "name": "Tristan",
              "username": "tristan"
            }
          },
          {
            "id": "gid://gitlab/Vulnerability/168737772",
            "title": "Improper neutralization of special elements used in an SQL Command ('SQL Injection')",
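As an added consistency check (not part of the original report and not GitLab's own code), the script below sends the query above to the GitLab GraphQL endpoint and flags every vulnerability whose dismissalReason is FALSE_POSITIVE while falsePositive is not true, which is exactly the mismatch described here. It assumes a personal access token with read_api scope in the GITLAB_TOKEN environment variable; without one it runs offline against a constructed sample response modelled on the output excerpt (ids, titles and the ACCEPTABLE_RISK node are placeholders, not data from the example project).

```python
import json
import os
import urllib.request

# GraphQL query from the bug report, parameterised on the project path.
VULNERABILITY_QUERY = """
query($fullPath: ID!) {
  project(fullPath: $fullPath) {
    vulnerabilities {
      nodes {
        id
        title
        state
        severity
        dismissalReason
        falsePositive
      }
    }
  }
}
"""

# Constructed sample response, modelled on the excerpt in the report.
# Ids, titles and reasons here are placeholders, not real findings.
SAMPLE_RESPONSE = {
    "data": {"project": {"vulnerabilities": {"nodes": [
        {   # the reported bug: reason says false positive, flag still false
            "id": "gid://gitlab/Vulnerability/1",
            "title": "Example SQL injection finding",
            "state": "DISMISSED", "severity": "HIGH",
            "dismissalReason": "FALSE_POSITIVE", "falsePositive": False,
        },
        {   # the expected behaviour: reason and flag agree
            "id": "gid://gitlab/Vulnerability/2",
            "title": "Example finding, flag consistent",
            "state": "DISMISSED", "severity": "MEDIUM",
            "dismissalReason": "FALSE_POSITIVE", "falsePositive": True,
        },
        {   # dismissed for another reason: flag false is correct here
            "id": "gid://gitlab/Vulnerability/3",
            "title": "Example finding dismissed as acceptable risk",
            "state": "DISMISSED", "severity": "LOW",
            "dismissalReason": "ACCEPTABLE_RISK", "falsePositive": False,
        },
        {   # still open: no dismissal reason at all
            "id": "gid://gitlab/Vulnerability/4",
            "title": "Example open finding",
            "state": "DETECTED", "severity": "HIGH",
            "dismissalReason": None, "falsePositive": False,
        },
    ]}}}
}


def find_inconsistent_false_positives(response):
    """Return nodes whose dismissalReason is FALSE_POSITIVE but whose
    falsePositive flag is not true. A correct API yields an empty list."""
    nodes = response["data"]["project"]["vulnerabilities"]["nodes"]
    return [
        n for n in nodes
        if n.get("dismissalReason") == "FALSE_POSITIVE"
        and n.get("falsePositive") is not True
    ]


def fetch_vulnerabilities(full_path, token, endpoint="https://gitlab.com/api/graphql"):
    """POST the query to the GraphQL endpoint with a bearer token (assumed read_api scope)."""
    body = json.dumps({"query": VULNERABILITY_QUERY,
                       "variables": {"fullPath": full_path}}).encode()
    req = urllib.request.Request(
        endpoint, data=body,
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    token = os.environ.get("GITLAB_TOKEN")
    if token:
        data = fetch_vulnerabilities("tw-test-bed/vuln-dismissal", token)
    else:
        data = SAMPLE_RESPONSE  # offline run against the constructed sample
    for n in find_inconsistent_false_positives(data):
        print(f"{n['id']}: dismissalReason={n['dismissalReason']} "
              f"but falsePositive={n['falsePositive']}")
```

Run with GITLAB_TOKEN set to audit a real project, or without it to see the check fire on the constructed sample; any line printed is a vulnerability whose two fields disagree in the way this report describes.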

Output of checks

This bug happens on GitLab.com
