
Refresh vulnerability_statistics following SAST Resolution of no-longer-detected vulnerability


Summary

In the vulnerability ingestion process, when a vulnerability is no longer detected, it should be automatically resolved if and only if a vulnerability management policy configured to do so exists.
However, it appears that this is not the case: vulnerabilities are automatically resolved even when no such policy is configured.
Furthermore, when such a vulnerability is automatically resolved, the vulnerability_statistics table isn't updated, so its counters are not decreased.

Steps to reproduce

  1. Create a new project.
  2. Make sure no policy is configured.
  3. Push a report with N vulnerabilities.
  4. See that there are N vulnerabilities in the vulnerability report page.
  5. See that the vulnerability_statistics table has a row with N vulnerabilities.
  6. Delete one vulnerability from the report and push it.
  7. See that there are still N vulnerabilities in the vulnerability report page, but now the one we deleted is resolved (it might take a refresh or two until this happens).
  8. See that in the vulnerability_statistics table the counters weren't updated.

Example Project

What is the current bug behavior?

  1. The vulnerability is auto-resolved even without a policy
  2. The counters aren't affected by the resolved vulnerability

What is the expected correct behavior?

  1. The vulnerability shouldn't be auto-resolved
  2. If it is, the counters should reflect this.

Relevant logs and/or screenshots

Screen_Recording_2025-04-03_at_11.09.25

Output of checks

This bug happens on GitLab.com
In my test, I showed it in a gdk project, but @gkatz1 and I noticed it in prod when verifying this issue.

Results of GitLab environment info


(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:env:info`)

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)

Results of GitLab application Check


(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:check SANITIZE=true`)

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`)

(we will only investigate if the tests are passing)

Possible fixes

Update `Vulnerabilities::MarkDroppedAsResolvedWorker` to call `Vulnerabilities::Statistics::AdjustmentWorker.perform_async([project.id])`.
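The reproduction steps above and the fix proposed here, replayed as an added Ruby example. This is illustration code written for this page, not GitLab's code: `MarkDroppedAsResolvedWorker` and `StatisticsAdjustmentWorker` are hypothetical stand-ins for `Vulnerabilities::MarkDroppedAsResolvedWorker` and `Vulnerabilities::Statistics::AdjustmentWorker`, `JOB_QUEUE` replaces Sidekiq, and the policy shape (`auto_resolve_no_longer_detected`) and the `ingest_report` flow are assumptions. The resolve worker only acts when a policy allows it, and when it does resolve something it enqueues the statistics adjustment for `[project.id]`, so both expected behaviors hold.

```ruby
# Added illustration, not GitLab's code: an in-memory model of the ingestion step
# this issue describes. The worker classes are hypothetical stand-ins for the GitLab
# workers named in the issue, JOB_QUEUE stands in for Sidekiq, policy shape is assumed.
Vulnerability = Struct.new(:id, :severity, :state)

# A project with its findings, a per-severity counter hash standing in for its
# vulnerability_statistics row, and an optional policy (nil = none configured).
class Project
  attr_reader :id, :vulnerabilities, :policy
  attr_accessor :statistics

  def initialize(id, policy: nil)
    @id, @policy = id, policy
    @vulnerabilities = []
    @statistics = Hash.new(0)
  end

  def auto_resolve_allowed?
    !policy.nil? && policy[:auto_resolve_no_longer_detected] == true
  end
end

# Minimal stand-in for the Sidekiq queue: entries are [worker_class, args].
JOB_QUEUE = []

def perform_async(worker, args)
  JOB_QUEUE << [worker, args]
end

def drain_jobs(projects_by_id)
  until JOB_QUEUE.empty?
    worker, args = JOB_QUEUE.shift
    worker.new.perform(args, projects_by_id)
  end
end

# Stand-in for Vulnerabilities::Statistics::AdjustmentWorker: recount the
# detected findings of each listed project and overwrite its counters.
class StatisticsAdjustmentWorker
  def perform(project_ids, projects_by_id)
    project_ids.each do |pid|
      project = projects_by_id.fetch(pid)
      counts = Hash.new(0)
      project.vulnerabilities.each { |v| counts[v.severity] += 1 if v.state == :detected }
      project.statistics = counts
    end
  end
end

# Stand-in for Vulnerabilities::MarkDroppedAsResolvedWorker: resolve findings absent
# from the latest report only when the policy allows it, then enqueue the statistics
# adjustment for the project (the call the issue proposes adding).
class MarkDroppedAsResolvedWorker
  def perform(args, projects_by_id)
    project_id, reported_ids = args
    project = projects_by_id.fetch(project_id)
    return [] unless project.auto_resolve_allowed?
    dropped = project.vulnerabilities.select { |v| v.state == :detected && !reported_ids.include?(v.id) }
    dropped.each { |v| v.state = :resolved }
    perform_async(StatisticsAdjustmentWorker, [project.id]) unless dropped.empty?
    dropped.map(&:id)
  end
end

# Ingest a report: create or re-detect each reported finding, refresh the counters,
# then hand the no-longer-detected findings to the worker. Returns the project.
def ingest_report(project, report, projects_by_id)
  known = project.vulnerabilities.to_h { |v| [v.id, v] }
  report.each do |id, severity|
    if known[id]
      known[id].state = :detected
    else
      project.vulnerabilities << Vulnerability.new(id, severity, :detected)
    end
  end
  perform_async(StatisticsAdjustmentWorker, [project.id])
  perform_async(MarkDroppedAsResolvedWorker, [project.id, report.map(&:first)])
  drain_jobs(projects_by_id)
  project
end

# Constructed sample reports: N = 3 findings, then the same report with one deleted.
FIRST_REPORT  = [[1, :high], [2, :medium], [3, :low]].freeze
SECOND_REPORT = [[1, :high], [3, :low]].freeze

# Replay the reproduction steps for a project with or without a policy.
def scenario(policy:)
  project = Project.new(42, policy: policy)
  registry = { project.id => project }
  ingest_report(project, FIRST_REPORT, registry)
  before = project.statistics.values.sum
  ingest_report(project, SECOND_REPORT, registry)
  { before: before, after: project.statistics.values.sum,
    resolved_ids: project.vulnerabilities.select { |v| v.state == :resolved }.map(&:id) }
end

p scenario(policy: nil)                                       # {:before=>3, :after=>3, :resolved_ids=>[]}
p scenario(policy: { auto_resolve_no_longer_detected: true })  # {:before=>3, :after=>2, :resolved_ids=>[2]}
```

Running the file prints the two result hashes: without a policy the deleted finding stays detected and the counters stay at N = 3; with a policy it is resolved and the recount drops to 2, because the resolve worker enqueues the adjustment for `[project.id]` after changing states. Dropping that `perform_async` call from `MarkDroppedAsResolvedWorker` reproduces the stale counters the issue reports.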

Edited by 🤖 GitLab Bot 🤖