
Dependencies persist when supported files are removed


Generated by duo

Summary

Dependency scanning vulnerabilities persist for deleted files because the dependency scanning job stops running once the supported language files that triggered it are removed.

Problem Description

When a project removes all files for a specific technology stack (e.g., all Python files), the dependency scanning job no longer runs, because the template uses exists rules to decide when to execute. The security ingestion process therefore never runs for that pipeline, which means:

  1. No empty dependency scanning report is generated
  2. The vulnerability closure process doesn't run
  3. Existing vulnerabilities from the deleted files remain active
  4. New vulnerabilities can still be created against non-existent files when new CVE advisories are published

Current Behavior

  • Dependency scanning template only runs when supported files exist
  • When files are removed, the job doesn't execute
  • Vulnerabilities from deleted files remain in the project
  • Auto-resolve policies cannot clean up these stale vulnerabilities

Expected Behavior

  • When dependency files are removed, the job should still run
  • Vulnerabilities associated with deleted files should be marked as "no longer detected"
  • Auto-resolve policies should be able to clean up these vulnerabilities

Proposed Solution

Modify the dependency scanning template to use changes rules in addition to exists rules, so that file removal triggers the job to run and produce an empty result set.

Modify the analyzer to pull the list of supported scannable files changed between CI_COMMIT_BEFORE_SHA and CI_COMMIT_SHA (both are predefined variables). If those files have been removed, generate an empty CycloneDX report so that the ingestion process closes the findings that belonged to them.
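The analyzer-side decision described above, as an added example that is not GitLab's own analyzer code: it takes the output of a `git diff --name-status CI_COMMIT_BEFORE_SHA CI_COMMIT_SHA` run (a constructed sample is embedded, the git call itself is assumed to happen elsewhere), finds supported lockfiles that were deleted, and emits a minimal empty CycloneDX document when none remain in the tree. The list of supported file patterns is an assumption for the example, not the template's real list.

```python
import fnmatch
import json

# Assumed set of lockfile patterns the analyzer supports (hypothetical list
# for this example; the real template maintains its own).
SUPPORTED_PATTERNS = ("requirements*.txt", "Pipfile.lock", "poetry.lock",
                      "package-lock.json", "yarn.lock", "Gemfile.lock", "go.sum")

def is_supported(path):
    """True when the file name matches one of the scannable lockfile patterns."""
    name = path.rsplit("/", 1)[-1]
    return any(fnmatch.fnmatch(name, pat) for pat in SUPPORTED_PATTERNS)

def parse_name_status(diff_output):
    """Turn `git diff --name-status` lines into (status, path) pairs.
    A rename (R<score>\told\tnew) counts as a deletion of the old path plus an
    addition of the new one, so a renamed-away lockfile is not missed."""
    entries = []
    for line in diff_output.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        status = parts[0][0]
        if status == "R" and len(parts) == 3:
            entries.append(("D", parts[1]))
            entries.append(("A", parts[2]))
        else:
            entries.append((status, parts[-1]))
    return entries

def removed_supported_files(diff_output):
    """Supported lockfiles deleted between CI_COMMIT_BEFORE_SHA and CI_COMMIT_SHA."""
    return [p for s, p in parse_name_status(diff_output) if s == "D" and is_supported(p)]

def empty_cyclonedx_report():
    """Minimal CycloneDX 1.4 JSON document with no components."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": []}

def decide_report(diff_output, tree_files):
    """Return ("scan", None) when supported files still exist, ("empty", report)
    when the only supported files were removed in this range, else ("skip", None)."""
    if any(is_supported(f) for f in tree_files):
        return "scan", None
    if removed_supported_files(diff_output):
        return "empty", empty_cyclonedx_report()
    return "skip", None

# Constructed sample: requirements.txt and the last Python file were deleted.
SAMPLE_DIFF = "M\tREADME.md\nD\trequirements.txt\nD\tsrc/app.py\n"
SAMPLE_TREE = ["README.md", "Dockerfile"]

if __name__ == "__main__":
    action, report = decide_report(SAMPLE_DIFF, SAMPLE_TREE)
    if action == "empty":
        with open("gl-sbom-report.cdx.json", "w") as fh:
            json.dump(report, fh)
```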

Impact

  • Creates noise in vulnerability management
  • Requires manual sorting to identify which vulnerabilities are real
  • Affects projects that change their technology stack
  • Can lead to false positive vulnerability counts

This issue affects customers using vulnerability management policies with auto-resolve for "no longer detected" vulnerabilities.

Sources: RFH - SBoM creating new vulnerabilities from deleted files


Edited by Igor Frenkel