Anti-flipping safeguard for vulnerability management policies
Summary
When a vulnerability appears in scan results inconsistently, it can continually transition between detected and resolved states. This can cause these problems:
- Unclear vulnerability status
- Continual growth of `notes` and `vulnerability_state_transitions` records, which will eventually cause performance and storage problems
We should implement "anti-flipping" safeguards to mitigate this problem. After a vulnerability has automatically transitioned between detected and resolved a certain number of times, we should flag it as problematic (when I worked at WhiteHat Security, such vulnerabilities were called "flappers"). Once a vulnerability has been flagged, it should be excluded from any further automatic status changes and marked with an indicator in the UI. This allows someone to review it manually, set the correct status, and correct the project's pipeline configuration if necessary.
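The following is an added illustration of the safeguard described above, written for this issue and not taken from the GitLab code base. The class, method and field names, the in-memory transition list standing in for the `notes` and `vulnerability_state_transitions` tables, and the threshold of four automatic transitions are all assumptions chosen for the example:

```ruby
# Added illustration of an anti-flipping safeguard (not GitLab code).
# Names, fields and the threshold below are assumptions for this example.

# Number of automatic detected<->resolved transitions tolerated before a
# vulnerability is flagged as a flapper.
FLAP_THRESHOLD = 4

# Minimal in-memory stand-in for a vulnerability record. In a real
# implementation every recorded transition would persist both a system note
# and a vulnerability_state_transitions row, which is the growth the flag stops.
class Vulnerability
  attr_reader :id, :state, :auto_transition_count, :transitions, :ignored_updates
  attr_accessor :flapping

  def initialize(id, state: :detected)
    @id = id
    @state = state
    @auto_transition_count = 0 # automatic transitions since last manual review
    @flapping = false          # drives the UI indicator
    @ignored_updates = 0       # scan outcomes dropped while flagged
    @transitions = []          # one entry per recorded state transition
  end

  # Apply the outcome of one pipeline scan. `found` is true when the scanner
  # reported this finding again, false when it was absent from the results.
  # Returns the state after the scan.
  def apply_scan_result(found)
    # A flagged vulnerability is frozen against automatic changes until a
    # person reviews it; nothing is recorded, so the tables stop growing.
    if @flapping
      @ignored_updates += 1
      return @state
    end

    target = found ? :detected : :resolved
    return @state if target == @state

    record_transition(@state, target, author: :pipeline)
    @state = target
    @auto_transition_count += 1
    @flapping = true if @auto_transition_count >= FLAP_THRESHOLD
    @state
  end

  # Manual review: a person sets the correct state, which clears the flag and
  # resets the counter so automatic tracking resumes from a clean slate.
  def manually_set_state(new_state, reviewer:)
    record_transition(@state, new_state, author: reviewer) unless new_state == @state
    @state = new_state
    @auto_transition_count = 0
    @ignored_updates = 0
    @flapping = false
    @state
  end

  private

  def record_transition(from, to, author:)
    @transitions << { from: from, to: to, author: author }
  end
end

# Replay a constructed sequence of scan outcomes (true = found, false = absent)
# against a fresh vulnerability and return it for inspection.
def simulate(scan_results)
  vuln = Vulnerability.new(42)
  scan_results.each { |found| vuln.apply_scan_result(found) }
  vuln
end

if __FILE__ == $PROGRAM_NAME
  flapper = simulate([false, true, false, true, false, true, false, true])
  puts "state=#{flapper.state} flapping=#{flapper.flapping} " \
       "recorded=#{flapper.transitions.length} ignored=#{flapper.ignored_updates}"
end
```

With the alternating sequence above the record is frozen at `:detected` after the fourth automatic transition, and the remaining four scan outcomes are counted as ignored rather than written to storage; a finding that simply disappears and stays gone produces a single transition and is never flagged. The threshold and whether the count is reset by a manual review are the two knobs a real implementation would need to agree on.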