[Functional Requirements] AI False-Positive (FP) Filter
Problem
Formalise the functional requirements and the GraphQL schema for the Vulnerabilities AI false-positive (FP) filters.
GraphQL Schema
| Argument name | Values |
|---|---|
falsePositive |
true / false |
Schema Values
| Value | Meaning |
|---|---|
true |
Show potential false positives: detected_as_fp |
false |
Hide potential and likely false positives: not detected_as_fp |
-
❄️ GraphQL schema approved and frozen (argument name and values)
Filter Requirements
- backend Include only findings explicitly flagged as false positives (
false_positive == true) - backend Include only findings with a confidence score greater or equal to 0.6 (60%) (
detected_as_fp) - frontend Filter selection is mutually exclusive
- frontend Filter appears in the Gitlab Duo FP detection section, in the Activity dropdown.
UI Design
Test project
Feature flag
ai_experiment_sast_fp_detection
Questions
Does the backend need to handle a “likely false positive” classification?
If yes, what confidence score range represents this state? ✅
Confidence score ranges
The confidence scores currently fall into the following ranges:
- 0–59% — Not a false positive
- 60–79% — Possible false positive
- 80–100% — Likely false positive
flagStatus.status values
The flagStatus.status field currently supports the following values:
NOT_STARTEDIN_PROGRESSDETECTED_AS_FPDETECTED_AS_NOT_FPFAILED
see #585703 (comment 3000299851).
Note: final state of DETECTED_AS_FP or DETECTED_AS_NOT_FP could be used if you are looking for a quick filter. #585703 (comment 3000432434)
Interpretation
This translates to the following behaviour:
- Show potential false positives: confidence score ≥ 60%
- Hide potential and likely false positives: confidence score < 60%
Are non-SAST findings excluded by default? ✅
The false positive filter should not take report types into account. It should return all records regardless of their report type.
In practice, the false positive flag is only assigned to SAST vulnerabilities, so the filter will return SAST-only vulnerabilities by design. However, this behaviour should not be hardcoded in the backend. #585703 (comment 3002029361)
Since only one value can be selected under the GitLab Duo (AI) section, should the false positive filter be moved to a different section, or is it acceptable to keep it there with that limitation? ✅
Yes, let's move it in a dedicated section(#585703 (comment 3009456313))
