Vulnerabilities are not transitioning into resolved from marked as resolved
Summary
Security report ingestion is not updating the "Security reports last updated" timestamp in the Vulnerability Report UI when pipelines complete successfully on the default branch. This prevents the Vulnerability Auto-Resolution policy from processing vulnerabilities marked as "no longer detected" and transitioning them to "Resolved" state.
Technical Details:
When a pipeline runs on the default branch with successful container scanning jobs that generate and upload security artifacts (gl-container-scanning-report.json, gl-sbom-report.cdx.json), the following issues occur:
- The "Security reports last updated" timestamp in the Vulnerability Report UI remains stale and does not update to reflect the most recent pipeline execution
- Vulnerabilities marked as "no longer detected" in the latest scan do not transition to "Resolved" status
- The Vulnerability Auto-Resolution policy fails to process these vulnerabilities because it relies on the ingested report state
Investigation Findings:
- No failed
StoreScansWorkerorSecurity::Scans::IngestReportsWorkerjobs found in logs for affected projects - Artifacts are successfully uploaded (HTTP 201 responses confirmed)
- The 1000 vulnerabilities per pipeline auto-resolve limit is working as designed
- A possible bug exists where the "Security reports last updated" timestamp doesn't update even when ingestion succeeds
- Issue may be related to projects with very large vulnerability counts (50k+) and mixed scanning job configurations (both CI/CD config jobs and scan execution policy injected jobs)
Current Workaround:
Manual resolution via UI (filter by "Activity: No longer detected" and "Status: Needs triage", bulk select and change status to "Resolved") or GraphQL API mutations.
Expected Behavior:
Upon successful pipeline completion on the default branch:
- Security artifacts should be ingested immediately
- The "Security reports last updated" timestamp should update to reflect the recent scan
- The Auto-Resolution policy should process updated findings and resolve vulnerabilities marked as "no longer detected" (up to the 1000 per pipeline limit)
Related Issues:
- Similar behavior reported in https://gitlab.com/gitlab-com/request-for-help/-/work_items/3760
- Fixed in 18.4: #548580 (closed) (vulnerabilities already "no longer detected" not being resolved)