Vulnerabilities are not transitioning into resolved from marked as resolved

Summary

Security report ingestion is not updating the "Security reports last updated" timestamp in the Vulnerability Report UI when pipelines complete successfully on the default branch. This prevents the Vulnerability Auto-Resolution policy from processing vulnerabilities marked as "no longer detected" and transitioning them to "Resolved" state.

Technical Details:

When a pipeline runs on the default branch with successful container scanning jobs that generate and upload security artifacts (gl-container-scanning-report.json, gl-sbom-report.cdx.json), the following issues occur:

  1. The "Security reports last updated" timestamp in the Vulnerability Report UI remains stale and does not update to reflect the most recent pipeline execution
  2. Vulnerabilities marked as "no longer detected" in the latest scan do not transition to "Resolved" status
  3. The Vulnerability Auto-Resolution policy fails to process these vulnerabilities because it relies on the ingested report state

Investigation Findings:

  • No failed StoreScansWorker or Security::Scans::IngestReportsWorker jobs found in logs for affected projects
  • Artifacts are successfully uploaded (HTTP 201 responses confirmed)
  • The 1000 vulnerabilities per pipeline auto-resolve limit is working as designed
  • A possible bug exists where the "Security reports last updated" timestamp doesn't update even when ingestion succeeds
  • Issue may be related to projects with very large vulnerability counts (50k+) and mixed scanning job configurations (both CI/CD config jobs and scan execution policy injected jobs)

Current Workaround:

Manual resolution via UI (filter by "Activity: No longer detected" and "Status: Needs triage", bulk select and change status to "Resolved") or GraphQL API mutations.

Expected Behavior:

Upon successful pipeline completion on the default branch:

  1. Security artifacts should be ingested immediately
  2. The "Security reports last updated" timestamp should update to reflect the recent scan
  3. The Auto-Resolution policy should process updated findings and resolve vulnerabilities marked as "no longer detected" (up to the 1000 per pipeline limit)

Related Issues:

Edited by 🤖 GitLab Bot 🤖