Incorrect vulnerabilities over time count for Dependency and Container Scanning vulnerabilities

Summary

The counts per severity and the counts of the last day of the vulnerabilities over time chart don't match for the Dependency Scanning and Container Scanning vulnerabilities in gitlab-org group's new security dashboard.

Analysis

The counts per severity (which is a static current count) use resolved_on_default_branch to exclude no longer detected vulnerabilities from the counts. The vulnerabilities over time chart (count per day) uses the last DetectionTransition record instead because those contain a timestamp.

Normally the boolean resolved_on_default_branch field should be the inverse of the detected boolean field of the latest DetectionTransition record. This does not always seem to be the case for Dependency Scanning and Container Scanning vulnerabilities.

In mark_as_resolved_service.rb#L46-50 we see that Dependency Scanning and Container Scanning vulnerabilities are handled differently. Since the counts are lower for the vulnerabilities over time, it's likely that we're failing to properly create a DetectionTransition record with detected: true when re-detecting (some of) those vulnerabilities.
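To make the two counting paths and the suspected inconsistency concrete, the following is an added, self-contained Ruby sketch (not GitLab's code). It models the two fields named above, resolved_on_default_branch and DetectionTransition.detected, on plain Structs with constructed sample rows; the record shapes, the helper names and the missing re-detection transition for vulnerability 2 are assumptions for illustration, not taken from the GitLab schema.

```ruby
# Added example, not GitLab code: a simplified in-memory model of the two
# counting paths described in the analysis, plus a consistency check.
# Only the field names resolved_on_default_branch and detected come from
# the issue; record shapes and sample data are constructed here.
require 'date'

Vulnerability = Struct.new(:id, :severity, :report_type,
                           :resolved_on_default_branch, keyword_init: true)
DetectionTransition = Struct.new(:vulnerability_id, :detected, :created_at,
                                 keyword_init: true)

# Constructed sample data. Vulnerability 2 (dependency scanning) is still
# open on the default branch but never received a detected: true transition
# after its last detected: false one, which is the failure mode suspected above.
VULNERABILITIES = [
  Vulnerability.new(id: 1, severity: 'high',   report_type: 'dependency_scanning', resolved_on_default_branch: false),
  Vulnerability.new(id: 2, severity: 'high',   report_type: 'dependency_scanning', resolved_on_default_branch: false),
  Vulnerability.new(id: 3, severity: 'medium', report_type: 'container_scanning',  resolved_on_default_branch: true),
  Vulnerability.new(id: 4, severity: 'low',    report_type: 'sast',                resolved_on_default_branch: false),
].freeze

TRANSITIONS = [
  DetectionTransition.new(vulnerability_id: 1, detected: true,  created_at: Date.new(2026, 2, 10)),
  DetectionTransition.new(vulnerability_id: 2, detected: true,  created_at: Date.new(2026, 2, 1)),
  DetectionTransition.new(vulnerability_id: 2, detected: false, created_at: Date.new(2026, 2, 5)),
  # (no detected: true record for id 2 after re-detection -- constructed gap)
  DetectionTransition.new(vulnerability_id: 3, detected: true,  created_at: Date.new(2026, 2, 3)),
  DetectionTransition.new(vulnerability_id: 3, detected: false, created_at: Date.new(2026, 2, 12)),
  DetectionTransition.new(vulnerability_id: 4, detected: true,  created_at: Date.new(2026, 2, 14)),
].freeze

# Path 1: static count per severity, driven by resolved_on_default_branch.
def counts_per_severity(vulns = VULNERABILITIES)
  vulns.reject(&:resolved_on_default_branch)
       .group_by(&:severity)
       .transform_values(&:size)
end

# Latest DetectionTransition per vulnerability, optionally limited to
# records created on or before `day` (nil means no limit).
def latest_transition_by_vuln(day = nil, transitions = TRANSITIONS)
  transitions.select { |t| day.nil? || t.created_at <= day }
             .group_by(&:vulnerability_id)
             .transform_values { |ts| ts.max_by(&:created_at) }
end

# Path 2: vulnerabilities-over-time count for one day, driven by the
# detected flag of the latest DetectionTransition on or before that day.
def count_on_day(day, vulns = VULNERABILITIES, transitions = TRANSITIONS)
  latest = latest_transition_by_vuln(day, transitions)
  vulns.count { |v| latest[v.id]&.detected }
end

# Consistency check: resolved_on_default_branch should be the inverse of
# the latest transition's detected flag. Returns ids that violate this,
# which is exactly the set that makes the two counts diverge.
def inconsistent_vulnerability_ids(vulns = VULNERABILITIES, transitions = TRANSITIONS)
  latest = latest_transition_by_vuln(nil, transitions)
  vulns.select { |v| latest[v.id].nil? || latest[v.id].detected == v.resolved_on_default_branch }
       .map(&:id)
end

if __FILE__ == $PROGRAM_NAME
  puts "static counts per severity: #{counts_per_severity}"
  puts "over-time count on 2026-02-16: #{count_on_day(Date.new(2026, 2, 16))}"
  puts "inconsistent vulnerability ids: #{inconsistent_vulnerability_ids}"
end
```

With the constructed rows the static path counts three open vulnerabilities while the over-time path counts two for the last day, and the check singles out vulnerability 2 as the record whose latest transition says resolved while the boolean says open. Running a query of the same shape against real data would list the affected vulnerabilities and show whether they are confined to the Dependency Scanning and Container Scanning report types.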

Screenshots

gitlab-org only dependency scanning: counts don't match
[screenshot: Screenshot_2026-02-13_at_17.21.58]

gitlab-org only container scanning: counts don't match
[screenshot: Screenshot_2026-02-13_at_17.22.16]

gitlab-org container scanning and dependency scanning excluded: counts match
[screenshot: Screenshot_2026-02-16_at_13.49.41]

Edited Feb 16, 2026 by Lorenz van Herwaarden