Implement displaying of false positive detection badges in Vulnerability report
What does this MR do and why?
This MR replaces the legacy false positive badges with new ones, based on Duo Workflow agents, for the Vulnerability report.
Note: this MR does not affect security findings shown inside an MR; that is the subject of another MR.
References
Screenshots or screen recordings
How to set up and validate locally
- Ensure that you have GitLab Runner set up in your GDK: https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/howto/runner.md
- Copy the project to your GDK (replace `gdk.test` with your GDK domain and `gitlab-duo/demo-sast` with the desired project path in your GDK):

```shell
cd /tmp # just to be nice
git clone git@gitlab.com:compliance-group-testing-and-demos/demos/test-sast.git
cd test-sast
git push --all ssh://git@gdk.test:2222/gitlab-duo/demo-sast.git -o merge_request.create
```
- Verify that your project `gitlab-duo/demo-sast` was created and has 1 merge request
- Wait for all pipelines to finish (you can verify this under `Build > Pipelines`)
- Verify that you have a list of vulnerabilities in `Secure > Vulnerability report`
- Run `rails console`
- Enable the feature flag by running `Feature.enable(:ai_experiment_sast_fp_detection)`
- Seed vulnerability flags (FP detection) by running the script below (do not forget to replace `project_full_path`):
```ruby
project_full_path = 'gitlab-duo/demo-sast-2' # Replace with the actual full path string like "group/project"
project = Project.find_by_full_path(project_full_path)
if project.nil?
  puts "Error: No project found with full path '#{project_full_path}'"
  exit
end

vulnerabilities = Vulnerability.where(project_id: project.id)
flags_created_or_updated = 0

# Generate a long description of ~20 lines
def generate_long_description
  [
    "Summary of findings:",
    "This alert has been analyzed by our automated system and appears to be a false positive.",
    "The code pattern matches known safe implementations and does not expose the application to security risks.",
    "",
    "Technical details:",
    "- Pattern identification: The code pattern follows industry best practices",
    "- Security context: The function runs in a controlled environment with proper input validation",
    "- Risk assessment: Low risk due to multiple layers of protection",
    "- Mitigation measures: Already present in the codebase",
    "",
    "Additional notes:",
    "This finding has been automatically classified based on historical data and code pattern analysis.",
    "The confidence score indicates the likelihood of this being a false positive.",
    "Please review the code carefully before dismissing this alert permanently.",
    "",
    "Automatically generated at #{Time.current.strftime('%Y-%m-%d %H:%M:%S')}",
    "Detection algorithm version: 1.2.3",
    "Analysis ID: #{SecureRandom.uuid}"
  ].join("\n")
end

vulnerabilities.each do |vulnerability|
  # Determine if we should create/update a flag (50% chance)
  random_value = rand
  # Only proceed if random value > 0.5
  next unless random_value > 0.5

  finding = vulnerability.vulnerability_finding
  next if finding.nil? # skip vulnerabilities that have no finding record to attach a flag to

  # One false_positive flag per finding: update it if it exists, otherwise create it
  existing_flag = finding.vulnerability_flags.find_by(flag_type: :false_positive)
  status = :detected_as_fp
  confidence_score = rand(0.51..1.0).round(2) # Between 0.51 and 1.0
  description = generate_long_description

  if existing_flag
    existing_flag.update!(
      status: status,
      confidence_score: confidence_score,
      description: description
    )
  else
    finding.vulnerability_flags.create!(
      flag_type: :false_positive,
      status: status,
      confidence_score: confidence_score,
      origin: 'console_script',
      description: description
    )
  end
  flags_created_or_updated += 1
end

puts "Completed processing #{vulnerabilities.count} vulnerabilities, created/updated #{flags_created_or_updated} flags"
```

(verify that the output starts with `Completed processing 10 vulnerabilities`)
- Verify functionality:
  - Badges in `Secure > Vulnerability report`
  - Popover
  - Vulnerability details
  - Badges in
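The seeding script above is only safe to re-run because it looks up an existing `false_positive` flag before creating one. The following is an added example, not code from this MR or from GitLab: it models that upsert and the 50% sampling with plain Ruby structs (`Finding`, `Flag` and the helper names are assumptions made for this example) so the two properties a reviewer cares about can be checked without a GDK: re-running never attaches a second `false_positive` flag to a finding, and every seeded flag carries `status: :detected_as_fp` with a confidence score in `0.51..1.0`.

```ruby
# Added example (not the MR's code): in-memory model of the console script's
# flag upsert. Finding/Flag and the helper names are assumptions for this example.
Flag = Struct.new(:flag_type, :status, :confidence_score, :origin, :description, keyword_init: true)
Finding = Struct.new(:id, :vulnerability_flags, keyword_init: true)

# Mirrors the script: find the existing false_positive flag and update it,
# otherwise create one. Returns the flag that was touched.
def seed_false_positive_flag(finding, rng: Random.new)
  existing = finding.vulnerability_flags.find { |f| f.flag_type == :false_positive }
  attrs = {
    status: :detected_as_fp,
    confidence_score: rng.rand(0.51..1.0).round(2), # same range as the script
    description: "constructed description for finding #{finding.id}"
  }
  if existing
    attrs.each { |key, value| existing[key] = value }
    existing
  else
    flag = Flag.new(flag_type: :false_positive, origin: 'console_script', **attrs)
    finding.vulnerability_flags << flag
    flag
  end
end

# Same 50% sampling as the script; returns how many findings were touched.
def seed_findings(findings, rng: Random.new)
  findings.count { |finding| rng.rand > 0.5 && seed_false_positive_flag(finding, rng: rng) }
end

# Post-seeding checks: how many findings carry an FP flag, whether any finding
# ended up with duplicate FP flags, and whether status/score match expectations.
def verify_seeded_flags(findings)
  fp_flags_of = ->(finding) { finding.vulnerability_flags.select { |fl| fl.flag_type == :false_positive } }
  fp_flags = findings.flat_map(&fp_flags_of)
  {
    flagged_findings: findings.count { |f| fp_flags_of.call(f).any? },
    duplicates: findings.count { |f| fp_flags_of.call(f).size > 1 },
    all_detected_as_fp: fp_flags.all? { |fl| fl.status == :detected_as_fp },
    scores_in_range: fp_flags.all? { |fl| (0.51..1.0).cover?(fl.confidence_score) }
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: ten findings, matching the demo project's ten vulnerabilities
  findings = (1..10).map { |i| Finding.new(id: i, vulnerability_flags: []) }
  rng = Random.new(42) # fixed seed so the run is reproducible
  first = seed_findings(findings, rng: rng)
  second = seed_findings(findings, rng: rng)
  puts "first run touched #{first} findings, second run touched #{second}"
  p verify_seeded_flags(findings)
end
```

Running the seeding twice against the same findings and then `verify_seeded_flags` should report `duplicates: 0` regardless of the RNG seed; if the real script were changed to `create!` without the `find_by` lookup, the second run on a GDK would produce duplicate flags and the report would show several badges per finding.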
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #568000
Edited by Illya Klymov