How do we manage scanner/analyzer updates that change what a vulnerability looks like?
Problem to solve
Because we leverage open-source analyzers, there are times when they make changes which cause us to think a vulnerability is new, even though it has been identified with a previous version of the analyzer.
This means that users will potentially have to dismiss vulns again even though they've dismissed them already before. It also means that metrics will be incorrect if the same vulnerability is included multiple times in a project.
An example of this is in https://gitlab.com/gitlab-org/gitlab-ee/issues/12950#note_207142289
Further details
This issue is to discuss a long-term strategy for handling changes in our underlying analyzers' output, and for minimizing the impact those changes have on users.
Some thoughts:
- Does using first-class vulns and tracking the scanner version help here?
- Can we extract the type of vuln from the analyzer, and then, if that same location already has a dismissed vuln of that type, auto-dismiss the new one?
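The second idea above, as an added example (not GitLab code and not any real analyzer's output): a fingerprint built only from the finding's external identifiers (here CWE) and its location, deliberately excluding the analyzer version and its free-text name/message, so a dismissal recorded against an old report carries forward when a newer analyzer version rewords the same finding. The report structure, field names, ids and the "example-sast" analyzer are constructed for this illustration.

```python
import hashlib
import json

# Constructed sample reports, not real analyzer output. Both contain the same
# SQL-injection finding in app/db.py; hypothetical analyzer version 2.0.0 renamed
# the finding and rewrote its message, and also reports one genuinely new finding.
OLD_REPORT = {
    "scan": {"analyzer": {"id": "example-sast", "version": "1.0.0"}},
    "vulnerabilities": [
        {
            "id": "old-1",
            "name": "SQL Injection",
            "message": "Possible SQL injection",
            "identifiers": [{"type": "cwe", "value": "89"}],
            "location": {"file": "app/db.py", "start_line": 42},
        },
    ],
}

NEW_REPORT = {
    "scan": {"analyzer": {"id": "example-sast", "version": "2.0.0"}},
    "vulnerabilities": [
        {
            "id": "new-1",
            "name": "Improper Neutralization of SQL Commands",
            "message": "User input flows into a SQL query without sanitization",
            "identifiers": [{"type": "cwe", "value": "89"}],
            "location": {"file": "app/db.py", "start_line": 42},
        },
        {
            "id": "new-2",
            "name": "Hardcoded Secret",
            "message": "Credential literal in source",
            "identifiers": [{"type": "cwe", "value": "798"}],
            "location": {"file": "app/config.py", "start_line": 7},
        },
    ],
}

# Dismissals the user recorded against the old report's finding ids (constructed).
DISMISSED_OLD_IDS = {"old-1"}


def naive_match(a, b):
    """Version-sensitive comparison: equal only if the analyzer's free text also matches.
    This is the behaviour that makes a reworded finding look new."""
    return (a["name"], a["message"], a["location"]) == (b["name"], b["message"], b["location"])


def stable_fingerprint(vuln):
    """Hash only the fields that say *what* and *where*: sorted external identifiers
    (e.g. CWE) plus file and start line. Analyzer id/version, name and message are
    excluded on purpose so an analyzer upgrade does not change the hash."""
    identifiers = sorted((i["type"], i["value"]) for i in vuln["identifiers"])
    location = (vuln["location"]["file"], vuln["location"]["start_line"])
    canonical = json.dumps([identifiers, location], separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def carry_forward_dismissals(old_report, dismissed_old_ids, new_report):
    """Return (ids in new_report to auto-dismiss, ids that are genuinely new).
    A finding whose fingerprint matches a dismissed old finding is auto-dismissed;
    one whose fingerprint matches no old finding at all is reported as new."""
    dismissed_fps = {
        stable_fingerprint(v)
        for v in old_report["vulnerabilities"]
        if v["id"] in dismissed_old_ids
    }
    known_fps = {stable_fingerprint(v) for v in old_report["vulnerabilities"]}
    auto_dismiss, genuinely_new = [], []
    for v in new_report["vulnerabilities"]:
        fp = stable_fingerprint(v)
        if fp in dismissed_fps:
            auto_dismiss.append(v["id"])
        elif fp not in known_fps:
            genuinely_new.append(v["id"])
    return auto_dismiss, genuinely_new


if __name__ == "__main__":
    old, new = OLD_REPORT["vulnerabilities"][0], NEW_REPORT["vulnerabilities"][0]
    print("naive match across versions:", naive_match(old, new))
    print("stable fingerprints equal:", stable_fingerprint(old) == stable_fingerprint(new))
    print("auto-dismiss / new:", carry_forward_dismissals(OLD_REPORT, DISMISSED_OLD_IDS, NEW_REPORT))
```

Anchoring the fingerprint on `start_line` keeps the example small but makes it fragile to unrelated edits that shift lines; a production scheme would want a location component that survives such edits (for instance a hash of the affected code fragment, or a function/symbol name) and should record which identifier types it relies on, since an analyzer may also change or drop those.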
Proposal
TBD