Vulnerabilities reported in the pipeline do not show on the security dashboards
Summary
When a pipeline on the default branch fails but its security jobs pass, the pipeline view still reports the vulnerabilities those jobs found, and they are persisted in the database as occurrences. However, when we fetch vulnerabilities to display them on the dashboard, we fetch them from the latest successful default branch pipeline, so the occurrences stored by the failed pipeline are never shown there.
This leads to confusion, since people see that the latest default branch pipeline reports different vulnerabilities than the dashboards.
Steps to reproduce
- Create a new project. You can clone https://gitlab.com/auto-devops-examples/minimal-ruby-app for simplicity. (You don't have to use a new project, but it makes it easier to see the bug.)
- Configure the project's default branch CI with at least one security scan and with one job (for example, a deploy job) that errors, so the pipeline as a whole fails while the security jobs pass.
- Run the pipeline.
- See the vulnerabilities reported in the pipeline security report.
- Go to the project's security dashboard.
- See that the vulnerabilities do not appear on the dashboard.
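A minimal `.gitlab-ci.yml` that sets up the scenario above is given below. It is an added example, not the configuration of the example project linked on this page; it assumes the SAST template path `Security/SAST.gitlab-ci.yml` and a project whose source the SAST analyzers detect (for example the Ruby app linked above), so that at least one security job runs and passes while the deploy job fails the pipeline.

```yaml
# Added example configuration, not taken from the example project.
# Assumes the SAST template at Security/SAST.gitlab-ci.yml and a project
# whose source the SAST analyzers detect (e.g. Ruby, as in minimal-ruby-app).
include:
  - template: Security/SAST.gitlab-ci.yml

stages:
  - test      # SAST jobs from the template run here and pass
  - deploy    # the deliberately broken job runs here and fails the pipeline

deploy:
  stage: deploy
  script:
    # Deliberate error so the pipeline is marked failed even though the
    # security jobs in the test stage succeeded and uploaded their reports.
    - echo "Simulating a broken deploy step"
    - exit 1
```

Commit this to the default branch, wait for the pipeline to finish (it should show as failed, with the SAST job(s) green), open the pipeline's Security tab to confirm that findings are listed, then open the project security dashboard and compare.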
Example Project
https://gitlab.com/avielle/minimal-ruby-app
What is the current bug behavior?
Vulnerabilities reported by a failed default branch pipeline do not show up on the security dashboards.
What is the expected correct behavior?
TBD
Output of checks
This bug happens on GitLab.com
Possible fixes
We use the Vulnerable concern to fetch vulnerabilities for the dashboard, and it scopes them to the latest successful default branch pipeline.
However, when we store occurrences in the database, we do so for every default branch pipeline regardless of whether it succeeded, so the two views diverge whenever the latest default branch pipeline has failed.