Encountering stale findings in project-level vulnerability reports
Issue
Project-level vulnerability reports continue to show vulnerability findings even after they have been resolved in code.
Environment
- Static Application Security Testing (SAST) is enabled.
- The vulnerability finding is reported by a security scanner that has reached end of support status.
- Impacted offerings:
  - GitLab Self-Managed
- Impacted versions:
  - GitLab 17.3.0 and earlier.
Cause
Vulnerability findings generated by security analyzers that have reached end of support cannot be updated automatically: a finding is normally marked resolved when it is absent from a newer report on the default branch, but an analyzer that no longer runs never produces that newer report, so its findings stay open even after the underlying code has been fixed.
Resolution
Upgrade to GitLab 17.3.1 or later.
After upgrading, a one-time data migration automatically resolves findings from the analyzers that have reached end of support.
Additional information
- The migration only resolves vulnerabilities that have not been confirmed or dismissed; findings in either of those states are left unchanged.
- The migration does not affect vulnerabilities that were automatically translated to Semgrep-based scanning.
- The migration does not affect the SpotBugs analyzer as only its use for Java security scanning has reached end of support. SpotBugs continues to be used for Groovy and Scala security scanning.
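The three rules above can be applied to a project's findings before the upgrade, to see which ones the migration is expected to close and which will stay open. The following script is an added example and is not GitLab's own code or part of the migration. It assumes a personal access token with `read_api` scope, and the set of analyzer external IDs it treats as end-of-support is an assumption that must be checked against the `scanner.externalId` values in your own reports and against the "End of supported analyzers" documentation (the sample findings at the bottom are constructed, not real data).

```python
"""Triage which open findings GitLab's 17.3.1 migration should auto-resolve.

Added example, not GitLab's own code. Scanner external IDs are assumptions:
verify them against your project's reports and the end-of-support docs.
"""
import json
import urllib.request

# ASSUMPTION: external IDs of SAST analyzers that reached end of support.
EOS_SCANNERS = {
    "bandit", "brakeman", "eslint", "flawfinder", "gosec",
    "njsscan", "phpcs_security_audit", "security_code_scan",
}
# SpotBugs is not affected: only its Java use reached end of support.
UNAFFECTED_SCANNERS = {"find_sec_bugs"}  # ASSUMPTION: SpotBugs analyzer ID
# Confirmed and dismissed findings are left alone by the migration.
PRESERVED_STATES = {"CONFIRMED", "DISMISSED"}

QUERY = """
query($fullPath: ID!, $after: String) {
  project(fullPath: $fullPath) {
    vulnerabilities(first: 100, after: $after) {
      pageInfo { hasNextPage endCursor }
      nodes { id title state scanner { externalId name } }
    }
  }
}
"""


def fetch_vulnerabilities(base_url, token, full_path):
    """Page through all vulnerabilities of a project via the GraphQL API."""
    nodes, after = [], None
    while True:
        body = json.dumps({"query": QUERY,
                           "variables": {"fullPath": full_path,
                                         "after": after}}).encode()
        req = urllib.request.Request(
            f"{base_url}/api/graphql", data=body,
            headers={"Content-Type": "application/json",
                     "Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)["data"]["project"]["vulnerabilities"]
        nodes.extend(page["nodes"])
        if not page["pageInfo"]["hasNextPage"]:
            return nodes
        after = page["pageInfo"]["endCursor"]


def migration_would_resolve(node):
    """True if the one-time migration is expected to resolve this finding."""
    scanner = (node.get("scanner") or {}).get("externalId", "")
    if node["state"] in PRESERVED_STATES:      # confirmed/dismissed: kept
        return False
    if scanner in UNAFFECTED_SCANNERS:         # SpotBugs: kept
        return False
    return scanner in EOS_SCANNERS             # semgrep etc.: kept


def split_findings(nodes):
    """Return (ids the migration will resolve, ids that stay as they are)."""
    resolved = [n["id"] for n in nodes if migration_would_resolve(n)]
    kept = [n["id"] for n in nodes if not migration_would_resolve(n)]
    return resolved, kept


# Constructed sample in the shape the GraphQL API returns (not real data).
SAMPLE = [
    {"id": "gid://gitlab/Vulnerability/1", "state": "DETECTED",
     "title": "hardcoded password", "scanner": {"externalId": "bandit"}},
    {"id": "gid://gitlab/Vulnerability/2", "state": "DISMISSED",
     "title": "assert used", "scanner": {"externalId": "bandit"}},
    {"id": "gid://gitlab/Vulnerability/3", "state": "DETECTED",
     "title": "sql injection", "scanner": {"externalId": "semgrep"}},
    {"id": "gid://gitlab/Vulnerability/4", "state": "DETECTED",
     "title": "xxe", "scanner": {"externalId": "find_sec_bugs"}},
    {"id": "gid://gitlab/Vulnerability/5", "state": "CONFIRMED",
     "title": "weak rng", "scanner": {"externalId": "gosec"}},
    {"id": "gid://gitlab/Vulnerability/6", "state": "DETECTED",
     "title": "strcpy", "scanner": {"externalId": "flawfinder"}},
]

if __name__ == "__main__":
    # Replace SAMPLE with fetch_vulnerabilities(url, token, "group/project")
    # to run against a live instance.
    resolved, kept = split_findings(SAMPLE)
    print("migration will resolve:", resolved)
    print("left unchanged:        ", kept)
```

Run it against the live project before upgrading and save the two lists; after the upgrade, the findings in the first list should show as resolved in the project vulnerability report, and anything still open from an end-of-support scanner is either confirmed/dismissed or carries an external ID you did not include in `EOS_SCANNERS`.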
Related links
- Docs: End of supported analyzers
- Issue 444926 - Details about the migration process