Troubleshooting - Vulnerability Management Policy is not auto-resolving "No longer detected" vulnerabilities
Description
You might notice a discrepancy between the vulnerabilities shown on the Vulnerabilities Report page and those in your default branch pipeline security reports. Despite having configured a Vulnerability Management Policy, some vulnerabilities are marked as No longer detected but are not being automatically resolved.
Impacted offerings:
- GitLab.com
- GitLab Dedicated
- GitLab Self-Managed
Impacted versions:
- GitLab 17.8 and above
Resolution
Run the scanner that detected the No longer detected vulnerability again on the default branch after the Vulnerability Management Policy is enabled.
For example, if the vulnerability was detected by the Semgrep scanner and the project is now scanned by GitLab Advanced SAST, you can temporarily add the following to the .gitlab-ci.yml file in the default branch, then trigger a pipeline for the default branch:
    include:
      - template: Jobs/SAST.gitlab-ci.yml

    semgrep-sast:
      rules:
        - when: always
Cause
There are many vulnerability scanners that protect your repository code. For example, GitLab SAST alone offers a variety of scanners. When a vulnerability is detected, it is reported together with the scanner that detected it; this can be viewed on the vulnerability details page.
Sometimes, when you switch scanners, the same vulnerabilities are reported again under the new scanner, which causes duplicate entries in the Vulnerabilities Report. For example, this happens when switching from the Semgrep scanner to GitLab Advanced SAST.
Because each vulnerability is linked to the scanner that reported it, the Vulnerability Management Policy will not auto-resolve a vulnerability until a new report from that same scanner shows that the vulnerability no longer exists.
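To make the cause concrete, here is an added Python example (not part of this article and not GitLab's own code) that reads two simplified SAST JSON reports, constructed inline, and shows (a) the findings that appear under two different scanner ids, which is what produces the duplicate entries, and (b) which scanner ids own findings but did not run in the latest pipeline, so they must be run again before the policy can resolve their findings. The report schema is a simplified subset of GitLab's security report format, and the scanners_to_rerun function encodes the rule stated above; it is an illustration, not the policy engine's implementation.

```python
"""Spot cross-scanner duplicate findings and scanners that must run again.

The sample reports below are constructed for this example; their schema is a
reduced subset of the GitLab security report JSON (scan.scanner, and per
finding: scanner, identifiers, location).
"""
import json
from collections import defaultdict

# Constructed: report produced while the project was scanned by Semgrep.
SEMGREP_REPORT = json.loads("""
{
  "scan": {"scanner": {"id": "semgrep", "name": "Semgrep"}},
  "vulnerabilities": [
    {"id": "f-1", "scanner": {"id": "semgrep"},
     "identifiers": [{"type": "cwe", "name": "CWE-89", "value": "89"}],
     "location": {"file": "app/db.py", "start_line": 42}},
    {"id": "f-2", "scanner": {"id": "semgrep"},
     "identifiers": [{"type": "cwe", "name": "CWE-78", "value": "78"}],
     "location": {"file": "app/shell.py", "start_line": 10}}
  ]
}
""")

# Constructed: report from the latest pipeline after switching to Advanced SAST.
# It re-reports the same app/db.py finding under a different scanner id.
ADVANCED_SAST_REPORT = json.loads("""
{
  "scan": {"scanner": {"id": "gitlab-advanced-sast", "name": "GitLab Advanced SAST"}},
  "vulnerabilities": [
    {"id": "f-3", "scanner": {"id": "gitlab-advanced-sast"},
     "identifiers": [{"type": "cwe", "name": "CWE-89", "value": "89"}],
     "location": {"file": "app/db.py", "start_line": 42}}
  ]
}
""")


def finding_key(vuln):
    """Scanner-independent identity of a finding: file, line and identifier set."""
    loc = vuln["location"]
    ids = frozenset((i["type"], i["value"]) for i in vuln["identifiers"])
    return (loc["file"], loc["start_line"], ids)


def cross_scanner_duplicates(*reports):
    """Return {finding_key: [scanner ids]} for findings seen by more than one scanner.

    These are the entries that show up twice in the Vulnerabilities Report: the
    same code location and identifiers, but attributed to different scanners.
    """
    seen = defaultdict(set)
    for report in reports:
        for vuln in report["vulnerabilities"]:
            seen[finding_key(vuln)].add(vuln["scanner"]["id"])
    return {key: sorted(ids) for key, ids in seen.items() if len(ids) > 1}


def scanners_to_rerun(previous_reports, current_reports):
    """Scanner ids that own earlier findings but produced no report in the latest pipeline.

    Findings owned by these scanners stay "No longer detected" instead of being
    resolved, because resolution needs a fresh report from that same scanner
    showing the finding is gone. Running those scanners once more on the default
    branch provides that evidence.
    """
    ran = {r["scan"]["scanner"]["id"] for r in current_reports}
    owners = {v["scanner"]["id"]
              for r in previous_reports for v in r["vulnerabilities"]}
    return sorted(owners - ran)


if __name__ == "__main__":
    for key, scanners in cross_scanner_duplicates(SEMGREP_REPORT, ADVANCED_SAST_REPORT).items():
        file, line, _ = key
        print(f"duplicate at {file}:{line} reported by {', '.join(scanners)}")
    print("scanners to run again:", scanners_to_rerun([SEMGREP_REPORT], [ADVANCED_SAST_REPORT]))
```

Run it against real gl-sast-report.json artifacts by loading them with json.load in place of the constructed dictionaries; the keys used here (scan.scanner.id, vulnerabilities[].scanner.id, identifiers, location) exist in the real format, but real reports carry additional fields this example ignores.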
Symptom
- Duplicate vulnerabilities
- No longer detected vulnerabilities are not automatically resolved after enabling a Vulnerability Management Policy
Additional Information
This is also the case for dependency scanning: if the vulnerability was detected by gemnasium-maven-dependency_scanning and you are now running gemnasium-dependency_scanning, the same issue occurs.