Non-DAST results displaying when DAST is selected from Scanner filter on Vulnerability Report
Summary
As reported here, the Scanner filter is sometimes (not always) showing incorrect results when the DAST option is selected from the dropdown. Non-DAST scan results appear in the vulnerability report as pictured here:
Steps to reproduce
Example Project
NOTE: this does not happen on https://gitlab.com/gitlab-org/gitlab/-/security/vulnerability_report/?scanner=GitLab.DAST
What is the current bug behavior?
After selecting only DAST from the Scanner filter dropdown, SAST results are also displaying in the vulnerability report results.
What is the expected correct behavior?
After selecting only DAST from the Scanner filter dropdown, only DAST results should display in the vulnerability report results.
Relevant logs and/or screenshots
Output of checks
Results of GitLab environment info
Results of GitLab application Check
Possible fixes
When there are no scanner IDs for a scanner category, the filter is `{ scannerId: [] }`. However, this is interpreted by the backend as "don't filter by scanner ID". When a category with no scanner IDs is selected, we need to send a filter that will return no results. The GraphQL query expects a `VulnerabilitiesScannerID`, which has to match the pattern `gid://gitlab/Vulnerabilities::Scanner/${SOME_ID}`, so one possible solution is to send `{ scannerId: "gid://gitlab/Vulnerabilities::Scanner/null" }`.
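The empty-filter problem and the proposed sentinel GID, as an added illustration that is not GitLab's own frontend or backend code. The category-to-scanner-ID mapping, the sample findings and the `applyScannerFilter` backend stand-in are constructed assumptions; only the GID pattern and the `null` sentinel come from the issue.

```javascript
// Constructed mapping of scanner categories to registered scanner IDs.
// DAST has no scanner in this project, which is the case that triggers the bug.
const SCANNER_IDS_BY_CATEGORY = {
  SAST: [3, 7],
  DEPENDENCY_SCANNING: [9],
  DAST: [],
};

const SCANNER_GID_PREFIX = 'gid://gitlab/Vulnerabilities::Scanner/';
const toGid = (id) => `${SCANNER_GID_PREFIX}${id}`;

// Current behaviour described in the issue: the (possibly empty) list of GIDs is
// sent as-is, and an empty list is read by the backend as "no scanner filter".
function buildScannerFilterBuggy(categories, idsByCategory = SCANNER_IDS_BY_CATEGORY) {
  const ids = categories.flatMap((c) => idsByCategory[c] ?? []);
  return { scannerId: ids.map(toGid) };
}

// Proposed fix: when the selection resolves to no scanner IDs, send a GID that
// matches the VulnerabilitiesScannerID pattern but cannot belong to any scanner,
// so the query returns nothing instead of everything.
const NO_MATCH_SCANNER_GID = toGid('null');

function buildScannerFilter(categories, idsByCategory = SCANNER_IDS_BY_CATEGORY) {
  const ids = categories.flatMap((c) => idsByCategory[c] ?? []);
  if (ids.length === 0) {
    return { scannerId: NO_MATCH_SCANNER_GID };
  }
  return { scannerId: ids.map(toGid) };
}

// Stand-in for the backend's handling of the filter (assumption): a missing or
// empty scannerId means "do not filter"; otherwise only listed GIDs pass.
function applyScannerFilter(vulnerabilities, filter) {
  const raw = filter.scannerId;
  const gids = Array.isArray(raw) ? raw : raw ? [raw] : [];
  if (gids.length === 0) return vulnerabilities;
  const allowed = new Set(gids);
  return vulnerabilities.filter((v) => allowed.has(v.scannerGid));
}

// Constructed sample findings: two SAST, one Dependency Scanning, no DAST.
const SAMPLE_VULNERABILITIES = [
  { id: 1, scannerGid: toGid(3) },
  { id: 2, scannerGid: toGid(7) },
  { id: 3, scannerGid: toGid(9) },
];
```

With only DAST selected, the buggy builder lets all three non-DAST findings through, while the fixed builder yields an empty result set.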