API to delete vulnerabilities in bulk
Why are we doing this work
We regularly receive requests from customers asking how to "reset" the vulnerabilities in their projects.
In the past we have provided console scripts (example) to perform this task. These scripts are meant for one-off usage, and they stop working once an incompatible change is made to the Category:Vulnerability Management models.
In Provide way to mass delete vulnerabilities from... (#325888), we have a proposal for a feature that provides a UI to delete vulnerabilities. Until we can prioritize that feature, we'd like to create a boring solution that continues to work after changes to the models.
The partial solution could be a rake task or a GraphQL API. For a rake task, administrative rights are implied. For GraphQL, the user should have the Owner permission on the affected groups/projects.
Specification
- The input must accept a list of target projects. If not provided, the task aborts.
- The input must accept a list of target report types. If none provided, all report types are targeted.
- The input may rely on a service to perform its job.
- The functionality must be covered by tests so that it continues to work whenever the models change.
- A dry-run option to check the result of the script before execution.
Bonus (Possibly in Followup(s))
- Flag to clear the entire vulnerability database of a GitLab instance (with due warnings)
- Ability to only clear vulnerability information from before a certain date.
- Automatically detect future Vulnerability Models in a test so that they're flagged to be added to this script. (Ideally this should not annoy all GitLab team members. Some form of GitLab automation that creates an issue periodically as needed could be good.)
Implementation plan
- Implement a new GraphQL mutation that accepts arguments based on the above specification to initiate the cleanup
- The cleanup logic should run in a background job
- The cleanup job should be deduplicated
- The cleanup logic should log enough information to make it easier to debug
- Ensure that the cleanup logic is fully covered by tests so that the functionality won't break as we change our models.
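The following is an added example sketching the service the specification and plan above call for; it is not GitLab code. It assumes a constructed in-memory array of vulnerability hashes in place of the real Vulnerability models, and a hypothetical fixed list of report types; it shows the abort-when-no-projects rule, the default to all report types, the dry-run path and the logging the plan asks for.

```ruby
# Added example (not GitLab's code): plain-Ruby sketch of the bulk-delete service
# from the specification. The store is a constructed in-memory array standing in
# for the real Vulnerability models; REPORT_TYPES is an assumed fixed list.
require 'logger'
REPORT_TYPES = %w[sast dast dependency_scanning container_scanning secret_detection].freeze

class BulkDeleteVulnerabilitiesService
  Result = Struct.new(:status, :message, :deleted_count, :matched_ids)

  # store: array of hashes with :id, :project_id, :report_type (constructed stand-in)
  def initialize(store, project_ids:, report_types: nil, dry_run: true, logger: Logger.new($stdout))
    @store = store
    @project_ids = Array(project_ids).compact
    # Spec: when no report types are given, every report type is targeted.
    @report_types = report_types.nil? || report_types.empty? ? REPORT_TYPES : Array(report_types)
    @dry_run = dry_run
    @logger = logger
  end

  def execute
    # Spec: abort when no target projects are given.
    return Result.new(:error, 'no target projects given', 0, []) if @project_ids.empty?
    unknown = @report_types - REPORT_TYPES
    return Result.new(:error, "unknown report types: #{unknown.join(', ')}", 0, []) unless unknown.empty?

    matched = @store.select { |v| @project_ids.include?(v[:project_id]) && @report_types.include?(v[:report_type]) }
    ids = matched.map { |v| v[:id] }
    # Plan: log enough to debug a run (scope, selection size, mode).
    @logger.info("projects=#{@project_ids.inspect} report_types=#{@report_types.inspect} matched=#{ids.size} dry_run=#{@dry_run}")

    # Spec: a dry run reports what would be deleted without touching the store.
    return Result.new(:dry_run, "would delete #{ids.size} vulnerabilities", 0, ids) if @dry_run

    @store.reject! { |v| ids.include?(v[:id]) }
    Result.new(:success, "deleted #{ids.size} vulnerabilities", ids.size, ids)
  end
end

# Constructed sample data for a stand-alone run.
SAMPLE_STORE = [
  { id: 1, project_id: 10, report_type: 'sast' },
  { id: 2, project_id: 10, report_type: 'dast' },
  { id: 3, project_id: 11, report_type: 'sast' },
  { id: 4, project_id: 12, report_type: 'secret_detection' }
].freeze

# Runs the service over a copy of the sample store; returns [result, remaining row count].
def run_demo(dry_run:)
  store = SAMPLE_STORE.map(&:dup)
  result = BulkDeleteVulnerabilitiesService.new(store, project_ids: [10, 11], report_types: ['sast'],
                                                 dry_run: dry_run, logger: Logger.new(nil)).execute
  [result, store.size]
end
```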