Skip to content

Vulnerabilities do not stay Dismissed

Summary

Marking a vulnerability as Dismissed and then running a new pipeline that detects the same vulnerability will mark it as Needs Triage again; there is no system note for the status change.

Steps to reproduce

  1. Run a pipeline that creates a vulnerability
  2. Mark it as Dismissed
  3. Run a new pipeline
  4. Check the vulnerability state

Example Project

https://gitlab.com/duncan_harris_ultimate_group/duncan/container-scanning/-/security/vulnerabilities/93612515

I can invite to the project so my case can be reviewed.

What is the current bug behavior?

Vulnerability does not retain state as expected.

What is the expected correct behavior?

Vulnerability should remain in Dismissed state unless something like #416409 (closed) happens.

Relevant logs and/or screenshots

N/A

Output of checks

This bug happens on GitLab.com

GitLab Enterprise Edition 16.5.0-pre 8a24f20af90

Possible fixes