Vulnerability statistics flaw in security report ingestion
Summary
I just noticed a flaw in the vulnerability statistics calculation in the security report ingestion logic.
The calculated statistics are not correct when the ingestion logic automatically sets the state of a "resolved" vulnerability to "detected".
Steps to reproduce
- Mark a vulnerability as resolved
- Run the pipeline to ingest the security reports again
- Make sure the vulnerability state is automatically set to "detected" again
- Check the `vulnerability_statistics` record for the project
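The following is an added illustration of the drift described in the steps above, not GitLab's own code. It models a counter-based statistics row (per-severity counts, as the `vulnerability_statistics` table keeps) and shows how an ingestion step that flips a resolved finding back to detected without routing that transition through the statistics update leaves the stored counters behind the truth. Class names, the `COUNTED_STATES` rule, and the helper functions are assumptions made for the example.

```ruby
# Added example (not GitLab code): minimal model of statistics drift when
# ingestion re-detects a resolved vulnerability. Names below are assumptions.

SEVERITIES = %w[critical high medium low unknown info].freeze

class Vulnerability
  attr_accessor :state
  attr_reader :severity

  def initialize(severity, state = 'detected')
    @severity = severity
    @state = state
  end
end

# Incrementally maintained statistics row: one counter per severity.
class VulnerabilityStatistics
  # Constructed rule: only states that represent an open finding are counted.
  COUNTED_STATES = %w[detected confirmed].freeze

  attr_reader :counts

  def initialize
    @counts = Hash.new(0)
  end

  def total
    SEVERITIES.sum { |s| @counts[s] }
  end

  # Adjust the counter for a single state change of one vulnerability.
  def apply_transition(vuln, from, to)
    was_counted = COUNTED_STATES.include?(from)
    now_counted = COUNTED_STATES.include?(to)
    @counts[vuln.severity] += 1 if now_counted && !was_counted
    @counts[vuln.severity] -= 1 if was_counted && !now_counted
  end
end

# Buggy ingestion: resets resolved findings to detected and never tells the
# statistics row about it, so the stored counters stay too low.
def ingest_buggy(stats, redetected)
  redetected.each { |v| v.state = 'detected' if v.state == 'resolved' }
  stats
end

# Fixed ingestion: the same state change is routed through the statistics update.
def ingest_fixed(stats, redetected)
  redetected.each do |v|
    next unless v.state == 'resolved'

    stats.apply_transition(v, 'resolved', 'detected')
    v.state = 'detected'
  end
  stats
end

# Oracle: rebuild the statistics from the vulnerabilities' current states.
def recompute(vulns)
  stats = VulnerabilityStatistics.new
  vulns.each { |v| stats.apply_transition(v, nil, v.state) }
  stats
end

# Returns true when the incrementally maintained row disagrees with a full recount.
def drift?(stats, vulns)
  SEVERITIES.any? { |s| stats.counts[s] != recompute(vulns).counts[s] }
end

# Walks the reproduction steps from the issue against a constructed project.
def scenario(fix:)
  vulns = [Vulnerability.new('high'), Vulnerability.new('critical'), Vulnerability.new('low')]
  stats = recompute(vulns)

  # Step 1: the user marks the critical finding as resolved.
  stats.apply_transition(vulns[1], 'detected', 'resolved')
  vulns[1].state = 'resolved'

  # Step 2: the pipeline re-ingests a report that still contains that finding.
  fix ? ingest_fixed(stats, [vulns[1]]) : ingest_buggy(stats, [vulns[1]])

  { stored: stats.counts.dup, recomputed: recompute(vulns).counts.dup, drift: drift?(stats, vulns) }
end

if __FILE__ == $PROGRAM_NAME
  puts "buggy: #{scenario(fix: false)}"
  puts "fixed: #{scenario(fix: true)}"
end
```

Running the buggy path leaves the stored `critical` counter at 0 while a full recount gives 1; the fixed path keeps both in agreement. A periodic recount compared against the stored row, as `drift?` does here, is a cheap way to catch this class of drift regardless of which transition caused it.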
Example Project
What is the current bug behavior?
What is the expected correct behavior?
Relevant logs and/or screenshots
Possible fixes
Edited by Mehmet Emin INAC