All vulnerability states selection in scan result policies should only include "all newly detected vulnerability states"
Summary
Selecting a scan result policy that filters on new vulnerabilities only appears to match all vulnerabilities regardless of state, including pre-existing ones.
Steps to reproduce
- Create a new scan result policy
- Select "New" and "All vulnerability states"
- Observe that pre-existing vulnerabilities are detected as new (they shouldn't be)
Example Project
What is the current bug behavior?
Pre-existing vulnerabilities are considered in [ ] but shouldn't be.
What is the expected correct behavior?
[ ] should include only the "newly detected" states. Pre-existing vulnerabilities should not be considered a violation when "All vulnerability states" is selected together with "New".
Alternatively, vulnerability_states: [] should be equivalent to vulnerability_states: ['newly_detected', 'new_needs_triage'].
Relevant logs and/or screenshots
Output of checks
Results of GitLab environment info
Results of GitLab application Check
Possible fixes
Workarounds
Manually edit the policy YAML file to define the states explicitly (the "newly detected" states) instead of relying on the empty list the UI generates.
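As an added illustration of the workaround, not part of the original report or of GitLab's own code: the policy below contains two rules side by side. The first uses the empty vulnerability_states: [] that the report says currently matches pre-existing findings as well; the second lists the newly detected states explicitly, which is the workaround described above. The vulnerability_states values come from the report itself; the remaining keys (scan_result_policy, scan_finding, branches, scanners, vulnerabilities_allowed, severity_levels, require_approval, approvals_required, user_approvers) follow GitLab's documented scan result policy schema as I understand it, and the policy names and approver username are placeholders, so verify them against the policy schema for your GitLab version before committing the file.

```yaml
# Constructed example policy file (assumed schema: GitLab scan result policies).
scan_result_policy:
  # Rule 1: what the UI produces for "New" + "All vulnerability states".
  # The empty list is the setting the report says is evaluated against
  # every state, so pre-existing findings trip the rule. Kept disabled
  # here purely for comparison.
  - name: Block new critical findings (empty states, reported behaviour)
    description: Placeholder rule showing the empty vulnerability_states list
    enabled: false
    rules:
      - type: scan_finding
        branches:
          - main
        scanners:
          - dependency_scanning
          - container_scanning
        vulnerabilities_allowed: 0
        severity_levels:
          - critical
        vulnerability_states: []
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers:
          - placeholder-security-approver   # assumption: replace with a real username

  # Rule 2: the workaround. Naming the newly detected states explicitly
  # limits the rule to findings introduced by the merge request, so
  # vulnerabilities that already exist on the target branch are not
  # counted as violations.
  - name: Block new critical findings (explicit newly detected states)
    description: Placeholder rule with the states spelled out
    enabled: true
    rules:
      - type: scan_finding
        branches:
          - main
        scanners:
          - dependency_scanning
          - container_scanning
        vulnerabilities_allowed: 0
        severity_levels:
          - critical
        vulnerability_states:
          - newly_detected
          - new_needs_triage
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers:
          - placeholder-security-approver   # assumption: replace with a real username
```

After applying the explicit-states rule, open a merge request against a branch that already carries a known critical finding and confirm that the approval requirement is not triggered by that finding alone; if it still is, the instance is evaluating states the way the report describes and the rule should be checked against the schema documentation for that version.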
Edited by Grant Hickman