Is there a way to "reset" the Vulnerability Report in GitLab 'Security & Compliance'?

DevSecOps
1

We are using various scanners (SAST, Dependency, License, etc) and trying to come up with a sustainable way of keeping the various findings mitigated. We have a repo that has over 5000 findings, and there are so many of them that it would be MUCH easier to just reset it. Is there a way to do this?

The problem (we think) with just dismissing them all and waiting for the scanner to find the problems again, is that if we dismiss, for example, an “Object Injection Sink” vulnerability detected on line 46 of myjavascriptfile.js… then the tool seems to remember not to find that one again, and what we want is to wipe the memory of the vulnerability report itself, so that it will be starting from a completely blank slate, and it will again detect the OIS vulnerability on line 46 of myjavascriptfile.js. Otherwise we have to wait for every line of our repo to change (such as some code is added to myjavascriptfile.js so that the code triggering the OIS detection moves to line 47). Does that distinction make sense?

Any insight is appreciated. Thanks!

2

I got a response via another channel so I wanted to follow-up to my post above with one solution:
Marking a vulnerability as “Resolved” will apparently have the desired effect, while marking it as “Dismissed” leads to the perma-dismissed-until-line-number-changes effect. Here is the quote from a technical resource:

A resolved vulnerability record will get re-created as a new vulnerability, even if in the exact location, if the offending code still exists in new branches. As you pointed out, dismissing doesn’t have this behavior because dismissal acknowledges the vulnerability can be ignored and likely will remain in the code.

3

An enhancement request here would be to create a status other than ‘Resolved’ which is a bit misleading since nothing was Resolved – it could function exactly the same way, but would be a way for those who come later to understand that a re-scan was requested for the finding, instead of any code change in the repo that actually resolved it.