debian-mirror-gitlab/doc/user/application_security/vulnerabilities/index.md
---
stage: Secure
group: Threat Insights
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---

# Vulnerability Pages **(ULTIMATE)**

> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/13561) in GitLab 13.0.

Each vulnerability in a project has a Vulnerability Page. This page contains details of the
vulnerability. The details included vary according to the type of vulnerability. Details of each
vulnerability include:

- Description
- When it was detected
- Current status
- Available actions
- Linked issues
- Actions log

In GitLab 14.3 and later, if the scanner determined the vulnerability to be a false positive, an
alert message is included at the top of the vulnerability's page.

On the vulnerability's page, you can:

- [Change the vulnerability's status](#change-vulnerability-status).
- [Create an issue](#create-an-issue-for-a-vulnerability).
- [Link issues to the vulnerability](#linked-issues).
- [Resolve a vulnerability](#resolve-a-vulnerability), if a solution is
  available.

## Vulnerability status values

A vulnerability's status can be one of the following:

| Status | Description |
|:----------|:------------|
| Detected | The default state for a newly discovered vulnerability. Appears as "Needs triage" in the UI. |
| Confirmed | A user has seen this vulnerability and confirmed it to be accurate. |
| Dismissed | A user has seen this vulnerability and dismissed it because it is not accurate or otherwise not to be resolved. |
| Resolved | The vulnerability has been fixed or is no longer present. |

Dismissed vulnerabilities are ignored if detected in subsequent scans. Resolved vulnerabilities that are reintroduced and detected by subsequent scans have a _new_ vulnerability record created. When an existing vulnerability is no longer detected in a project's `default` branch, you should change its status to Resolved. This ensures that if it is accidentally reintroduced in a future merge, it will be visible again as a new record. You can use the [Activity filter](../vulnerability_report/#activity-filter) to select all vulnerabilities that are no longer detected, and [change their status](../vulnerability_report#change-status-of-multiple-vulnerabilities).

## Change vulnerability status

To change a vulnerability's status, select a new value from the **Status** dropdown then select
**Change status**. Optionally, add a comment to the log entry at the bottom of the page.

## Create an issue for a vulnerability

From a vulnerability's page you can create an issue to track all action taken to resolve or
mitigate it.

You can create either:

- [A GitLab issue](#create-a-gitlab-issue-for-a-vulnerability) (default).
- [A Jira issue](#create-a-jira-issue-for-a-vulnerability).

Creating a Jira issue requires that
[Jira integration](../../../integration/jira/index.md) is enabled on the project. Note
that when Jira integration is enabled, the GitLab issue feature is not available.

### Create a GitLab issue for a vulnerability

To create a GitLab issue for a vulnerability:

1. In GitLab, go to the vulnerability's page.
1. Select **Create issue**.

An issue is created in the project, pre-populated with information from the vulnerability report.
The issue is then opened so you can take further action.

### Create a Jira issue for a vulnerability

> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/4677) in GitLab 13.9.
> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/283850) in GitLab 13.12.

Prerequisites:

- [Enable Jira integration](../../../integration/jira/index.md).
  The **Enable Jira issues creation from vulnerabilities** option must be selected as part of the configuration.
- Each user must have a personal Jira user account with permission to create issues in the target project.

To create a Jira issue for a vulnerability:

1. Go to the vulnerability's page.
1. Select **Create Jira issue**.
1. If you're not already logged in to Jira, log in.

The Jira issue is created and opened in a new browser tab. The **Summary** and **Description**
fields are pre-populated from the vulnerability's details.

Unlike GitLab issues, the status of whether a Jira issue is open or closed does not display in the GitLab user interface.

## Linked issues

NOTE:
If Jira issue support is enabled, GitLab issues are disabled so this feature is not available.

You can link one or more existing GitLab issues to a vulnerability. Adding a link helps track
the issue that resolves or mitigates a vulnerability.

Issues linked to a vulnerability are shown in the Vulnerability Report and the vulnerability's page.

Be aware of the following conditions between a vulnerability and a linked issue:

- The vulnerability page shows related issues, but the issue page doesn't show the vulnerability it's related to.
- An issue can only be related to one vulnerability at a time.
- Issues can be linked across groups and projects.

## Link to existing issues

To link a vulnerability to existing issues:

1. Go to the vulnerability's page.
1. In the **Linked issues** section, select the plus icon (**{plus}**).
1. For each issue to be linked, either:
   - Paste a link to the issue.
   - Enter the issue's ID (prefixed with a hash `#`).
1. Select **Add**.

The selected issues are added to the **Linked issues** section, and the linked issues counter is updated.

## Resolve a vulnerability

For some vulnerabilities a solution is already known. In those instances, a vulnerability's page
includes a **Resolve with merge request** option.

To resolve a vulnerability, you can either:

- [Resolve a vulnerability with a merge request](#resolve-a-vulnerability-with-a-merge-request).
- [Resolve a vulnerability manually](#resolve-a-vulnerability-manually).

The following scanners are supported:

- [Dependency Scanning](../dependency_scanning/index.md).
  Automatic patch creation is only available for Node.js projects managed with
  `yarn`.
- [Container Scanning](../container_scanning/index.md).

![Create merge request from vulnerability](img/create_mr_from_vulnerability_v13_4.png)

### Resolve a vulnerability with a merge request

To resolve the vulnerability with a merge request, go to the vulnerability's page and from the
**Resolve with merge request** dropdown select **Resolve with merge request**.

A merge request is created which applies the patch required to resolve the vulnerability.
Process the merge request according to your standard workflow.

### Resolve a vulnerability manually

To manually apply the patch that GitLab generated for a vulnerability:

1. Go to the vulnerability's page and from the **Resolve with merge request** dropdown select
   **Download patch to resolve**.
1. Ensure your local project has the same commit checked out that was used to generate the patch.
1. Run `git apply remediation.patch`.
1. Verify and commit the changes to your branch.
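The steps above leave it to you to confirm that the checked-out commit matches the one the patch was generated from, which is the step most often skipped and the reason a patch applies to the wrong code or fails halfway. The following POSIX shell script is an added example, not part of the GitLab documentation or of GitLab's own tooling: it wraps steps 2 and 3 in a function that refuses to apply the patch if `HEAD` differs from the expected commit, and dry-runs `git apply --check` before touching the working tree. The function name, its return codes, and the throwaway repository with its constructed one-line dependency file and patch are all assumptions made for illustration; a real run would pass the commit shown on the vulnerability page and the downloaded `remediation.patch`.

```shell
#!/bin/sh
# Added example, not from the GitLab docs: apply a downloaded remediation
# patch only after checking that the commit checked out locally is the one
# the patch was generated from, and only if the patch applies cleanly.
# Function names, return codes and the demo repository contents are all
# constructed for this illustration.
set -eu

# apply_remediation <expected_commit> <patch_file>
# Runs in the current working directory, which must be the project checkout.
# Return codes: 0 patch applied, 1 wrong commit checked out, 2 patch does
# not apply cleanly. For 1 and 2 nothing in the working tree is changed.
apply_remediation() {
  expected="$1"
  patch="$2"
  head=$(git rev-parse HEAD)
  if [ "$head" != "$expected" ]; then
    echo "refusing: HEAD is $head, patch was generated from $expected" >&2
    return 1
  fi
  # Dry run first: --check reports conflicts without modifying any file.
  if ! git apply --check "$patch" 2>/dev/null; then
    echo "refusing: patch does not apply cleanly on $head" >&2
    return 2
  fi
  git apply "$patch"
}

# Builds a throwaway repository with a constructed dependency pin and a
# constructed unified diff that bumps it, so the check can run offline.
make_demo_repo() {
  dir=$(mktemp -d)
  git init -q "$dir"
  printf 'lodash@4.17.15\n' > "$dir/deps.txt"
  git -C "$dir" add deps.txt
  git -C "$dir" -c user.name=demo -c user.email=demo@example.com \
    commit -q -m "base: vulnerable dependency pinned"
  printf '%s\n' \
    '--- a/deps.txt' \
    '+++ b/deps.txt' \
    '@@ -1 +1 @@' \
    '-lodash@4.17.15' \
    '+lodash@4.17.21' > "$dir/remediation.patch"
  echo "$dir"
}

# Happy path: HEAD is the commit the patch was generated from, so the patch
# is applied; prints the updated dependency line.
demo_apply() {
  repo=$(make_demo_repo)
  base=$(git -C "$repo" rev-parse HEAD)
  (cd "$repo" && apply_remediation "$base" remediation.patch) >/dev/null
  cat "$repo/deps.txt"
}

# Failure path: the branch moved on after the patch was generated, so the
# function refuses; prints the return code and the untouched first line.
demo_wrong_commit() {
  repo=$(make_demo_repo)
  base=$(git -C "$repo" rev-parse HEAD)
  printf 'left-pad@1.3.0\n' >> "$repo/deps.txt"
  git -C "$repo" -c user.name=demo -c user.email=demo@example.com \
    commit -q -am "add another dependency"
  rc=0
  (cd "$repo" && apply_remediation "$base" remediation.patch) 2>/dev/null || rc=$?
  echo "$rc $(head -n1 "$repo/deps.txt")"
}
```

To use it against a real checkout, `cd` into the project, check out the commit named on the vulnerability page, and call `apply_remediation <that-commit> remediation.patch`; a non-zero return means the tree is unchanged and tells you which precondition failed, so step 4 (verify and commit) only ever follows a clean apply.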