realaravinth/debian-mirror-gitlab
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
debian-mirror-gitlab/doc/user/application_security/vulnerability_report/index.md
Pirate Praveen 26db65f672 New upstream version 13.10.3+ds1
2021-04-17 20:07:23 +05:30

6.7 KiB
Raw Blame History

type stage group info
reference, howto Secure Threat Insights To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments

Vulnerability Report (ULTIMATE)

The Vulnerability Report provides information about vulnerabilities from scans of the branch most recently merged into the default branch. It is available at the instance, group, and project level.

At all levels, the Vulnerability Report contains:

  • Totals of vulnerabilities per severity level.
  • Filters for common vulnerability attributes.
  • Details of each vulnerability, presented in tabular layout.

Vulnerability Report

Project-level Vulnerability Report

Introduced in GitLab 11.1.

The project-level Vulnerability Report also contains:

  • A time stamp showing when it was updated, including a link to the latest pipeline.
  • The number of failures that occurred in the most recent pipeline. Select the failure notification to view the Failed jobs tab of the pipeline's page.

To access the report, navigate to Security & Compliance > Vulnerability Report.

Vulnerability Report actions

From the Vulnerability Report you can:

Vulnerability Report filters

You can filter the vulnerabilities table by:

Filter Available options
Status Detected, Confirmed, Dismissed, Resolved.
Severity Critical, High, Medium, Low, Info, Unknown.
Scanner Available scanners.
Project For more details, see Project filter.
Activity For more details, see Activity filter.

Filter the list of vulnerabilities

To filter the list of vulnerabilities:

  1. Select a filter.
  2. Select values from the dropdown.
  3. Repeat the above steps for each desired filter.

The vulnerability table is applied immediately. The vulnerability severity totals are also updated.

The filters' criteria are combined to show only vulnerabilities matching all criteria. An exception to this behavior is the Activity filter. For more details about how it works, see Activity filter.

Project filter

The content of the Project filter depends on the current level:

Level Content of the Project filter
Instance level Only projects you've added to the instance-level Security Center.
Group level All projects in the group.
Project level Not applicable.

Activity filter

Introduced in GitLab 13.9

The Activity filter behaves differently from the other filters. The selected values form mutually exclusive sets to allow for precisely locating the desired vulnerability records. Additionally, not all options can be selected in combination.

Selection behavior when using the Activity filter:

Activity selection Results displayed
All Vulnerabilities with any Activity status (same as ignoring this filter). Selecting this will deselect any other Activity filter options.
No activity Only vulnerabilities without either an associated Issue or that are no longer detected. Selecting this will deselect any other Activity filter options.
With issues Only vulnerabilities with one or more associated issues. Does not include vulnerabilities that also are no longer detected.
No longer detected Only vulnerabilities that are no longer detected in the latest pipeline scan of the default branch. Does not include vulnerabilities with one or more associated issues.
With issues and No longer detected Only vulnerabilities that have one or more associated issues and also are no longer detected in the latest pipeline scan of the default branch.

View details of a vulnerability

To view more details of a vulnerability, select the vulnerability's Description. The vulnerability's details page is opened.

View issues raised for a vulnerability

The Activity column indicates the number of issues that have been created for the vulnerability. Hover over an Activity entry and select a link go to that issue.

Display attached issues

Change status of vulnerabilities

To change the status of vulnerabilities in the table:

  1. Select the checkbox for each vulnerability you want to update the status of.
  2. In the dropdown that appears select the desired status, then select Change status.

Project Vulnerability Report

Export vulnerability details

  • Introduced in the Security Center (previously known as the Instance Security Dashboard) and project-level Vulnerability Report (previously known as the Project Security Dashboard) in GitLab Ultimate 13.0.
  • Added to the group-level Vulnerability Report in GitLab Ultimate 13.1.

You can export details of the vulnerabilities listed in the Vulnerability Report. The export format is CSV (comma separated values). Note that all vulnerabilities are included because filters don't apply to the export.

Fields included are:

  • Group name
  • Project name
  • Scanner type
  • Scanner name
  • Status
  • Vulnerability
  • Details
  • Additional information
  • Severity
  • CVE (Common Vulnerabilities and Exposures)
  • CWE (Common Weakness Enumeration)
  • Other identifiers

Export details in CSV format

To export details of all vulnerabilities listed in the Vulnerability Report, select Export.

The details are retrieved from the database, then the CSV file is downloaded to your local computer.

NOTE: It may take several minutes for the download to start if your project contains thousands of vulnerabilities. Don't close the page until the download finishes.