doc/user/application_security/vulnerabilities/_index.md
{{< details >}}
{{< /details >}}
Each vulnerability in a project has a vulnerability page containing details of the vulnerability, including:
For vulnerabilities in the Common Vulnerabilities and Exposures (CVE) catalog, these details also include:
For further details on this additional data, see vulnerability risk assessment data.
If the scanner determined the vulnerability to be a false positive, an alert message is included at the top of the vulnerability's page.
For vulnerabilities detected by SAST, GitLab Duo can automatically analyze them and generate a merge request with context-aware code fixes. For more information, see Agentic SAST vulnerability resolution.
{{< details >}}
{{< /details >}}
{{< history >}}
duo_secret_detection_false_positive. Enabled on GitLab.com, GitLab Self-Managed, and GitLab Dedicated.{{< /history >}}
GitLab Duo automatically analyzes secret detection findings to identify potential false positives. Dismissing false positives reduces noise in your vulnerability report by flagging findings that are likely not actual security risks.
For each analyzed vulnerability, GitLab Duo provides the following information:
For more information, see secret false positive detection.
{{< details >}}
{{< /details >}}
{{< collapsible title="Model information" >}}
{{< /collapsible >}}
{{< history >}}
{{< /history >}}
Use GitLab Duo Vulnerability resolution to automatically create a merge request that
resolves the vulnerability. By default, it is powered by the Anthropic claude-3.5-sonnet model.
GitLab cannot guarantee that the large language model produces correct results. You should always review the proposed change before merging it. When reviewing, check that:
<i class="fa-youtube-play" aria-hidden="true"></i> Watch an overview
Prerequisites:
Learn more about how to enable all GitLab Duo features.
To resolve the vulnerability:
A merge request containing the AI remediation suggestions is opened. Review the suggested changes, then process the merge request according to your standard workflow.
Provide feedback on this feature in issue 476553.
To ensure that suggested resolutions are high-quality, Vulnerability Resolution is available for a specific set of vulnerabilities. The system decides whether to offer Vulnerability Resolution based on the vulnerability's Common Weakness Enumeration (CWE) identifier.
The current set of vulnerabilities are selected based on testing by automated systems and security experts. GitLab is actively working to expand coverage to more types of vulnerabilities.
<details><summary style="color:#5943b6; margin-top: 1em;"><a>View the complete list of supported CWEs for Vulnerability Resolution</a></summary> <ul> <li>CWE-23: Relative Path Traversal</li> <li>CWE-73: External Control of File Name or Path</li> <li>CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')</li> <li>CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)</li> <li>CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')</li> <li>CWE-116: Improper Encoding or Escaping of Output</li> <li>CWE-118: Incorrect Access of Indexable Resource ('Range Error')</li> <li>CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer</li> <li>CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')</li> <li>CWE-126: Buffer Over-read</li> <li>CWE-190: Integer Overflow or Wraparound</li> <li>CWE-200: Exposure of Sensitive Information to an Unauthorized Actor</li> <li>CWE-208: Observable Timing Discrepancy</li> <li>CWE-209: Generation of Error Message Containing Sensitive Information</li> <li>CWE-272: Least Privilege Violation</li> <li>CWE-287: Improper Authentication</li> <li>CWE-295: Improper Certificate Validation</li> <li>CWE-297: Improper Validation of Certificate with Host Mismatch</li> <li>CWE-305: Authentication Bypass by Primary Weakness</li> <li>CWE-310: Cryptographic Issues</li> <li>CWE-311: Missing Encryption of Sensitive Data</li> <li>CWE-323: Reusing a Nonce, Key Pair in Encryption</li> <li>CWE-327: Use of a Broken or Risky Cryptographic Algorithm</li> <li>CWE-328: Use of Weak Hash</li> <li>CWE-330: Use of Insufficiently Random Values</li> <li>CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)</li> <li>CWE-345: Insufficient Verification of Data Authenticity</li> <li>CWE-346: Origin Validation Error</li> <li>CWE-352: Cross-Site Request Forgery</li> <li>CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')</li> <li>CWE-369: Divide By Zero</li> <li>CWE-377: Insecure Temporary File</li> <li>CWE-378: Creation of Temporary File With Insecure Permissions</li> <li>CWE-400: Uncontrolled Resource Consumption</li> <li>CWE-489: Active Debug Code</li> <li>CWE-521: Weak Password Requirements</li> <li>CWE-539: Use of Persistent Cookies Containing Sensitive Information</li> <li>CWE-599: Missing Validation of OpenSSL Certificate</li> <li>CWE-611: Improper Restriction of XML External Entity Reference</li> <li>CWE-676: Use of potentially dangerous function</li> <li>CWE-704: Incorrect Type Conversion or Cast</li> <li>CWE-754: Improper Check for Unusual or Exceptional Conditions</li> <li>CWE-770: Allocation of Resources Without Limits or Throttling</li> <li>CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag</li> <li>CWE-1275: Sensitive Cookie with Improper SameSite Attribute</li> </ul> </details>Vulnerability Resolution sometimes cannot generate a suggested fix. Common causes include:
an unexpected error has occurred, the upstream AI provider request timed out, something went wrong, or a similar cause.The following data is shared with third-party AI APIs:
{{< details >}}
{{< /details >}}
{{< history >}}
resolve_vulnerability_in_mr removed.{{< /history >}}
Use GitLab Duo Vulnerability resolution to automatically create a merge request suggestion comment that
resolves the vulnerability finding. By default, it is powered by the Anthropic claude-3.5-sonnet model.
To resolve the vulnerability finding:
A comment containing the AI remediation suggestions is opened in the merge request. Review the suggested changes, then apply the merge request suggestion according to your standard workflow.
Provide feedback on this feature in issue 476553.
Vulnerability Resolution in a merge request sometimes cannot generate a suggested fix. Common causes include:
an unexpected error has occurred, the upstream AI provider request timed out, something went wrong, or a similar cause.Resolution target could not be found in the merge request, unable to create suggestion error:
{{< details >}}
{{< /details >}}
For specific types of vulnerabilities, GitLab Advanced SAST provides code flow information. A vulnerability's code flow is the path the data takes from the user input (source) to the vulnerable line of code (sink), through all assignments, manipulation, and sanitization.
For details on how to view a vulnerability's code flow, see Vulnerability code flow.
A vulnerability's status can be:
A vulnerability typically goes through the following lifecycle:
%%{init: { "fontFamily": "GitLab Sans" }}%%
stateDiagram
accTitle: Vulnerability lifecycle
accDescr: Typical lifecycle of a vulnerability
direction LR
Needs_triage: Needs triage
[*] --> Needs_triage
Needs_triage --> Confirmed
Needs_triage --> Dismissed
Dismissed --> [*]
Confirmed --> Resolved
Resolved --> Needs_triage: If reintroduced and detected again
Resolved --> [*]
{{< history >}}
vulnerability_representation_information removed.{{< /history >}}
A vulnerability may be no longer detected because of changes made deliberately to remediate it or as a side effect of other changes. When a security scan runs and a vulnerability is no longer detected in the default branch, the scanner adds No longer detected to the record's activity log but the record's status does not change. Instead you should check and confirm the vulnerability has been resolved and if so, manually change its status to Resolved. You can also use a vulnerability management policy to automatically change the status of vulnerabilities matching specific criteria to Resolved.
You can find a link to the commit that resolved the vulnerability at the top or bottom of the vulnerability page.
{{< history >}}
dismissal_reason.dismissal_reason removed.{{< /history >}}
When you dismiss a vulnerability you must choose one of the following reasons:
{{< history >}}
Developer role to change the status of a vulnerability (admin_vulnerability) was deprecated in GitLab 16.4 and removed in GitLab 17.0.{{< /history >}}
Prerequisites:
admin_vulnerability permission.To change a vulnerability's status from its Vulnerability Page:
Details of the status change, including who made the change and when, are recorded in the vulnerability's action log.
You can create a GitLab issue to track any action taken to resolve or mitigate a vulnerability. To create a GitLab issue for a vulnerability:
The issue is created in the GitLab project with information from the vulnerability report.
To create a Jira issue, see Create a Jira issue for a vulnerability.
You can link a vulnerability to one or more existing GitLab or Jira issues. Only one linking feature is available at the same time. Adding a link helps track the issue that resolves or mitigates a vulnerability.
Prerequisites:
To link a vulnerability to existing GitLab issues:
#).The selected GitLab issues are added to the Linked items section, and the linked issues counter is updated.
GitLab issues linked to a vulnerability are shown in the vulnerability report and the vulnerability's page.
Be aware of the following conditions between a vulnerability and a linked GitLab issue:
Prerequisites:
To link a vulnerability to existing Jira issues, add the following line to the Jira issue's description:
/-/security/vulnerabilities/<id>
<id> is any vulnerability ID.
You can add several lines with different IDs to one description.
Jira issues with appropriate description are added to the Related Jira issues section, and the linked issues counter is updated.
Jira issues linked to a vulnerability are shown only on the vulnerability page.
Be aware of the following conditions between a vulnerability and a linked Jira issue:
For some vulnerabilities a solution is already known but needs to be implemented manually. The Solution field in the Vulnerability page is provided by the security scanning tool that reported the security finding, or entered during the manual creation of a vulnerability. The GitLab tools utilize information from the GitLab advisory database.
Additionally, some tools may include a software patch to apply the suggested solution. In those instances, a vulnerability's page includes a Resolve with merge request option.
The following scanners are supported by this feature:
Dependency scanning.
Automatic patch creation is only available for Node.js projects managed with
yarn. Automatic patch creation is only supported when FIPS mode is disabled.
To resolve a vulnerability, you can either:
To resolve the vulnerability with a merge request:
A merge request is created which applies the patch required to resolve the vulnerability. Process the merge request according to your standard workflow.
To manually apply the patch that GitLab generated for a vulnerability:
git apply remediation.patch.[!note] Security training is not accessible in an environment that is offline, meaning computers that are isolated from the public internet as a security measure. Specifically, the GitLab server needs the ability to query the API endpoints for any training provider you choose to enable. Some third-party training vendors may require you to sign up for a free account. Sign up for an account by going to any of Secure Code Warrior, Kontra, or SecureFlag. GitLab does not send any user information to these third-party vendors; GitLab does send the CWE or OWASP identifier and the language name of the file extension.
Security training helps your developers learn how to fix vulnerabilities. Developers can view security training from selected educational providers, relevant to the detected vulnerability.
To enable security training for vulnerabilities in your project:
Each integration submits the Vulnerability identifier, for example CWE or OWASP, and the language to the security training vendor. The resulting link to the vendor training is what appears in a GitLab Vulnerability.
The vulnerability page may include a training link relevant to the detected vulnerability if security training is enabled. The availability of training depends on whether the enabled training vendor has content matching the particular vulnerability. Training content is requested based on the vulnerability identifiers. The identifier given to a vulnerability varies from one vulnerability to the next and the available training content varies between vendors. Some vulnerabilities do not display training content. Vulnerabilities with a CWE are most likely to return a training result.
To view the security training for a vulnerability:
{{< history >}}
dependency_paths. Disabled by default.dependency_paths enabled by default.{{< /history >}}
[!flag] The availability of this feature is controlled by a feature flag. For more information, see the history.
When managing vulnerabilities found in dependencies in the vulnerability details, under Location, you can view:
If the vulnerability occurs in one or more transitive dependencies, knowing only the direct dependency may not be enough. Transitive dependencies are indirect dependencies that have a direct dependent as an ancestor.
If any transitive dependencies exist, you can view the paths to all dependencies, including the transitive dependencies that contain the vulnerability.