DevSecOps streamlines software development by allowing teams to ship features quickly and providing short feedback cycles for customers. These short feedback cycles can be used to monitor the impact of a feature from the time it is shipped and to inform developers and product managers about the success or failure of a given deployment.
GitLab, as an agnostic DevSecOps platform, can act as an integration point for different CI/CD tools that often contribute to user-facing functionality. For example, the vulnerability report, which displays all detected vulnerabilities, is visible as a single functionality, but the data in the report may come from a number of different tools in various pipelines.
In a heterogeneous Static Application Security Testing (SAST) setup, we find two potential sources of duplicate vulnerabilities:
- Code volatility refers to the apparent reintroduction of known vulnerabilities as the code around them changes: a finding whose file or line has moved looks like a new one.
- Double reporting refers to duplication introduced when multiple tools report the same vulnerability.
GitLab addresses both sources of duplication with the Advanced Vulnerability Tracking feature, which identifies and deduplicates vulnerabilities in a constantly changing code base.
Advanced Vulnerability Tracking uses contextual information from generated syntax trees to scope each vulnerability, and generates location fingerprints that are less fragile across code changes than those of other tracking methods.
In a recent study, we showed that our vulnerability tracking approach was 30% more effective than traditional line-based vulnerability tracking, in which the tuple <file, line number> is used to fingerprint a vulnerability. By that measure, Advanced Vulnerability Tracking reduces the manual effort of auditing vulnerabilities by 30%. In addition, the study suggests that the positive effect of our tracking method increases over time.
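To make the difference between the two fingerprinting schemes concrete, here is an added illustration (example code written for this article, not GitLab's implementation of Advanced Vulnerability Tracking). It stands in Python's `ast` module for the generated syntax trees the real feature uses across languages, and simplifies "offset" to the line distance from the start of the innermost enclosing function or class. The sample source files, the scanner names and all helper names are constructed for the demo. It shows both duplication sources from the list above: a line shift caused by an unrelated edit (code volatility) and two tools reporting the same sink (double reporting).

```python
"""Scope+offset fingerprints versus line-based fingerprints (added illustration).

Not GitLab's implementation: Advanced Vulnerability Tracking derives scopes from
generated syntax trees across languages; Python's `ast` stands in for that here,
and "offset" is simplified to the line distance from the start of the innermost
enclosing function or class. Sources, tool names and helpers are constructed.
"""
import ast
import hashlib

# Version 1 of a constructed source file; the string-concatenated SQL sink is line 8.
V1 = """\
import sqlite3

class UserRepo:
    def __init__(self, conn):
        self.conn = conn

    def find(self, name):
        query = "SELECT * FROM users WHERE name = '" + name + "'"
        return self.conn.execute(query)
"""

# Version 2: unrelated lines added above the sink shift it to line 13.
V2 = """\
import logging
import sqlite3

log = logging.getLogger(__name__)

class UserRepo:
    # Data access for users.

    def __init__(self, conn):
        self.conn = conn

    def find(self, name):
        query = "SELECT * FROM users WHERE name = '" + name + "'"
        return self.conn.execute(query)
"""

# Version 3: a line added inside the same function, above the sink (line 9).
V3 = """\
import sqlite3

class UserRepo:
    def __init__(self, conn):
        self.conn = conn

    def find(self, name):
        name = name.strip()
        query = "SELECT * FROM users WHERE name = '" + name + "'"
        return self.conn.execute(query)
"""


def sink_line(src):
    """Locate the constructed sink; a real scanner reports this line itself."""
    for number, text in enumerate(src.splitlines(), start=1):
        if "+ name +" in text:
            return number
    raise ValueError("sink not found")


def enclosing_scope(src, line):
    """Innermost class/function containing `line`, as a dotted path plus its start line.
    Containing scopes nest, so sorting by start line orders them outermost first."""
    tree = ast.parse(src)
    scopes = [n for n in ast.walk(tree)
              if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef))
              and n.lineno <= line <= n.end_lineno]
    if not scopes:
        return "<module>", 1
    scopes.sort(key=lambda n: n.lineno)
    return ".".join(n.name for n in scopes), scopes[-1].lineno


def _digest(*parts):
    return hashlib.sha256("\x00".join(map(str, parts)).encode()).hexdigest()[:16]


def line_fingerprint(path, line):
    """Traditional tracking: <file, line number>."""
    return _digest(path, line)


def scope_offset_fingerprint(path, src, line):
    """Scope+offset tracking: <file, enclosing scope, line offset within that scope>."""
    scope, start = enclosing_scope(src, line)
    return _digest(path, scope, line - start)


def dedupe(findings, key):
    """Group reports from several tools/pipelines by fingerprint."""
    groups = {}
    for f in findings:
        groups.setdefault(key(f), []).append(f["tool"])
    return groups


# Constructed reports: two tools on V1 and the same two on V2.
FINDINGS = [
    {"tool": "scanner-a", "path": "repo.py", "src": V1},
    {"tool": "scanner-b", "path": "repo.py", "src": V1},
    {"tool": "scanner-a", "path": "repo.py", "src": V2},
    {"tool": "scanner-b", "path": "repo.py", "src": V2},
]
for f in FINDINGS:
    f["line"] = sink_line(f["src"])


def line_groups():
    return dedupe(FINDINGS, lambda f: line_fingerprint(f["path"], f["line"]))


def scope_groups():
    return dedupe(FINDINGS, lambda f: scope_offset_fingerprint(f["path"], f["src"], f["line"]))


if __name__ == "__main__":
    print("line-based groups:  ", len(line_groups()))    # 2: the line shift looks like a new vuln
    print("scope+offset groups:", len(scope_groups()))   # 1: all four reports are one vuln
    # An edit inside the scope above the sink still changes the offset (residual fragility):
    print(scope_offset_fingerprint("repo.py", V3, sink_line(V3)) ==
          scope_offset_fingerprint("repo.py", V1, sink_line(V1)))  # False
```

The V3 case is the caveat to keep in mind: scope+offset is less fragile than a bare line number because edits elsewhere in the file do not disturb it, but an insertion inside the same function above the sink still moves the offset, so "less fragile" is not "immutable".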
A preprint of our study, "A scalable, effective and simple Vulnerability Tracking approach for heterogeneous SAST setups based on Scope+Offset", is available; the paper will be presented at the 47th International Conference on Software Engineering (ICSE 2025), Software Engineering in Practice track.
Lucas Charles, Jason Leasure, and Hua Yan contributed to this article and study.