Impact
At least one user experienced issues with CI Agent executions not behaving as expected during build validations. The issue started on UTC-5 24-03-15 19:35 and was reactively discovered 14.6 months (TTD) later by a client who reported through our help desk [1] that vulnerabilities with pending Zero Risk treatment requests were being prematurely excluded from analysis. This led to builds passing incorrectly, exposing projects to potential undetected risks. The problem was resolved in 21.6 hours (TTF), resulting in a total window of exposure of 14.6 months (WOE) [2].
Cause
When the logic was updated to break builds on zero_risk=Requested, one of the resolvers continued filtering out these vulnerabilities. As a result, relevant locations were never included in the final validation step performed by the CI Agent [3].
Solution
The resolver was corrected to include vulnerabilities with zero_risk=Requested, ensuring they are considered during build checks until explicitly approved [4].
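The following is an added illustration of the failure mode described in the Cause and Solution sections above; it is not the project's own resolver or CI Agent code. The vulnerability records, the zero_risk states (None, Requested, Confirmed, Rejected), the two resolver variants and the severity threshold are all assumptions made for the example. It shows a buggy resolver that drops every vulnerability carrying any zero-risk state, the corrected one that drops only approved (Confirmed) exclusions, and a build check that passes incorrectly only under the buggy variant, which is the regression a CI test should catch.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Vulnerability:
    """Hypothetical vulnerability record as a resolver might return it."""
    vuln_id: str
    where: str            # location, e.g. a file path or endpoint
    severity: float       # CVSS-like score used for the build threshold
    zero_risk: Optional[str]  # None, "Requested", "Confirmed" or "Rejected"


ZERO_RISK_APPROVED = "Confirmed"   # assumed name of the approved state


def resolver_before(vulns: List[Vulnerability]) -> List[Vulnerability]:
    """Buggy behaviour: any zero-risk state, including a mere request,
    removes the vulnerability from what the CI Agent gets to validate."""
    return [v for v in vulns if v.zero_risk is None]


def resolver_after(vulns: List[Vulnerability]) -> List[Vulnerability]:
    """Corrected behaviour: only an approved (Confirmed) zero-risk treatment
    excludes a vulnerability. Requested and Rejected stay in scope."""
    return [v for v in vulns if v.zero_risk != ZERO_RISK_APPROVED]


def validate_build(
    vulns: List[Vulnerability],
    resolver: Callable[[List[Vulnerability]], List[Vulnerability]],
    min_severity: float = 0.0,
) -> Tuple[bool, List[str]]:
    """Mimic the CI Agent's final step: resolve the vulnerabilities, then
    break the build if any remaining one meets the severity threshold.
    Returns (build_passes, offending_locations)."""
    remaining = [v for v in resolver(vulns) if v.severity >= min_severity]
    return (len(remaining) == 0, sorted(v.where for v in remaining))


# Constructed sample data (not taken from any real report).
# Case 1: the only open finding has a pending Zero Risk request.
SAMPLE_PENDING_ONLY = [
    Vulnerability("v-002", "src/auth/login.py", 9.1, "Requested"),
    Vulnerability("v-003", "src/legacy/report.py", 4.0, "Confirmed"),
]

# Case 2: a mix of every state.
SAMPLE_MIXED = [
    Vulnerability("v-001", "src/api/upload.py", 7.5, None),
    Vulnerability("v-002", "src/auth/login.py", 9.1, "Requested"),
    Vulnerability("v-003", "src/legacy/report.py", 4.0, "Confirmed"),
    Vulnerability("v-004", "src/db/query.py", 6.5, "Rejected"),
]


def regression_check() -> bool:
    """The scenario the automated tests should cover: a pending request must
    still break the build. True when the corrected resolver behaves as
    intended and the buggy one would have let the build through."""
    passes_buggy, _ = validate_build(SAMPLE_PENDING_ONLY, resolver_before)
    passes_fixed, locations = validate_build(SAMPLE_PENDING_ONLY, resolver_after)
    return passes_buggy and not passes_fixed and locations == ["src/auth/login.py"]


if __name__ == "__main__":
    for name, resolver in (("before", resolver_before), ("after", resolver_after)):
        passes, where = validate_build(SAMPLE_PENDING_ONLY, resolver)
        print(f"{name}: build {'PASSES' if passes else 'BREAKS'} {where}")
    print("regression check:", regression_check())
```

The point worth keeping from this example is the shape of the regression test: it feeds the CI step a data set whose only open finding is in the Requested state and asserts that the build breaks. Testing with a data set that also contains an untreated finding would have hidden this bug, because that finding alone breaks the build regardless of how Requested is handled.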
Conclusion
The CI Agent now consistently processes all relevant vulnerabilities, including those with a pending Zero Risk request, resulting in accurate build validations and reducing the risk of open vulnerabilities slipping through deployment pipelines undetected. Additionally, the automated tests were updated to cover this scenario and prevent similar issues in the future.