CI Agent skips validation for pending Zero Risk requests

Incident Report for Fluid Attacks

Postmortem

Impact

At least one user was affected by CI Agent executions that did not behave as expected during build validations. The issue started on 24-03-15 19:35 (UTC-5) and was reactively discovered 14.6 months (TTD) later by a client who reported through our help desk [1] that vulnerabilities with pending Zero Risk treatment requests were being prematurely excluded from analysis. This led to builds passing incorrectly, exposing projects to potentially undetected risks. The problem was resolved in 21.6 hours (TTF), resulting in a total window of exposure of 14.6 months (WOE) [2].

Cause

When the logic was updated to break builds on zero_risk=Requested, one of the resolvers continued filtering out these vulnerabilities. As a result, relevant locations were never included in the final validation step performed by the CI Agent [3].

Solution

The resolver was corrected to include vulnerabilities with zero_risk=Requested, ensuring they are considered during build checks until explicitly approved [4].
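As an added illustration (not Fluid Attacks' own code), the resolver defect described above and its fix, modelled in Python: the buggy resolver drops any location carrying a Zero Risk value, so a merely requested treatment already hides it from the agent's final check, while the fixed resolver excludes only approved requests. The data model, the "Confirmed" and "Rejected" state names and the sample locations are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Zero Risk treatment states used in this model. The report only names
# "Requested"; "Confirmed" (explicitly approved) and "Rejected" are assumed.
ZR_REQUESTED = "Requested"
ZR_CONFIRMED = "Confirmed"
ZR_REJECTED = "Rejected"

@dataclass(frozen=True)
class Vulnerability:
    location: str
    zero_risk: Optional[str]  # None when no Zero Risk treatment was requested

def resolve_locations_buggy(vulns: List[Vulnerability]) -> List[Vulnerability]:
    # Pre-fix behaviour: any Zero Risk value, even a pending request,
    # dropped the location before the agent's final validation step.
    return [v for v in vulns if v.zero_risk is None]

def resolve_locations_fixed(vulns: List[Vulnerability]) -> List[Vulnerability]:
    # Post-fix behaviour: only an explicitly approved request excludes a
    # location; Requested and Rejected stay in scope for the build check.
    return [v for v in vulns if v.zero_risk != ZR_CONFIRMED]

Resolver = Callable[[List[Vulnerability]], List[Vulnerability]]

def build_passes(vulns: List[Vulnerability], resolver: Resolver) -> bool:
    # The agent's final step: the build breaks if the resolver still
    # returns any location, since each one is an unresolved vulnerability.
    return len(resolver(vulns)) == 0

def resolver_keeps_pending_requests(resolver: Resolver) -> bool:
    # Regression check of the kind the report says was added: a resolver is
    # acceptable only if a lone Requested vulnerability still breaks the build.
    probe = [Vulnerability("probe.py:1", ZR_REQUESTED)]
    return not build_passes(probe, resolver)

# Constructed sample: one pending request, one approved request.
SAMPLE = [
    Vulnerability("src/app/login.py:42", ZR_REQUESTED),
    Vulnerability("src/app/export.py:17", ZR_CONFIRMED),
]
```

With the buggy resolver the sample build passes even though a pending request is still an open finding; with the fixed resolver the same build breaks on that location.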

Conclusion

The CI Agent now consistently processes all relevant vulnerabilities, resulting in accurate build validations and reducing the risk of false positives in deployment pipelines. Additionally, the automated tests were updated to cover this scenario and prevent similar issues in the future.

Posted May 29, 2025 - 17:20 GMT-05:00

Resolved

The incident has been resolved, and the CI Agent now correctly treats pending Zero Risk treatment requests as active vulnerabilities.
Posted May 29, 2025 - 15:24 GMT-05:00

Identified

An issue was identified where vulnerabilities with pending Zero Risk treatment requests are prematurely excluded from the build analysis.
Posted May 29, 2025 - 10:52 GMT-05:00
This incident affected: Agent.