Suppress 'no longer vulnerable' vulnerabilities reported by Snyk

[sahibamittal]

Current Behavior

Scenario: For a component, say Snyk reported a vulnerability earlier. Now it is no longer vulnerable. But in DT we don't have any process to remove such vulnerability from our records, and it is being reported to users as vulnerable.
When we receive records from Snyk, we filter the records which have non-empty data and in this case, such vulnerabilities are never deleted.

Proposed Behavior

Implement cleanup of 'no longer vulnerable' vulnerabilities.

Checklist

• I have read and understand the contributing guidelines
• I have checked the existing issues for whether this enhancement was already requested

[nscuro]

When we receive records from Snyk, we filter the records which have non-empty data and in this case, such vulnerabilities are never deleted.

Are you saying Snyk reports vulnerability record without any data, when they revoke an entry?

Is this issue about actual deletion of VULNERABILITY records, or about auto-supression of findings?

[sahibamittal]

When we receive records from Snyk, we filter the records which have non-empty data and in this case, such vulnerabilities are never deleted.

Are you saying Snyk reports vulnerability record without any data, when they revoke an entry?

Is this issue about actual deletion of VULNERABILITY records, or about auto-supression of findings?

Yes it seems Snyk returns record with empty data if that component version is no longer vulnerable. We've observed this with pkg:maven/org.springframework/[email protected]
It's impacting all projects with this component.
Currently, to remove such vulnerability, the project has to be deleted and re-uploaded.

[nscuro]

Yes it seems Snyk returns record with empty data if that component version is no longer vulnerable.

Oh wow, seems like a really odd thing to do...

In that case the Snyk analyzer could set the rejected field of the vulnerability.