At least one group had a root cloned without its lines of code being included in the scope. The issue started on UTC-5 23-09-14 08:27 and was discovered reactively 9.1 hours later (TTD), when a user reported through our help desk [1] that vulnerabilities were not being reported in one of their repositories because lines of code from its files were missing. The problem was resolved in 18.4 hours (TTF), for a total impact of 1.1 days (TTR).
Cause
The surface data for this finding had not been updated. These data are normally refreshed through the `refreshToeLines` mutation, which runs a `server_async` task named `integrates_refresh` that populates the surface data. For the affected finding, that task never executed, and the traceability data available for `server_async` tasks were not enough to establish why.
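The gap above is that the logs could not say whether `integrates_refresh` was never requested, was requested but never picked up, or started and died. The following is an added example, not the page's or the project's code: a small wrapper that logs the full lifecycle of an async task (enqueued, started, finished, failed) under one trace id, plus a `diagnose` query that answers that question from the log alone. The task name `integrates_refresh` and the `server_async` wording are reused only as labels; the queue, the event names and the `subject` key are assumptions.

```python
"""Added example: lifecycle tracing for async background tasks.

Not the page's project code. The task name `integrates_refresh` and the
finding-style subject keys are reused from the postmortem only as labels;
the wrapper, queue, event names and log format are assumptions.
"""
import asyncio
import time
import traceback
import uuid
from typing import Any, Awaitable, Callable, Dict, List

# Stand-in for a log sink; constructed for the example.
TRACE_LOG: List[Dict[str, Any]] = []


def _emit(event: str, **fields: Any) -> None:
    TRACE_LOG.append({"ts": time.time(), "event": event, **fields})


def traced(task_name: str) -> Callable:
    """Decorator: log start, success and failure of a task under one trace_id."""

    def wrap(fn: Callable[..., Awaitable[Any]]) -> Callable:
        async def runner(trace_id: str, subject: str, **kwargs: Any) -> Any:
            base = {"task": task_name, "trace_id": trace_id, "subject": subject}
            _emit("task.started", **base)
            try:
                result = await fn(subject, **kwargs)
            except Exception as exc:
                # Record the failure with its stack, then let it propagate.
                _emit("task.failed", error=repr(exc), stack=traceback.format_exc(), **base)
                raise
            _emit("task.finished", **base)
            return result

        runner.task_name = task_name  # type: ignore[attr-defined]
        return runner

    return wrap


class Queue:
    """Minimal in-process queue. The enqueue event is what proves a caller
    actually asked for the task; without it a silently dropped job is invisible."""

    def __init__(self) -> None:
        self._pending: List[tuple] = []

    def enqueue(self, task: Callable, subject: str, **kwargs: Any) -> str:
        trace_id = uuid.uuid4().hex
        _emit("task.enqueued", task=task.task_name, trace_id=trace_id, subject=subject)
        self._pending.append((task, trace_id, subject, kwargs))
        return trace_id

    async def drain(self, drop: frozenset = frozenset()) -> None:
        """Run pending tasks. `drop` simulates a scheduler that loses a job,
        the failure mode the postmortem could not distinguish from a crash."""
        for task, trace_id, subject, kwargs in self._pending:
            if trace_id in drop:
                continue  # lost job: only the enqueued event survives
            try:
                await task(trace_id, subject, **kwargs)
            except Exception:
                pass  # already logged by the wrapper
        self._pending.clear()


def diagnose(task_name: str, subject: str) -> str:
    """Answer 'what happened to task X for subject Y?' from the trace log alone."""
    events = [e["event"] for e in TRACE_LOG
              if e["task"] == task_name and e["subject"] == subject]
    if not events:
        return "never_enqueued"
    if "task.finished" in events:
        return "finished"
    if "task.failed" in events:
        return "failed"
    if "task.started" in events:
        return "started_not_finished"
    return "enqueued_not_started"


@traced("integrates_refresh")
async def integrates_refresh(subject: str, *, lines: int) -> int:
    """Hypothetical refresh job; a zero line count is a constructed failure."""
    if lines <= 0:
        raise ValueError("no lines of code to refresh")
    await asyncio.sleep(0)
    return lines


def demo() -> Dict[str, str]:
    """Four constructed subjects: one succeeds, one is dropped by the scheduler,
    one raises, one is never requested at all."""
    TRACE_LOG.clear()
    q = Queue()
    q.enqueue(integrates_refresh, "finding-A", lines=120)
    lost = q.enqueue(integrates_refresh, "finding-B", lines=50)
    q.enqueue(integrates_refresh, "finding-C", lines=0)
    asyncio.run(q.drain(drop=frozenset({lost})))
    return {s: diagnose("integrates_refresh", s)
            for s in ("finding-A", "finding-B", "finding-C", "finding-D")}


if __name__ == "__main__":
    for subject, status in demo().items():
        print(subject, status)
```

The point of logging the enqueue event separately from the start event is that it splits "the mutation never asked for the task" from "the task was asked for but the worker never ran it", which is exactly the distinction the `server_async` logs could not make here.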
The surface data for the affected finding were populated by running the `integrates_refresh` task manually.
The lack of traceability in the `server_async` logs prevented us from pinpointing the exact cause of the bug. An issue was created to add traceability to these tasks [2].

LACK_OF_TRACEABILITY