Fluid Attacks incident

CI Agent skips validation for pending Zero Risk requests


Fluid Attacks experienced a notice incident on May 29, 2025 affecting Agent, lasting 4h 31m. The incident has been resolved; the full update timeline is below.

Started: May 29, 2025, 03:52 PM UTC
Resolved: May 29, 2025, 08:24 PM UTC
Duration: 4h 31m
Detected by Pingoru: May 29, 2025, 03:52 PM UTC

Affected components

Agent

Update timeline

  1. identified May 29, 2025, 03:52 PM UTC

    An issue was identified where vulnerabilities with pending Zero Risk treatment requests are prematurely excluded from the build analysis.

  2. resolved May 29, 2025, 08:24 PM UTC

    The incident has been resolved, and the CI Agent now correctly treats pending Zero Risk treatment requests as active vulnerabilities.

  3. postmortem May 29, 2025, 10:10 PM UTC

    **Impact** At least one user experienced issues with CI Agent executions not behaving as expected during build validations. The issue started on UTC-5 24-03-15 19:35 and was reactively discovered 14.6 months (TTD) later by a client who reported through our help desk [\[1\]](https://help.fluidattacks.com/agent/fluid4ttacks/fluid-attacks/tickets/details/944043000036892949) that vulnerabilities with pending Zero Risk treatment requests were being prematurely excluded from analysis. This led to builds passing incorrectly, exposing projects to potential undetected risks. The problem was resolved in 21.6 hours (TTF), resulting in a total window of exposure of 14.6 months (WOE) [\[2\]](https://gitlab.com/fluidattacks/universe/-/issues/16151).

    **Cause** When the logic was updated to break builds on `zero_risk=Requested`, one of the resolvers continued filtering out these vulnerabilities. As a result, the relevant locations were never included in the final validation step performed by the CI Agent [\[3\]](https://gitlab.com/fluidattacks/universe/-/merge_requests/58297).

    **Solution** The resolver was corrected to include vulnerabilities with `zero_risk=Requested`, ensuring they are considered during build checks until the request is explicitly approved [\[4\]](https://gitlab.com/fluidattacks/universe/-/merge_requests/78446).

    **Conclusion** The CI Agent now consistently processes all relevant vulnerabilities, resulting in accurate build validations and reducing the risk of false positives in deployment pipelines. Additionally, the automated tests were updated to cover this scenario and prevent similar issues in the future.

    **INCOMPLETE_PERSPECTIVE**
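The following is an added illustration of the resolver defect described in the postmortem; it is not Fluid Attacks' own code, and the data model is assumed: each vulnerability carries a `zero_risk` state that is one of `None`, `"Requested"`, `"Confirmed"` or `"Rejected"` (the last two names are assumptions, as is the severity threshold). It places the pre-fix filter, which drops any finding with a Zero Risk value set, beside the corrected filter, which drops only approved requests, and runs a build gate over constructed sample findings to show how a pending request silently let the build pass.

```python
"""Illustration (not Fluid Attacks' code) of a CI gate that wrongly skips
vulnerabilities with a pending Zero Risk request, beside the corrected filter.

Assumed model: `zero_risk` is None, "Requested", "Confirmed" or "Rejected".
Only a confirmed (approved) request may remove a finding from the build check;
a pending request must still count as an active vulnerability.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Vulnerability:
    location: str            # file:line, constructed
    severity: float          # CVSS-like score, constructed
    zero_risk: Optional[str]  # None, "Requested", "Confirmed", "Rejected"


def resolve_open_buggy(vulns: List[Vulnerability]) -> List[Vulnerability]:
    """Pre-fix behaviour (assumed): any finding with a Zero Risk value set,
    including a merely *requested* one, is filtered out of the analysis."""
    return [v for v in vulns if v.zero_risk is None]


def resolve_open_fixed(vulns: List[Vulnerability]) -> List[Vulnerability]:
    """Corrected behaviour: only an approved ("Confirmed") request excludes a
    finding; pending and rejected requests keep it active in the build check."""
    return [v for v in vulns if v.zero_risk != "Confirmed"]


def build_should_break(
    vulns: List[Vulnerability],
    resolver: Callable[[List[Vulnerability]], List[Vulnerability]],
    min_severity: float = 7.0,
) -> bool:
    """CI gate: break the build when any still-active finding meets the
    severity threshold (threshold value is an assumption for the example)."""
    return any(v.severity >= min_severity for v in resolver(vulns))


# Constructed sample findings: one high-severity finding has a *pending*
# Zero Risk request, one is untreated and low, one is an approved Zero Risk.
SAMPLE = [
    Vulnerability("src/auth.py:42", 9.1, "Requested"),
    Vulnerability("src/util.py:7", 3.2, None),
    Vulnerability("src/legacy.py:101", 8.5, "Confirmed"),
]


def compare_gates(vulns: List[Vulnerability]) -> dict:
    """Run both resolvers through the gate and report the decisions."""
    return {
        "buggy_breaks_build": build_should_break(vulns, resolve_open_buggy),
        "fixed_breaks_build": build_should_break(vulns, resolve_open_fixed),
        "fixed_active_locations": [v.location for v in resolve_open_fixed(vulns)],
    }


if __name__ == "__main__":
    for key, value in compare_gates(SAMPLE).items():
        print(f"{key}: {value}")
```

With the constructed sample, the pre-fix resolver hides the 9.1-severity finding because its Zero Risk request is merely pending, so the gate passes; the corrected resolver keeps it active and the gate breaks the build, which is the behaviour the fix restores. The same pair of functions doubles as a regression test case of the kind the postmortem says was added.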