GitLab Ultimate False Positives in Security Dashboard

Created on 17 July 2025, 9 days ago

Problem/Motivation

While setting up a Drupal project in GitLab Ultimate, GitLab's security scanning identified a number of "critical" security vulnerabilities.

I posted these vulnerabilities privately to the security team and was given permission to re-publish these publicly here just in case others saw similar issues. The security team have verified these are "false positives."

Steps to reproduce

Enable the SAST feature in GitLab and allow it to scan a Drupal repository hosted in GitLab.

Proposed resolution

None

Remaining tasks

None

Issues

Improper control of generation of code ('Code Injection')
Severity: Critical
File: docroot/core/modules/update/src/Form/UpdateReady.php:169
Identifiers:
A1:2017 - Injection
A03:2021 - Injection
CWE-94
PHPCS Security Audit Test ID: PHPCS_SecurityAudit.BadFunctions.SystemExecFunctions.WarnSystemExec

Improper control of filename for include/require statement in PHP program ('PHP Remote File Inclusion')
Severity: Critical
File: docroot/core/assets/scaffold/files/ht.router.php:71
Identifiers:
A1:2017 - Injection
A03:2021 - Injection
CWE-98
PHPCS Security Audit Test ID: PHPCS_SecurityAudit.BadFunctions.FilesystemFunctions.WarnFilesystem

Improper neutralization of directives in dynamically evaluated code ('Eval Injection')
Severity: High
File: docroot/core/misc/time-diff.js:118
Identifiers:
A1:2017 - Injection
A03:2021 - Injection
CWE-95
NodeJS Scan ID: javascript-eval-rule-eval_nodejs (nodejs_scan.javascript-eval-rule-eval_nodejs)
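As an added example, not part of this issue and not GitLab's or Drupal's own tooling, the script below shows one way a project team can keep findings like the three above from resurfacing as "new" critical items on every pipeline run without silencing the rule globally: it reads a GitLab SAST report and dismisses only findings whose file path and rule identifier match an entry that has already been reviewed. The report JSON here is a constructed sample modelled on the findings listed above plus one hypothetical project-owned file; the field names follow the GitLab SAST report format as I know it (vulnerabilities, location.file, location.start_line, identifiers[].value), and everything else (ids, the custom module path, the summary format) is an assumption.

```python
"""Triage a GitLab SAST report against reviewed false positives.

Added example; not code from the Drupal issue or from GitLab/Drupal tooling.
Field names follow the GitLab SAST report JSON as I know it
(vulnerabilities[], location.file, location.start_line, identifiers[].value);
the sample data and every other name here are constructed/assumed.
"""
import json


def _finding(fid, severity, name, path, line, cwe, rule_type, rule_id):
    """Build one finding in the GitLab report shape (constructed data)."""
    return {"id": fid, "severity": severity, "name": name,
            "location": {"file": path, "start_line": line},
            "identifiers": [{"type": "cwe", "name": f"CWE-{cwe}", "value": str(cwe)},
                            {"type": rule_type, "name": rule_type, "value": rule_id}]}


# Constructed sample report: the three findings from the issue, plus a fourth
# in a hypothetical project-owned module that trips the same rule and must
# NOT be dismissed (it has not been reviewed).
SAMPLE_REPORT = json.dumps({"version": "15.0.0", "vulnerabilities": [
    _finding("sample-1", "Critical",
             "Improper control of generation of code ('Code Injection')",
             "docroot/core/modules/update/src/Form/UpdateReady.php", 169, 94,
             "phpcs_security_audit_test_id",
             "PHPCS_SecurityAudit.BadFunctions.SystemExecFunctions.WarnSystemExec"),
    _finding("sample-2", "Critical",
             "Improper control of filename for include/require statement in PHP program",
             "docroot/core/assets/scaffold/files/ht.router.php", 71, 98,
             "phpcs_security_audit_test_id",
             "PHPCS_SecurityAudit.BadFunctions.FilesystemFunctions.WarnFilesystem"),
    _finding("sample-3", "High",
             "Improper neutralization of directives in dynamically evaluated code",
             "docroot/core/misc/time-diff.js", 118, 95,
             "nodejs_scan_rule_id", "javascript-eval-rule-eval_nodejs"),
    _finding("sample-4", "Critical",
             "Improper control of generation of code ('Code Injection')",
             "docroot/modules/custom/example_runner/src/Runner.php", 42, 94,  # hypothetical path
             "phpcs_security_audit_test_id",
             "PHPCS_SecurityAudit.BadFunctions.SystemExecFunctions.WarnSystemExec"),
]})

# Reviewed false positives keyed on (file path, rule id). Keying on the rule
# rather than the CWE keeps each entry narrow; keying on the file rather than
# the line number keeps it valid across unrelated edits to that file. These
# three pairs are the ones the issue reports as confirmed by the security team.
REVIEWED_FALSE_POSITIVES = {
    ("docroot/core/modules/update/src/Form/UpdateReady.php",
     "PHPCS_SecurityAudit.BadFunctions.SystemExecFunctions.WarnSystemExec"),
    ("docroot/core/assets/scaffold/files/ht.router.php",
     "PHPCS_SecurityAudit.BadFunctions.FilesystemFunctions.WarnFilesystem"),
    ("docroot/core/misc/time-diff.js", "javascript-eval-rule-eval_nodejs"),
}


def rule_ids(finding):
    """All identifier values attached to a finding (CWE numbers and rule ids)."""
    return {ident["value"] for ident in finding.get("identifiers", [])}


def triage(report_text, reviewed):
    """Split a report into (open, dismissed) finding lists.

    A finding is dismissed only when its file AND one of its rule ids form a
    pair in `reviewed`; a blanket rule suppression would also hide the same
    pattern in project-owned code.
    """
    report = json.loads(report_text)
    open_findings, dismissed = [], []
    for finding in report.get("vulnerabilities", []):
        path = finding["location"]["file"]
        if any((path, rid) in reviewed for rid in rule_ids(finding)):
            dismissed.append(finding)
        else:
            open_findings.append(finding)
    return open_findings, dismissed


def summary_lines(open_findings, dismissed):
    """One human-readable line per finding, dismissed entries first."""
    lines = []
    for f in dismissed:
        loc = f["location"]
        lines.append(f"DISMISSED  {f['severity']:<8} {loc['file']}:{loc['start_line']}"
                     "  (reviewed false positive)")
    for f in open_findings:
        loc = f["location"]
        lines.append(f"OPEN       {f['severity']:<8} {loc['file']}:{loc['start_line']}  {f['name']}")
    return lines


if __name__ == "__main__":
    still_open, gone = triage(SAMPLE_REPORT, REVIEWED_FALSE_POSITIVES)
    print("\n".join(summary_lines(still_open, gone)))
```

Run it as-is to see the three core findings dismissed and the fourth, project-owned one left open. In a real pipeline the allowlist would live in the repository and the open list would be what gates the merge; the point of the (file, rule) key is that a reviewed false positive in Drupal core never hides an unreviewed hit on the same rule in code the team actually maintains.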
Issue type: Task
Status: Closed (won't fix)
Version: 10.4
Component: other
Created by: mikemadison (Seattle, WA, United States)

Tags: Security
