Dismissed, fixed vulnerability findings can be commented upon, but the comment is never shown
Summary
After fixing and verifying #32767 (closed), I noticed that fixed vulnerabilities that were previously dismissed appear to be able to have their dismissal comment added/edited, but the added/edited comment is never displayed.
Steps to reproduce
- Dismiss a vulnerability finding in a project without a comment
- Create an MR which fixes that finding
- Attempt to add a comment to the dismissal for that finding in that MR
- See that the comment is not displayed, even after a full refresh
Example Project
gitlab-examples/security/security-reports!2 (closed) - see the dismissed SAST finding `Cipher with no integrity`
What is the current bug behavior?
The dismissal comment can be added/edited (should this be allowed anyway?), but the added/edited comment is never displayed.
What is the expected correct behavior?
Either:
- Dismissed, fixed findings' dismissal comments can't be added/edited, or
- Dismissed, fixed findings' dismissal comments can be added/edited, and are displayed immediately in the UI, and persisted.
Relevant logs and/or screenshots
[Screenshot: vuln-finding-fixed-dismissed-comment]
Possible fixes
It appears the `PATCH` request to the feedback endpoint succeeds when the comment is added/edited. On a subsequent reload, the `GET` to the feedback endpoint appears to return the correct added/edited comment as well, so there's something odd going on in the frontend, or maybe some kind of caching issue.
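The following is an added example, not code from GitLab or this issue. It models the symptom described above with an in-memory stand-in for the feedback endpoint: the `PATCH` persists the comment, a reload `GET` returns it, and yet the rendered view stays empty. The finding, the feedback record and the comment text are constructed sample data, and the cause it models (a render path that drops the dismissal comment once a finding is in the `fixed` state) is an assumption chosen to reproduce the reported behaviour, not a diagnosis of the real frontend.

```javascript
// Added example (not GitLab code): constructed model of "persisted but never displayed".

// Constructed sample finding: dismissed earlier without a comment, since fixed by an MR.
function makeFinding() {
  return {
    id: 'finding-cipher-no-integrity',        // constructed identifier
    state: 'fixed',
    dismissal_feedback: { id: 1, comment: null },
  };
}

// Mock feedback endpoint: persists feedback records keyed by feedback id.
function makeFeedbackApi() {
  const records = new Map([[1, { id: 1, comment: null }]]);
  return {
    // Stand-in for PATCH /vulnerability_feedback/:id
    patch(id, { comment }) {
      const rec = records.get(id);
      if (!rec) return { status: 404 };
      rec.comment = comment;
      return { status: 200, body: { ...rec } };
    },
    // Stand-in for GET /vulnerability_feedback/:id
    get(id) {
      const rec = records.get(id);
      return rec ? { status: 200, body: { ...rec } } : { status: 404 };
    },
  };
}

// Step 1 of the report: the PATCH succeeds.
function submitComment(api, finding, comment) {
  const res = api.patch(finding.dismissal_feedback.id, { comment });
  if (res.status !== 200) throw new Error(`PATCH failed with ${res.status}`);
  return res.status;
}

// Step 2: a full refresh re-fetches the feedback record and merges it into the finding.
function reload(api, finding) {
  const res = api.get(finding.dismissal_feedback.id);
  if (res.status !== 200) throw new Error(`GET failed with ${res.status}`);
  return { ...finding, dismissal_feedback: { ...finding.dismissal_feedback, ...res.body } };
}

// Hypothetical buggy renderer (assumption): suppresses the comment for fixed findings,
// so the comment is present in the data but never shown.
function renderCommentBuggy(finding) {
  if (finding.state === 'fixed') return null;
  return finding.dismissal_feedback.comment;
}

// Corrected renderer: show the dismissal comment whenever the feedback carries one.
function renderCommentFixed(finding) {
  return finding.dismissal_feedback.comment ?? null;
}

// The check the reporter did by hand: compare what the endpoint persisted with what the UI shows.
function reproduce(render) {
  const api = makeFeedbackApi();
  let finding = makeFinding();
  submitComment(api, finding, 'constructed dismissal comment');
  finding = reload(api, finding);
  const server = api.get(finding.dismissal_feedback.id).body.comment;
  const shown = render(finding);
  return { server, shown, consistent: server === shown };
}

console.log('buggy renderer:', reproduce(renderCommentBuggy));
console.log('fixed renderer:', reproduce(renderCommentFixed));
```

`reproduce` returns `{ server, shown, consistent }`; with the buggy renderer `server` holds the comment while `shown` is `null`, which is exactly the split between backend and UI that the `PATCH`/`GET` observations above point to. Because the mock `reload` does merge the `GET` body, the example also shows that a stale-state explanation alone would not survive a full refresh, so the render or caching layer is where to look.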