Issues created from Standalone Vulnerabilities should link to specific file versions in finding branch instead of default branch

Summary

Issues created from Standalone Vulnerabilities have the Location field link to the finding on the default branch (i.e. master) instead of linking to a specific commit ID.

If lines are added to or removed from that file on master (which may be unrelated to the vulnerability), the link in the issue points to the wrong line.

NOTE: This has been fixed for the existing Security Dashboards, but we need to ensure the same behaviour persists once we move to Standalone (i.e. First-Class) Vulnerabilities.

Steps to reproduce

  1. In a project that has SAST findings and has the first_class_vulnerabilities feature flag enabled, go to the Security Dashboard. (ex. https://gitlab.com/gitlab-org/defend/webgoat/-/security/vulnerabilities)
  2. Click on a Vulnerability, then click Create Issue on the Vulnerability page.
  3. In the created issue, inspect the Location link. It links to master instead of a commit ID.

Example Project

https://gitlab.com/gitlab-org/gitaly/issues/2421

What is the current bug behavior?

When an issue is created from a finding, Location links to the version of the file on master, so the line anchor drifts whenever master changes.

What is the expected correct behavior?

When an issue is created from a finding, Location links to the version (commit) and branch of the file in which the finding was made, so the line anchor stays valid.
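The following is an added example, not code from this issue or from GitLab, that shows why the pinned link is the correct one. It builds both a commit-pinned and a default-branch Location link in GitLab's `/-/blob/<ref>/<path>#L<n>` permalink form, then resolves the finding's line against two constructed file versions: the commit that was scanned and a later master that gained one unrelated line above the finding. The commit SHA, file path, and file contents are constructed for the example.

```python
"""Why a vulnerability's Location link must be pinned to the scanned commit
rather than to the default branch (added example; not GitLab's own code)."""
from dataclasses import dataclass
from typing import List

# Constructed sample SHA: not a real commit in any project.
FINDING_SHA = "0123456789abcdef0123456789abcdef01234567"


@dataclass(frozen=True)
class Finding:
    """Minimal representation of a SAST finding's location (hypothetical type)."""
    project_path: str  # e.g. "gitlab-org/defend/webgoat"
    commit_sha: str    # the commit the scanner analysed
    file_path: str
    start_line: int    # 1-based line the scanner reported


def blob_url(host: str, project_path: str, ref: str, file_path: str, line: int) -> str:
    """GitLab-style blob permalink: /<project>/-/blob/<ref>/<path>#L<line>."""
    return f"https://{host}/{project_path}/-/blob/{ref}/{file_path}#L{line}"


def pinned_location_url(host: str, finding: Finding) -> str:
    """Expected behaviour: link to the exact file version that was scanned."""
    return blob_url(host, finding.project_path, finding.commit_sha,
                    finding.file_path, finding.start_line)


def default_branch_location_url(host: str, finding: Finding,
                                default_branch: str = "master") -> str:
    """Current (buggy) behaviour: link to whatever the default branch holds now."""
    return blob_url(host, finding.project_path, default_branch,
                    finding.file_path, finding.start_line)


def resolve_line(contents: List[str], finding: Finding) -> str:
    """Return the text a blob view would highlight at the finding's line anchor."""
    return contents[finding.start_line - 1]


# Constructed file versions. The scanned commit has the finding on line 4;
# master later gained an unrelated import on line 3, pushing it to line 5.
SCANNED_VERSION = [
    "package demo;",
    "",
    "public class Login {",
    '    String q = "SELECT * FROM users WHERE name = \'" + name + "\'";',
    "}",
]
MASTER_VERSION = SCANNED_VERSION[:2] + ["import java.util.List;"] + SCANNED_VERSION[2:]

FINDING = Finding("gitlab-org/defend/webgoat", FINDING_SHA, "src/Login.java", 4)


def anchor_is_stale(contents: List[str], finding: Finding, expected_snippet: str) -> bool:
    """True when the line the link points at no longer contains the finding."""
    return expected_snippet not in resolve_line(contents, finding)


if __name__ == "__main__":
    print("pinned :", pinned_location_url("gitlab.com", FINDING))
    print("default:", default_branch_location_url("gitlab.com", FINDING))
    print("stale on scanned commit:", anchor_is_stale(SCANNED_VERSION, FINDING, "SELECT"))
    print("stale on master        :", anchor_is_stale(MASTER_VERSION, FINDING, "SELECT"))
```

The pinned link resolves to the same bytes the scanner saw for as long as the commit exists, while the default-branch link silently drifts to an unrelated line after any edit above the finding, which is exactly the failure this issue describes.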

Implementation checklist

  • backend
    • Change the Location link generated by Create Issue to point to the file at the finding's commit, not the default branch
Edited by Lindsay Kerr