Can't dismiss vulnerability from MR widget
Summary
I'm trying to dismiss a vulnerability from the MR widget, but it fails. A POST to https://gitlab.com/gitlab-org/release-cli/-/vulnerability_feedback with body
{
  "vulnerability_feedback": {
    "category": "sast",
    "comment": "It is a useful feature in release-cli use cases, default value is safe.",
    "feedback_type": "dismissal",
    "pipeline_id": 223426340,
    "project_fingerprint": "f7e2416d6e33e52b85ca1a2d4be539ce645dc6ab",
    "vulnerability_data": {
      "assets": [],
      "blob_path": "/kfairlamb/release-cli/-/blob/c834ae3dbc012b9207b11a95379faa166edb4389/internal/app/app.go#L37",
      "category": "sast",
      "confidence": "low",
      "create_vulnerability_feedback_dismissal_path": null,
      "create_vulnerability_feedback_issue_path": null,
      "create_vulnerability_feedback_merge_request_path": null,
      "description": "The software does not validate, or incorrectly validates, a certificate.",
      "dismissal_feedback": null,
      "evidence": null,
      "evidence_source": null,
      "id": null,
      "identifiers": [
        {
          "external_id": "G402",
          "external_type": "gosec_rule_id",
          "name": "Gosec Rule ID G402",
          "url": null
        },
        {
          "external_id": "295",
          "external_type": "CWE",
          "name": "CWE-295",
          "url": "https://cwe.mitre.org/data/definitions/295.html"
        }
      ],
      "issue_feedback": null,
      "links": [],
      "location": {
        "file": "internal/app/app.go",
        "start_line": 37
      },
      "merge_request_feedback": null,
      "name": "TLS InsecureSkipVerify may be true.",
      "project": {
        "full_name": "Katlyn Fairlamb / release-cli",
        "full_path": "/kfairlamb/release-cli",
        "id": 22798500,
        "name": "release-cli"
      },
      "project_fingerprint": "f7e2416d6e33e52b85ca1a2d4be539ce645dc6ab",
      "remediations": [
        null
      ],
      "report_type": "sast",
      "request": null,
      "response": null,
      "scan": {
        "end_time": "2020-12-01T00:05:56",
        "start_time": "2020-12-01T00:05:48",
        "status": "success",
        "type": "sast"
      },
      "scanner": {
        "external_id": "gosec",
        "name": "Gosec",
        "vendor": "GitLab"
      },
      "severity": "high",
      "solution": null,
      "state": "detected",
      "supporting_messages": [],
      "title": "TLS InsecureSkipVerify may be true."
    }
  }
}
returns a 422 response with body
{
  "pipeline": [
    "must associate the same project"
  ]
}
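As an added illustration (not GitLab's code and not part of this issue), the following Node.js script checks a dismissal request against the endpoint it is sent to and renders a 422 body like the one above. The request shown is posted to gitlab-org/release-cli while `vulnerability_data.project.full_path` is `/kfairlamb/release-cli`; that this mismatch is what the "must associate the same project" validation is rejecting is an assumption of the example, not something the report establishes. The function names, the trimmed sample body and the response object are the example's own.

```javascript
// Added example, not GitLab's code. Pre-flight check for a vulnerability_feedback
// dismissal: does the finding's project match the project the request is posted to?
// Assumption: the 422 "pipeline must associate the same project" refers to that mismatch.

// Project path from a feedback endpoint URL, e.g.
// https://gitlab.com/gitlab-org/release-cli/-/vulnerability_feedback -> "gitlab-org/release-cli"
function projectPathFromEndpoint(endpointUrl) {
  const { pathname } = new URL(endpointUrl);
  const idx = pathname.indexOf('/-/');
  if (idx === -1) return null;
  return pathname.slice(1, idx);
}

// Strip leading/trailing slashes from a full_path such as "/kfairlamb/release-cli".
function normalizePath(p) {
  return (p || '').replace(/^\/+|\/+$/g, '');
}

// Compare the endpoint's project with the project carried inside vulnerability_data.
function checkFeedbackTarget(endpointUrl, body) {
  const feedback = body.vulnerability_feedback;
  const endpointProject = projectPathFromEndpoint(endpointUrl);
  const findingProject = normalizePath(feedback.vulnerability_data.project.full_path);
  return {
    ok: endpointProject === findingProject,
    endpointProject,
    findingProject,
    pipelineId: feedback.pipeline_id,
  };
}

// Turn a Rails-style 422 body ({ attribute: [messages] }) into one line per failure.
function describeValidationErrors(status, responseBody) {
  if (status !== 422 || !responseBody || typeof responseBody !== 'object') {
    return [`Unexpected response (HTTP ${status})`];
  }
  return Object.entries(responseBody).flatMap(([attr, msgs]) =>
    (Array.isArray(msgs) ? msgs : [String(msgs)]).map((m) => `${attr} ${m}`),
  );
}

// Combine server errors with the local cross-project check into a readable diagnosis.
function diagnose(endpointUrl, requestBody, response) {
  const target = checkFeedbackTarget(endpointUrl, requestBody);
  const lines = describeValidationErrors(response.status, response.body);
  if (!target.ok) {
    lines.push(
      `request went to ${target.endpointProject} but the finding belongs to ` +
        `${target.findingProject} (pipeline ${target.pipelineId})`,
    );
  }
  return lines;
}

// Constructed sample: a trimmed copy of the request and response quoted in the issue.
const ENDPOINT = 'https://gitlab.com/gitlab-org/release-cli/-/vulnerability_feedback';
const REQUEST_BODY = {
  vulnerability_feedback: {
    category: 'sast',
    feedback_type: 'dismissal',
    pipeline_id: 223426340,
    project_fingerprint: 'f7e2416d6e33e52b85ca1a2d4be539ce645dc6ab',
    vulnerability_data: {
      name: 'TLS InsecureSkipVerify may be true.',
      project: { full_path: '/kfairlamb/release-cli', id: 22798500 },
    },
  },
};
const RESPONSE = { status: 422, body: { pipeline: ['must associate the same project'] } };

console.log(diagnose(ENDPOINT, REQUEST_BODY, RESPONSE).join('\n'));
```

Running it prints the server's "pipeline must associate the same project" line followed by the local observation that the request targeted gitlab-org/release-cli while the finding's project is kfairlamb/release-cli; posting the same body to the fork's own endpoint passes the local check.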
Steps to reproduce
Go to release-cli!74 (closed) and dismiss the vulnerability that was detected (with a comment, not sure if that matters for the bug)
Example Project
https://gitlab.com/gitlab-org/release-cli/
What is the current bug behavior?
Can't dismiss from MR widget
What is the expected correct behavior?
I should be able to dismiss the vulnerability
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Possible fixes
Change the error message to clarify the action needed from the user: Could not dismiss vulnerability because the associated pipeline no longer exists. Refresh the page and try again.
The error message can be found here: https://gitlab.com/gitlab-org/gitlab/-/blob/af27c54ba6589e8eb0d627ae4369782158e1e098/ee/app/assets/javascripts/vue_shared/security_reports/store/actions.js#L216