Issues created on vulnerabilities are not shown as linked after merging the MR.
Summary
From the MR, issues can be created for vulnerabilities by clicking Create issue in the vulnerability popup. The created issue is shown as a comment within the vulnerability popup. Merging the MR transfers these vulnerabilities to the project's vulnerability_report page, but the link between the vulnerability and the created issue is lost after this transfer. There is no sign of the created issue in the vulnerability listed on the project's vulnerability_report page.
Steps to reproduce
- Submit an MR.
- Select one of the vulnerabilities detected in the MR pipeline from the MR overview tab and click Create issue in the vulnerability popup.
- The created issue will be displayed within the vulnerability popup as a comment, e.g. Created issue issue#.
- Now merge the MR; the vulnerabilities will show up in the project's vulnerability_report page.
- Check the vulnerability mentioned in Step 2. The already created issue won't be shown as a comment or under linked issues.
What is the current bug behavior?
Issues created for a vulnerability from the MR are not shown as linked issues in the vulnerability on the project's vulnerability_report page.
What is the expected correct behavior?
Issues created for a vulnerability from the MR will be shown as linked issues in the vulnerability on the project's vulnerability_report page.
Relevant logs and/or screenshots
Issue created from MR overview tab.
Vulnerability from project's vulnerability_report
Output of checks
This bug happens on GitLab.com
Implementation plan
- backend Adjust Security::StoreReportService to:
  - Check if the backing Vulnerabilities::Finding has any Vulnerabilities::Feedback with an issue_id after creating the Vulnerability,
  - If yes then it should create Vulnerabilities::IssueLink entries
  - Otherwise proceed as usual
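The three steps of the implementation plan, sketched as an added example that is not GitLab's own code: the Struct types are in-memory stand-ins for the models named above, and the helper name link_issues_from_feedback and all sample values are hypothetical. It also skips links that already exist, so running it again for the same vulnerability adds nothing.

```ruby
# In-memory stand-ins for the models named in the plan (hypothetical,
# not GitLab's ActiveRecord classes).
Feedback      = Struct.new(:feedback_type, :issue_id)
Finding       = Struct.new(:uuid, :feedbacks)
IssueLink     = Struct.new(:vulnerability_id, :issue_id)
Vulnerability = Struct.new(:id, :finding, :issue_links)

# Hypothetical helper, meant to run right after the Vulnerability has been
# created for its backing finding. Returns the IssueLink entries it added.
def link_issues_from_feedback(vulnerability)
  # Step 1: collect feedback on the backing finding that carries an issue_id.
  # Feedback without an issue (e.g. a dismissal) has issue_id nil and is skipped.
  issue_ids = vulnerability.finding.feedbacks.map(&:issue_id).compact.uniq

  # Skip issues that are already linked, so repeated runs stay idempotent.
  already_linked = vulnerability.issue_links.map(&:issue_id)
  missing = issue_ids - already_linked

  # Step 2: create one link per issue. Step 3: with nothing to link,
  # this returns an empty array and the caller proceeds as usual.
  missing.map do |issue_id|
    link = IssueLink.new(vulnerability.id, issue_id)
    vulnerability.issue_links << link
    link
  end
end

# Constructed sample: one issue created from the MR popup (recorded twice)
# plus one feedback entry without an issue.
def sample_vulnerability
  finding = Finding.new("constructed-uuid-1", [
    Feedback.new(:issue, 101),
    Feedback.new(:dismissal, nil),
    Feedback.new(:issue, 101)
  ])
  Vulnerability.new(1, finding, [])
end

if __FILE__ == $PROGRAM_NAME
  vulnerability = sample_vulnerability
  added = link_issues_from_feedback(vulnerability)
  puts "linked issue ids: #{added.map(&:issue_id).inspect}"
end
```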