Scanner filter behaving erratically on Group Vulnerability Report
Summary
There are several odd behaviors with the Scanner filter on the Group Vulnerability Report (these do not seem to affect the Project Vulnerability Reports). Different combinations of selecting and deselecting specific scanners lead to incorrect results in the vulnerability list.
Steps to reproduce
From a Group Vulnerability Report (gitlab-org used for video):
- Look at the report with `All` selected in the Scanners filter and note the number of displayed vulnerabilities for a given scanner type (it may be best to pre-filter by a single project without many vulnerabilities)
- Select an individual scanner from the Scanner filter
- Observe the number of vulnerabilities displayed in the list (it should be less than the prior amount)
- Click the same scanner filter to deselect it
- Observe that the number of vulnerabilities displayed is greater and likely matches the correct total, but the `All` option is not automatically selected again
The severity counter "tiles" at the top are also not updating when performing these actions. Additionally, this may be unique to the gitlab-org Group Vulnerability Report, but selecting Secret Detection from the Scanner filter displays SAST results.
Example Project
Any Group Vulnerability Report displays these behaviors. Try gitlab-org
What is the current bug behavior?
Selecting individual scanners and clicking again to deselect does not show correct, consistent vulnerabilities in the list.
What is the expected correct behavior?
Selecting individual scanners from the Scanner filter should:
- Show only vulnerabilities for the selected scanner(s)
- Accurately reflect any other filters (Status, Severity, etc.) applied in combination
- Update the severity counter "tiles" at the top to correctly match the number of vulnerabilities displayed, by severity
Relevant logs and/or screenshots
Screen_Recording_2021-06-04_at_12.00.40_PM-2
Output of checks
Results of GitLab environment info
(For installations with the omnibus-gitlab package, run and paste the output of: `sudo gitlab-rake gitlab:env:info`. For installations from source, run and paste the output of: `sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`.)
Results of GitLab application Check
(For installations with the omnibus-gitlab package, run and paste the output of: `sudo gitlab-rake gitlab:check SANITIZE=true`. For installations from source, run and paste the output of: `sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`. We will only investigate if the tests are passing.)
Possible fixes
The issue is at https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/graphql/resolvers/vulnerabilities/scanners_resolver.rb#L13 with the `with_report_type` scope. This only returns one of each type of scanner, but `vulnerable.vulnerability_scanners` on the previous line returns all of the scanners. We need to either
- rewrite this scope to properly return all scanners if it works for all uses, or
- create a new scope for this use case.
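To make the effect of the two scopes concrete, here is an added, in-memory Ruby illustration (not GitLab's ActiveRecord code and not the actual `with_report_type` implementation). The scanner names, IDs and vulnerabilities are constructed; `scanners_one_per_report_type` only mirrors the behaviour the issue attributes to `with_report_type` (one scanner per report type), while `all_scanners` mirrors `vulnerable.vulnerability_scanners`. Driving a scanner-ID filter from the deduplicated set drops every vulnerability reported by the scanners that were collapsed away, so both the list and the severity tiles undercount.

```ruby
# Constructed model: plain structs instead of ActiveRecord models.
Scanner = Struct.new(:id, :external_id, :report_type)
Vulnerability = Struct.new(:id, :scanner_id, :severity)

# Sample data (constructed): two SAST scanners and one secret-detection scanner.
SCANNERS = [
  Scanner.new(1, 'semgrep', :sast),
  Scanner.new(2, 'brakeman', :sast),
  Scanner.new(3, 'gitleaks', :secret_detection),
].freeze

VULNS = [
  Vulnerability.new(10, 1, :high),
  Vulnerability.new(11, 2, :medium),
  Vulnerability.new(12, 2, :low),
  Vulnerability.new(13, 3, :critical),
].freeze

# Behaviour the issue describes for with_report_type: one scanner per report
# type. Scanner 2 (brakeman) is silently dropped. Hypothetical stand-in.
def scanners_one_per_report_type(scanners)
  scanners.group_by(&:report_type).values.map(&:first)
end

# Behaviour of vulnerable.vulnerability_scanners: every scanner. Stand-in.
def all_scanners(scanners)
  scanners
end

# The list is resolved by scanner ID, exactly like a scanner filter would do it.
def vulnerabilities_for_scanners(vulns, scanners)
  ids = scanners.map(&:id)
  vulns.select { |v| ids.include?(v.scanner_id) }
end

# Severity "tiles": per-severity counts over the vulnerabilities actually listed.
def severity_tiles(vulns)
  vulns.group_by(&:severity).transform_values(&:size)
end

# Select a report type in the filter using the scanners that the given scope
# exposes, then resolve the list and the tiles from that selection.
def filter_by_report_type(report_type, scope:, scanners: SCANNERS, vulns: VULNS)
  available = send(scope, scanners).select { |s| s.report_type == report_type }
  listed = vulnerabilities_for_scanners(vulns, available)
  {
    scanners: available.map(&:external_id),
    count: listed.size,
    tiles: severity_tiles(listed),
  }
end

if $PROGRAM_NAME == __FILE__
  %i[scanners_one_per_report_type all_scanners].each do |scope|
    puts "#{scope}: #{filter_by_report_type(:sast, scope: scope)}"
  end
end
```

With the deduplicated scope the SAST selection exposes only `semgrep` and lists one vulnerability; with the full scanner list it exposes both SAST scanners and lists all three, with tiles that agree with the list. Whichever fix is chosen (widening the scope or adding a new one), the filter's scanner set and the set used to resolve vulnerabilities must come from the same source, otherwise the counts diverge as they do here.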