Dismissal of single SAST IaC Pipeline Finding results in mass dismissal
Summary
Dismissing a single Category:SAST IaC vulnerability finding on the pipeline security tab results in the mass dismissal of all findings in that pipeline.
Steps to reproduce
- Fork https://gitlab.com/gitlab-org/security-products/tests/ansible
- Simplify CI (simultaneously triggering new pipeline) https://gitlab.com/theoretick/ansible-goop/-/commit/a352885d42fc5535b587ecfb6d6d6da99eecfe00
- Once pipeline has completed, dismiss a single finding on pipeline security tab
- Reload page
- Note all findings have been dismissed
Example Project
https://gitlab.com/gitlab-org/security-products/tests/ansible
What is the current bug behavior?
- Dismissing a single finding dismisses multiple findings
What is the expected correct behavior?
- Dismissing a single finding should dismiss only that finding
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Possible fixes
This bug occurs due to the current way we retrieve feedback for findings. Once we move to using UUID for feedback, this issue should be resolved.
Implementation plan
- backend: The `Security::FindingsFinder` class is using the same dismissed vulnerability for all of the security findings.
- The `vulnerability_for` method is most likely the culprit here, needing to change the search from using `project_fingerprint` to `uuid`.
- The
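To make the failure mode concrete, here is an added illustration (not GitLab's code; the model names, the fingerprint derivation and the sample data are all constructed assumptions) of why matching dismissal feedback on a fingerprint shared by several findings marks all of them dismissed, while matching on the per-finding uuid does not:

```ruby
require 'digest'

# Simplified stand-ins for the real finding/feedback models (assumption: names only).
Finding  = Struct.new(:uuid, :project_fingerprint, :location, keyword_init: true)
Feedback = Struct.new(:finding_uuid, :project_fingerprint, :feedback_type, keyword_init: true)

# Constructed fingerprint derived from scanner and rule only, so findings of the
# same rule at different locations collide on it (the assumption modelled here).
def project_fingerprint(scanner, rule)
  Digest::SHA1.hexdigest("#{scanner}:#{rule}")
end

# Constructed sample: three IaC findings for one rule at three locations.
SAMPLE_FINDINGS = [
  Finding.new(uuid: '11111111-1111-4111-8111-111111111111', project_fingerprint: project_fingerprint('iac-scanner', 'no_privileged'), location: 'playbook.yml:10'),
  Finding.new(uuid: '22222222-2222-4222-8222-222222222222', project_fingerprint: project_fingerprint('iac-scanner', 'no_privileged'), location: 'playbook.yml:25'),
  Finding.new(uuid: '33333333-3333-4333-8333-333333333333', project_fingerprint: project_fingerprint('iac-scanner', 'no_privileged'), location: 'roles/web/tasks/main.yml:4'),
].freeze

# Constructed sample: the user dismissed only the first finding.
SAMPLE_FEEDBACK = [
  Feedback.new(finding_uuid: SAMPLE_FINDINGS[0].uuid, project_fingerprint: SAMPLE_FINDINGS[0].project_fingerprint, feedback_type: 'dismissal'),
].freeze

# Buggy lookup: joins feedback to findings on the non-unique fingerprint.
def feedback_by_fingerprint(finding, feedback)
  feedback.find { |fb| fb.project_fingerprint == finding.project_fingerprint }
end

# Fixed lookup: joins on the uuid, which identifies exactly one finding.
def feedback_by_uuid(finding, feedback)
  feedback.find { |fb| fb.finding_uuid == finding.uuid }
end

# Locations of the findings the security tab would render as dismissed.
def dismissed_locations(findings, feedback, matcher)
  findings.select { |finding|
    fb = send(matcher, finding, feedback)
    fb && fb.feedback_type == 'dismissal'
  }.map(&:location)
end

if __FILE__ == $PROGRAM_NAME
  puts "by fingerprint: #{dismissed_locations(SAMPLE_FINDINGS, SAMPLE_FEEDBACK, :feedback_by_fingerprint).inspect}"
  puts "by uuid:        #{dismissed_locations(SAMPLE_FINDINGS, SAMPLE_FEEDBACK, :feedback_by_uuid).inspect}"
end
```

Run as a script it prints three dismissed locations for the fingerprint join and one for the uuid join, which is the difference between the bug report's observed and expected behaviour.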
Edited by Jonathan Schafer