Multiple vulnerabilities getting incorrectly linked to same issue that was opened in pipeline security tab
Summary
Multiple vulnerabilities getting incorrectly linked to same issue that was opened in pipeline security tab. This occurs when pipeline runs on default branch after MR gets merged. Possibly related to #383817 (closed) and its fix.
Steps to reproduce
- Create an MR in a new project, with security findings in the pipeline (non-default branch)
- Create issue from a finding in pipeline security tab.
- Merge the MR, check for the default pipeline run.
- In the vulnerability report, filter by Activity -> Has Issue.
This can also be reproduced by running the following E2E spec against GDK from the `qa` directory:

```shell
WEBDRIVER_HEADLESS=false GITLAB_ADMIN_PASSWORD="xxxx" GITLAB_QA_ACCESS_TOKEN=xxxx GITLAB_PASSWORD="xxxx" QA_DEBUG=true QA_GITLAB_URL=http://192.168.1.105:3000 bundle exec rspec ./qa/specs/features/ee/browser_ui/10_govern/vulnerability_management_spec.rb:136
```
Example Project
What is the current bug behavior?
The vulnerability report shows multiple vulnerabilities linked to the same issue.
What is the expected correct behavior?
It should show only the vulnerability from whose finding the issue was created in the pipeline security tab.
Relevant logs and/or screenshots
Possible fixes
- Adjust `Security::Ingestion::FindingMap#issue_feedback` to perform the lookup using `finding_uuid`.
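The following is an added, self-contained illustration of the fix direction proposed above, written for this issue rather than taken from GitLab's code: it is not the real `Security::Ingestion::FindingMap`, and the class shapes, the over-broad "by project" lookup used for contrast, and the sample findings and feedback are all constructed assumptions. It shows why keying the lookup on `finding_uuid` links an issue to exactly one vulnerability, while a looser match links every finding ingested by the default-branch pipeline to it.

```ruby
# Example code for this issue, not GitLab's own Security::Ingestion::FindingMap.
# Struct shapes, lookup strategies and sample data are assumptions.

Finding = Struct.new(:uuid, :name, :project_id, keyword_init: true)
IssueFeedback = Struct.new(:finding_uuid, :project_id, :issue_iid, keyword_init: true)

class FindingMap
  attr_reader :finding

  def initialize(finding, feedbacks)
    @finding = finding
    @feedbacks = feedbacks
  end

  # Over-broad lookup (assumed, for contrast only): any feedback in the same
  # project matches, so every finding ingested by the default-branch pipeline
  # ends up linked to the single issue that was created from one of them.
  def issue_feedback_by_project
    @feedbacks.find { |fb| fb.project_id == finding.project_id }
  end

  # Proposed lookup: only feedback recorded against this finding's UUID matches.
  def issue_feedback
    @feedbacks.find { |fb| fb.finding_uuid == finding.uuid }
  end
end

# Simulates one ingestion pass and returns { finding uuid => issue iid or nil }.
def link_issues(findings, feedbacks, strict: true)
  findings.each_with_object({}) do |finding, links|
    map = FindingMap.new(finding, feedbacks)
    fb = strict ? map.issue_feedback : map.issue_feedback_by_project
    links[finding.uuid] = fb&.issue_iid
  end
end

# Constructed sample data: three findings from the same default-branch pipeline,
# and one issue (iid 42) that was created from the second finding on the MR branch.
SAMPLE_FINDINGS = [
  Finding.new(uuid: 'uuid-a', name: 'SQL injection', project_id: 1),
  Finding.new(uuid: 'uuid-b', name: 'Hardcoded secret', project_id: 1),
  Finding.new(uuid: 'uuid-c', name: 'Outdated dependency', project_id: 1)
].freeze

SAMPLE_FEEDBACKS = [
  IssueFeedback.new(finding_uuid: 'uuid-b', project_id: 1, issue_iid: 42)
].freeze

if __FILE__ == $PROGRAM_NAME
  # Loose lookup links all three findings to issue 42; strict links only uuid-b.
  puts "loose:  #{link_issues(SAMPLE_FINDINGS, SAMPLE_FEEDBACKS, strict: false)}"
  puts "strict: #{link_issues(SAMPLE_FINDINGS, SAMPLE_FEEDBACKS)}"
end
```

Run with `ruby finding_map_example.rb` (any file name works). The strict variant reproduces the expected behaviour from the issue: after the default-branch pipeline ingests the same findings, only the finding the issue was opened from carries the link, and the other findings remain unlinked.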