SecurityFinding::CreateIssueService does not properly populate issue
Summary
The SecurityFinding::CreateIssueService does not properly populate the issue. The created issue contains only a description and none of the other vulnerability data (scanners, identifiers, etc.). The description itself also appears to be built from the title rather than the actual description.
Steps to reproduce
Call the securityFindingCreateIssue mutation with the :deprecate_vulnerabilities_feedback feature flag enabled.
Example Project
What is the current bug behavior?
Only the (incorrect) description is present in the issue
What is the expected correct behavior?
All fields should be present in the issue
Relevant logs and/or screenshots
Expected issue:
Actual issue:
Possible fixes
When creating an issue from a vulnerability via the web UI, the VulnerabilityPresenter is used to decorate the Vulnerability instance when rendering the issue description: https://gitlab.com/gitlab-org/gitlab/-/blob/62173bd264f359cb4d39c1b7b24316c1f6cc94f4/ee/app/controllers/ee/projects/issues_controller.rb#L112-118
The decorated instance exposes various properties (including pulling the description from the finding if it is absent on the vulnerability, setting the scanner from the finding, etc.) that are not available when the presenter is not used. The service class Issues::CreateFromVulnerabilityDataService, which the GraphQL endpoint ultimately uses to populate the description, does not use the VulnerabilityPresenter: https://gitlab.com/gitlab-org/gitlab/-/blob/62173bd264f359cb4d39c1b7b24316c1f6cc94f4/ee/app/services/issues/create_from_vulnerability_data_service.rb#L40-46
A possible solution is therefore to use the VulnerabilityPresenter in Issues::CreateFromVulnerabilityDataService.
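As an added illustration of the proposed fix (this is not GitLab's code; the Finding and Vulnerability structs, the presenter's methods and the rendering helpers are simplified stand-ins), here is the same issue description rendered from the raw record versus from a presenter that falls back to the finding:

```ruby
require 'delegate'

# Minimal stand-ins for the ActiveRecord models (constructed for this example).
Finding = Struct.new(:title, :description, :scanner_name, :identifiers, keyword_init: true)
Vulnerability = Struct.new(:title, :description, :finding, keyword_init: true)

# Presenter that decorates a Vulnerability and fills gaps from its finding,
# mirroring the fallbacks the report attributes to VulnerabilityPresenter
# (description from the finding when absent, scanner from the finding).
class VulnerabilityPresenter < SimpleDelegator
  def description
    own = __getobj__.description
    own.nil? || own.empty? ? finding.description : own
  end

  def scanner_name
    finding.scanner_name
  end

  def identifiers
    finding.identifiers
  end
end

# Buggy behaviour described in the report: rendering from the raw record
# yields a body that carries only the title under a "Description" heading.
def issue_description_without_presenter(vulnerability)
  "### Description\n\n#{vulnerability.title}\n"
end

# Proposed fix: render from the decorated instance so every field is present.
def issue_description_with_presenter(vulnerability)
  v = VulnerabilityPresenter.new(vulnerability)
  ids = v.identifiers.map { |i| "- #{i}" }.join("\n")
  "### Description\n\n#{v.description}\n\n" \
    "### Scanner\n\n#{v.scanner_name}\n\n" \
    "### Identifiers\n\n#{ids}\n"
end

# Constructed sample: the vulnerability has no description of its own,
# so everything useful lives on the finding.
SAMPLE_FINDING = Finding.new(title: 'Reflected XSS in search',
                             description: 'User input is echoed unescaped.',
                             scanner_name: 'semgrep',
                             identifiers: ['CWE-79', 'semgrep_id: xss-1'])
SAMPLE_VULNERABILITY = Vulnerability.new(title: 'Reflected XSS in search',
                                         description: nil,
                                         finding: SAMPLE_FINDING)

puts issue_description_with_presenter(SAMPLE_VULNERABILITY) if $PROGRAM_NAME == __FILE__
```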
Verification
- Visit https://gitlab.com/gitlab-org/secure/tests/verify-385616/-/security/vulnerability_report
- Pick a vulnerability with no linked issues (e.g. the 'Activity' column is empty) and note its ID
- Visit https://gitlab.com/-/graphql-explorer and run the following GQL query to obtain the uuid of the selected vulnerability:

```graphql
query {
  project(fullPath: "gitlab-org/secure/tests/verify-385616") {
    pipelines {
      nodes {
        id
        securityReportFindings {
          nodes {
            uuid
            vulnerability { id }
          }
        }
      }
    }
  }
}
```

- Using the selected uuid, run this mutation to create a new issue for the Vulnerability:

```graphql
mutation {
  securityFindingCreateIssue(
    input: {
      clientMutationId: "abc123",
      uuid: "UUID-FROM-ABOVE",
      project: "gid://gitlab/Project/43387151"
    }
  ) {
    clientMutationId
    errors
    issue { id }
  }
}
```

- Check https://gitlab.com/gitlab-org/secure/tests/verify-385616/-/issues to ensure the issue has been created and the description is correct.
As the MR related to this issue also touches the workflow for creating issues from vulnerabilities via the web, this should be verified too.
- Pick another issue from https://gitlab.com/gitlab-org/secure/tests/verify-385616/-/security/vulnerability_report without a linked issue
- Click into the vulnerability and click 'Create Issue'
- Ensure the resulting issue is created correctly.