'Create Issue' from pipeline security tab in an MR should not set present_on_default_branch = true on the created vulnerability
Summary
In !130390 (merged) we switched from using the deprecated Projects::VulnerabilityFeedbackController#create REST endpoint to using the securityFindingCreateIssue GraphQL mutation when creating an issue from the Pipeline -> Security tab.
In both the old and new implementations, when the issue is created, a vulnerability is also created.
Unfortunately the GraphQL mutation does not explicitly set present_on_default_branch = false when the vulnerability is created, as the deprecated REST controller does.
This means the resulting vulnerability shows up as present on the default branch when in fact it is not.
Related to Failure in ee/browser_ui/10_govern/vulnerabilit... (#423897 - closed)
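The two code paths the summary describes, as an added illustration that is not GitLab's own code: a minimal model in which the REST path derives present_on_default_branch from the pipeline ref, the buggy GraphQL path leaves the flag at the default of true (inferred from the symptom, not from the schema), and the vulnerability report filters on that flag. Vulnerability, the create_from_* functions, vulnerability_report and the default branch name are hypothetical stand-ins.

```ruby
# Hypothetical stand-in for the vulnerability record; not GitLab's model.
Vulnerability = Struct.new(:title, :pipeline_ref, :present_on_default_branch, keyword_init: true)

DEFAULT_BRANCH = "main" # constructed project setting

# Models the old REST path: the flag is derived from whether the pipeline
# that produced the finding ran on the project's default branch.
def create_from_finding_rest(title:, pipeline_ref:)
  Vulnerability.new(
    title: title,
    pipeline_ref: pipeline_ref,
    present_on_default_branch: pipeline_ref == DEFAULT_BRANCH
  )
end

# Models the buggy GraphQL path: the flag is never set, so the column default
# applies (true, as inferred from the vulnerability appearing in the report).
def create_from_finding_graphql_buggy(title:, pipeline_ref:)
  Vulnerability.new(title: title, pipeline_ref: pipeline_ref, present_on_default_branch: true)
end

# Corrected GraphQL path: set the flag explicitly, as the REST controller did.
def create_from_finding_graphql_fixed(title:, pipeline_ref:)
  create_from_finding_rest(title: title, pipeline_ref: pipeline_ref)
end

# The vulnerability report lists only records flagged as present on the default branch.
def vulnerability_report(vulnerabilities)
  vulnerabilities.select(&:present_on_default_branch).map(&:title)
end

# Constructed MR finding: the pipeline ran on a feature branch, not on main.
def demo
  mr_finding = { title: "Dangerous eval in main.js", pipeline_ref: "feature/eval" }
  {
    rest: vulnerability_report([create_from_finding_rest(**mr_finding)]),
    buggy: vulnerability_report([create_from_finding_graphql_buggy(**mr_finding)]),
    fixed: vulnerability_report([create_from_finding_graphql_fixed(**mr_finding)])
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Only the buggy path leaks the MR-only finding into the report; the corrected path matches the REST behaviour.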
Steps to reproduce
- In a project with security scanning enabled, create an MR which introduces a new finding.
- Navigate to Pipeline -> Security for the MR pipeline.
- Click 'Create Issue' on the right hand side next to the relevant finding.
- Visit Security -> Vulnerability Report for the project.
At this point we would not expect to see the vulnerability in the vulnerability report.
Example Project
https://gitlab.com/gitlab-org/govern/threat-insights-demos/verification-projects/verify-424081
This project has a merge request that introduces a new dangerous eval on line 6 of main.js.
An issue has been created from this finding, and it erroneously appears in the vulnerability report.
What is the current bug behavior?
The vulnerability for the security finding appears in the vulnerability report of the project.
What is the expected correct behavior?
The vulnerability for the security finding should not appear in the vulnerability report of the project.
Verification
- Visit this verification MR. The MR adds a new file verification.js with a security finding. This should show in the security widget.
- Go to the Pipelines tab in the MR, click the pipeline and then the Security tab.
- Click the 'Create issue' button on the right-hand side next to the finding for the verification.js file.
- You should be taken to the created issue page.
- Visit Secure -> Vulnerability Report in the main nav.
- Ensure that the vulnerability in verification.js is not in the vulnerability report.