
Adding a comment to a vulnerability log entry misleadingly updates the date/time of the entry

Summary

When changing the status of a vulnerability, users have the ability to leave a comment on the log entry seen on the Vulnerability Page. However, when a comment is left on the log entry, the date of the original log entry is updated to match the time of the comment. This can lead to a confusing experience for end users, especially if they leave the comment several hours or days later.

For example, a customer reported that the Vulnerability Page showed a vulnerability as having been marked Resolved just a few hours ago. However, the Vulnerability Report was already showing the same vulnerability as Needs Triage, despite no new pipelines having been run on the default branch since that time.

The vulnerability had actually been marked as resolved several days earlier. A few hours before reporting this behavior, the user left a comment on the log entry, which updated its date to make it appear as if the vulnerability had only just been marked as resolved.

This caused confusion because the vulnerability in question was now showing as Needs Triage even though no new pipelines appeared to have been run on the default branch since the apparent resolution time. We now know that the vulnerability was actually marked as resolved several days earlier, despite what the log entry says, and that several pipelines have since been run on the default branch which re-detected the previously resolved vulnerability.

Steps to reproduce

  1. Create a project with a vulnerability
  2. Run a security scan on the project (SAST, DAST, Secret Detection, etc.)
  3. Navigate to the vulnerability report and click on the vulnerability
  4. Mark the vulnerability as resolved
  5. Wait a few hours/days and then comment on the vulnerability log entry that states the vulnerability was marked as resolved
  6. Observe that the time of the initial log entry is updated to match that of the comment

What is the current bug behavior?

Adding a comment to a vulnerability log entry on the vulnerability page updates the date of the initial log entry.

What is the expected correct behavior?

Adding a comment to a vulnerability log entry on the vulnerability page should not update the time of the initial log entry. The date/time of the comment and of the log entry should each accurately reflect when it was posted.

Relevant logs and/or screenshots

Before Comment:

json.time: Oct 13, 2023 @ 15:29:24.688
json.meta.caller_id: graphql:vulnerabilityResolve
json.variables: {"id"=>"gid://gitlab/Vulnerability/86289948", "comment"=>nil}

[Screenshot: Screenshot_2023-10-13_at_12.58.28_PM]

After Comment:

json.time: Oct 13, 2023 @ 16:58:39.237
json.meta.caller_id: graphql:securityDashboardCreateNote
json.variables: {"noteableId"=>"gid://gitlab/Vulnerability/86289948", "discussionId"=>"gid://gitlab/IndividualNoteDiscussion/0d875e5ed4867034f0762efd0da5c356a1ee4197", "body"=>"[FILTERED]"}

[Screenshot: Screenshot_2023-10-13_at_12.58.49_PM]

Output of checks

This bug happens on GitLab.com.

Implementation Plan

The issue is that we are showing the updatedAt timestamp for this field when we should be showing the createdAt timestamp.
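As an added example (not GitLab's own code), the following JavaScript models the history discussion walked through in the steps to reproduce above and the timestamp mix-up named in the implementation plan. The note shape, the discussion structure, and the assumption that replying to a discussion touches the parent note's updatedAt are mine, loosely following the log excerpt; the timestamps and vulnerability id are taken from that excerpt. It renders the same timeline once from updatedAt (the bug) and once from createdAt (the fix), and includes a check that lists history entries whose two timestamps have drifted apart, which are exactly the entries a UI reading updatedAt would misdate.

```javascript
// Added example, not GitLab's own code: models the vulnerability history
// discussion described in this issue and shows why rendering `updatedAt`
// (the bug) instead of `createdAt` (the fix) makes a status change look
// as if it happened when the comment was added.

// Constructed sample timestamps, taken from the log excerpt in the issue.
const STATUS_CHANGE_AT = '2023-10-13T15:29:24.688Z'; // graphql:vulnerabilityResolve
const COMMENT_AT = '2023-10-13T16:58:39.237Z';       // graphql:securityDashboardCreateNote

// Assumed note shape; field names follow GraphQL camelCase conventions.
function makeNote(id, system, body, at) {
  return { id, system, body, createdAt: at, updatedAt: at };
}

// Status change: one system note inside a new individual-note discussion.
function resolveVulnerability(vulnerabilityId, at) {
  return {
    id: 'discussion-1',
    noteableId: vulnerabilityId,
    notes: [makeNote('note-1', true, 'changed vulnerability status to Resolved', at)],
  };
}

// Adding a comment to the discussion. The assumption here, which matches the
// behaviour observed in the issue, is that the reply touches the parent
// note's updatedAt while its createdAt stays put.
function addCommentToDiscussion(discussion, body, at) {
  const [parent, ...rest] = discussion.notes;
  const reply = makeNote(`note-${discussion.notes.length + 1}`, false, body, at);
  return { ...discussion, notes: [{ ...parent, updatedAt: at }, ...rest, reply] };
}

// Renders one entry per note using whichever timestamp field the UI reads.
function renderTimeline(discussion, timestampField) {
  return discussion.notes.map((note) => ({
    id: note.id,
    body: note.body,
    shownAt: note[timestampField],
  }));
}

// Check: system (history) notes whose updatedAt has drifted from createdAt.
// These are exactly the entries a UI reading updatedAt would misdate.
function findMisdatedHistoryEntries(discussion) {
  return discussion.notes
    .filter((note) => note.system && note.updatedAt !== note.createdAt)
    .map((note) => ({ id: note.id, createdAt: note.createdAt, updatedAt: note.updatedAt }));
}

function demo() {
  const id = 'gid://gitlab/Vulnerability/86289948';
  let discussion = resolveVulnerability(id, STATUS_CHANGE_AT);
  discussion = addCommentToDiscussion(discussion, 'Added this comment some moments later', COMMENT_AT);
  return {
    buggy: renderTimeline(discussion, 'updatedAt'),
    fixed: renderTimeline(discussion, 'createdAt'),
    misdated: findMisdatedHistoryEntries(discussion),
  };
}

const result = demo();
console.log('Bug (updatedAt):', result.buggy);
console.log('Fix (createdAt):', result.fixed);
console.log('History entries that would be misdated:', result.misdated);
```

In the buggy rendering the status-change entry shows the comment time, which is the confusing behaviour the customer hit; in the fixed rendering it keeps its original time and only the comment carries the later timestamp.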

Verification steps

  1. Go to this vulnerability: https://gitlab.com/gitlab-examples/security/security-reports/-/security/vulnerabilities/68125929
  2. In the discussion at the bottom with the history entries, scroll to the last one.
  3. Verify that the date next to "@lorenzvanherwaarden changed vulnerability status to Dismissed: Used In Tests" is 15 January 2024 at 09:57:28 CET when you hover the relative time label.
  4. Verify that the date in the entry below with my comment "Added this comment some moments later" is 15 January 2024 at 09:57:56 CET when you hover the relative time label.
Edited by Lorenz van Herwaarden