Unable to create issues for pipeline security findings which do not exist on the default branch
Context
When viewing pipeline security findings that don't exist on the default branch, the "Create Issue" button does not render.
| expected | actual |
|---|---|
Additional info
Example
How to reproduce
- Import the security-reports example project and do not run a pipeline on master yet!
- Comment out all but one scanner in `.gitlab-ci.yml` (leave one uncommented, otherwise the CI file is invalid), then commit and push this to master/main
- Uncomment the scanners in `.gitlab-ci.yml`, commit and push to a new branch and create an MR
- Run a pipeline for the MR and then go to the "Security" tab on that pipeline
- Dismiss a finding from a scanner that is added in the MR
Cause
There is a check in the UI that makes sure the current user has the right permissions to create an issue:
The permissions come from the vulnerability that is attached to the finding (GraphQL type: `PipelineSecurityReportFinding`).
For new findings that don't exist on the default branch yet, there is no vulnerability, so the check fails and the "Create Issue" button does not show up.
Possible solutions
As we only have a finding, we can't use the `userPermissions` on the vulnerability of that finding. We could add a `userPermissions` object on `PipelineSecurityReportFinding` which would contain a field `canCreateIssue`, similar to the `canCreateVulnerabilityFeedback` we're using now. We seem to be using the `userPermissions` pattern on different kinds of resources in GitLab.
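To illustrate the cause and the proposed fix side by side, here is an added example (not GitLab's frontend code) with two constructed findings: one that already has a vulnerability on the default branch and one introduced by the MR. The nested field `createIssue` under the vulnerability's `userPermissions`, and the exact shape of the finding objects, are assumptions; only `userPermissions`, `canCreateIssue` and `PipelineSecurityReportFinding` come from the issue text.

```javascript
// Added illustration, not GitLab's code. Field names other than those named in the
// issue (userPermissions, canCreateIssue) are assumptions for the example.

// Constructed sample: a PipelineSecurityReportFinding already present on the
// default branch, so a Vulnerability record with its own permissions is attached.
const existingFinding = {
  title: 'Constructed finding A (exists on default branch)',
  vulnerability: { userPermissions: { createIssue: true } },
  // Proposed finding-level permission object from the issue.
  userPermissions: { canCreateIssue: true },
};

// Constructed sample: a finding introduced by the MR branch. No Vulnerability
// exists yet, which the GraphQL response expresses as null.
const newFinding = {
  title: 'Constructed finding B (new in MR)',
  vulnerability: null,
  userPermissions: { canCreateIssue: true },
};

// Current check: the permission is derived from the attached vulnerability, so it
// silently evaluates to false whenever the vulnerability is absent, even though
// the user is allowed to create issues.
function canCreateIssueCurrent(finding) {
  return Boolean(finding.vulnerability?.userPermissions?.createIssue);
}

// Proposed check: the permission lives on the finding itself, which exists for
// both new and already-known findings.
function canCreateIssueProposed(finding) {
  return Boolean(finding.userPermissions?.canCreateIssue);
}

// Mirrors the UI decision: render the button label, or nothing.
function renderCreateIssueButton(finding, check) {
  return check(finding) ? 'Create Issue' : null;
}

module.exports = { existingFinding, newFinding, canCreateIssueCurrent, canCreateIssueProposed, renderCreateIssueButton };
```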