"Create Jira Issue" from the security pipeline tab continues to show if an issue already exists in Jira
Summary
When a customer enables Jira issue integration and chooses to use the Create a Jira issue for a vulnerability feature, they will be able to create a Jira issue from the security tab of a pipeline as shown below:
This functionality is useful in that for Jira-focused teams, they can create a Jira issue to track a new vulnerability raised from a merge request/branch on the project. In the current implementation, however, this can cause problems because the UI doesn't update to show that a Jira issue already exists.
After following the applicable link, a user is directed to their Jira instance with information pre-filled in Jira, such as the Summary and Description fields. Once a Jira issue is created, there is no indication in the UI that a Jira issue already exists. In some situations, this can lead to multiple developers raising an issue for the same vulnerability.
Ideally, we should consider using logic that is implemented in the Vulnerability Report feature, where viewing a vulnerability shows a section when a related Jira issue exists. This screenshot is taken from a different project that had an issue created via the Vulnerability Report:
The outcome could be:
- Don't show the link if a Jira Issue is found and exists
- Use the existing functionality that links to a GitLab issue, but link to a Jira Issue instead.
Steps to reproduce
- Create a project (without vulnerabilities), with a basic .gitlab-ci.yml file that has branch dependency scanning.
- Enable a project-level scan result policy to block an MR when new vulnerabilities are detected.
- Enable a working Jira integration including Enable Jira issue creation from vulnerabilities. This can be replicated with "Jira Cloud", so you can use the free tier for testing purposes.
- Raise a new branch with a dependency vulnerability. You can reference this public project which will return a dependency vulnerability due to an outdated version.
- Raise an MR on the project (which will be blocked by the scan result policy)
- On the MR, navigate to the security widget, select full report and:
  - Locate the vulnerability. Highlight the folder icon, which should show 'Create Jira Issue'
  - Be navigated to Jira and fill out the form.
- Confirm that the Jira issue now exists "tied" to that vulnerability
- Navigate back to the full report. You'll still be prompted to 'Create Jira Issue'.
Example Project
A private project exists on GitLab.com that can replicate this behaviour on-demand. Due to the permissions required to view security-related content, please ask me to invite you if this helps investigate the behaviour.
What is the current bug behavior?
There is no state tracking on whether a Jira issue exists and is already tied to this vulnerability. After creation, a user continues to be prompted to create a Jira issue when one already exists.
What is the expected correct behavior?
The state of a Jira issue should be tracked through the integration (as seen in Vulnerability Report). When an issue exists tied to this, it should visibly show this and warn or limit the ability to re-create an issue tied to the same vulnerability.
Output of checks
This bug happens on GitLab.com