Pipeline security tab shows findings when still running or report expired
Summary
The new pipeline security tab shows findings while the pipeline is still running and after the report has expired. The legacy pipeline security tab does not show findings in either case.
Steps to reproduce
Report expired
- go to https://gitlab.com/gitlab-examples/security/security-reports/-/pipelines/1156121988/security
- click the severity sort header: the arrow changes direction but the findings are not reordered.
- click on a finding: the finding modal opens but shows a warning because it cannot load the finding.
Example Project
What is the current bug behavior?
On the new pipeline security tab (when the pipeline_security_dashboard_graphql feature flag is enabled), the table already shows findings while the pipeline is still running and still shows them after the report has expired. Clicking one of those findings opens the modal, but the finding itself does not load, and sorting by severity does not work. Findings should not be available at all once the report has expired: https://docs.gitlab.com/ee/user/application_security/vulnerability_report/pipeline.html#retention-period-for-findings.

The pipelineFindings query returns a list of findings for securityReportFindings, while the getSecurityReportFinding query returns null for securityReportFinding.
What is the expected correct behavior?
Similar to the legacy pipeline security tab, it should not show findings while the pipeline is running or after the report has expired. The vulnerability_findings REST API returns an empty array in both of these cases.
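The following is an added example, not part of this issue and not GitLab's own code: a Ruby script that cross-checks the three views of one pipeline's findings described above (the securityReportFindings list, the per-finding securityReportFinding lookup, and the vulnerability_findings REST endpoint) and reports each of the three discrepancies this issue describes. The field names follow GitLab's GraphQL schema, but the exact selection sets, the sort argument, the REST pipeline_id parameter and the environment variable names are assumptions of this example. The transports are passed in as callables, and a constructed stub reproducing the reported symptoms is included so the check runs offline.

```ruby
require 'json'
require 'net/http'
require 'uri'

# Most severe first; used to verify that the requested severity_desc sort was honoured.
SEVERITY_RANK = %w[CRITICAL HIGH MEDIUM LOW INFO UNKNOWN].each_with_index.to_h.freeze

# Assumed query shapes: field names follow GitLab's GraphQL schema, but the selection
# sets and the sort argument are this example's assumptions, not copied from GitLab.
LIST_QUERY = <<~GQL.freeze
  query($fullPath: ID!, $iid: ID!) {
    project(fullPath: $fullPath) {
      pipeline(iid: $iid) {
        securityReportFindings(first: 100, sort: severity_desc) {
          nodes { uuid severity }
        }
      }
    }
  }
GQL

SINGLE_QUERY = <<~GQL.freeze
  query($fullPath: ID!, $iid: ID!, $uuid: String!) {
    project(fullPath: $fullPath) {
      pipeline(iid: $iid) {
        securityReportFinding(uuid: $uuid) { uuid severity }
      }
    }
  }
GQL

def http_json(uri, req)
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |h| h.request(req) }
  JSON.parse(res.body)
end

# GraphQL transport: returns a callable (query, variables) -> parsed response Hash.
def gitlab_graphql(base_url, token)
  lambda do |query, variables|
    uri = URI("#{base_url}/api/graphql")
    req = Net::HTTP::Post.new(uri, 'Content-Type' => 'application/json',
                                   'Authorization' => "Bearer #{token}")
    req.body = JSON.generate(query: query, variables: variables)
    http_json(uri, req)
  end
end

# REST transport: returns a callable (project_id, pipeline_id) -> Array of findings.
# Filtering vulnerability_findings by pipeline_id is an assumption of this example.
def gitlab_rest(base_url, token)
  lambda do |project_id, pipeline_id|
    uri = URI("#{base_url}/api/v4/projects/#{project_id}/vulnerability_findings?pipeline_id=#{pipeline_id}")
    http_json(uri, Net::HTTP::Get.new(uri, 'PRIVATE-TOKEN' => token))
  end
end

# True when severities are non-increasing (CRITICAL ... UNKNOWN); unknown values sort last.
def severity_sorted?(nodes)
  ranks = nodes.map { |n| SEVERITY_RANK.fetch(n['severity'].to_s.upcase, SEVERITY_RANK.size) }
  ranks.each_cons(2).all? { |a, b| a <= b }
end

# Cross-checks one pipeline and returns { findings: <count>, problems: [<strings>] }.
# An empty problems array means the GraphQL tab and the REST API agree.
def check_pipeline_findings(graphql:, rest:, full_path:, project_id:, pipeline_iid:, pipeline_id:)
  vars = { 'fullPath' => full_path, 'iid' => pipeline_iid.to_s }
  list = graphql.call(LIST_QUERY, vars)
  nodes = list.dig('data', 'project', 'pipeline', 'securityReportFindings', 'nodes') || []
  problems = []

  # Symptom 1: the new tab lists findings while the legacy tab's source (REST) has none,
  # which is the situation while the pipeline runs or after the report has expired.
  if !nodes.empty? && rest.call(project_id, pipeline_id).empty?
    problems << "GraphQL list returned #{nodes.size} findings but vulnerability_findings returned none"
  end

  # Symptom 2: a listed finding cannot be loaded on its own (the modal fails to load it).
  nodes.each do |n|
    single = graphql.call(SINGLE_QUERY, vars.merge('uuid' => n['uuid']))
    next unless single.dig('data', 'project', 'pipeline', 'securityReportFinding').nil?
    problems << "finding #{n['uuid']} is listed but securityReportFinding returns null"
  end

  # Symptom 3: the severity sort requested in LIST_QUERY was not applied.
  unless severity_sorted?(nodes)
    problems << "findings not sorted by severity: #{nodes.map { |n| n['severity'] }.join(', ')}"
  end

  { findings: nodes.size, problems: problems }
end

# Constructed stub responses reproducing the reported symptoms, for offline use:
# the list query returns two unsorted findings, the single lookup returns null, REST is empty.
def constructed_buggy_client
  list = { 'data' => { 'project' => { 'pipeline' => { 'securityReportFindings' => { 'nodes' => [
    { 'uuid' => 'f-1', 'severity' => 'LOW' }, { 'uuid' => 'f-2', 'severity' => 'CRITICAL' }
  ] } } } } }
  single = { 'data' => { 'project' => { 'pipeline' => { 'securityReportFinding' => nil } } } }
  graphql = ->(query, _vars) { query.include?('securityReportFindings(') ? list : single }
  rest = ->(_project_id, _pipeline_id) { [] }
  [graphql, rest]
end

if __FILE__ == $PROGRAM_NAME
  # With GITLAB_TOKEN set the check runs against a live instance; otherwise against the stub.
  base = ENV.fetch('GITLAB_URL', 'https://gitlab.com')
  graphql, rest = if ENV['GITLAB_TOKEN']
                    [gitlab_graphql(base, ENV['GITLAB_TOKEN']), gitlab_rest(base, ENV['GITLAB_TOKEN'])]
                  else
                    constructed_buggy_client
                  end
  puts JSON.pretty_generate(check_pipeline_findings(
    graphql: graphql, rest: rest,
    full_path: ENV.fetch('PROJECT_PATH', 'gitlab-examples/security/security-reports'),
    project_id: ENV.fetch('PROJECT_ID', '0'), pipeline_iid: ENV.fetch('PIPELINE_IID', '0'),
    pipeline_id: ENV.fetch('PIPELINE_ID', '0')
  ))
end
```

Run it without GITLAB_TOKEN to see the four problems the stub produces (one REST mismatch, two unloadable findings, one sort failure); against a fixed instance the same pipeline should return an empty list from both APIs and therefore no problems.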
Relevant logs and/or screenshots
Finding modal does not load
Incorrect sorting
Output of checks
Possible fixes
Both the REST API and GraphQL use the same finder, Security::PureFindingsFinder, so the cause is probably in the GraphQL change made for pagination: Fix GraphQL pipeline findings pagination (!146445 - merged) • Malcolm Locke • 16.10.