# Truncate the title of the issue while creating from vulnerability

## What does this MR do and why?

This MR fixes two issues:

- Truncates the title while creating the issue from the vulnerability, so that it stays within the issuable title limit.
- Changes `Vulnerabilities::Feedback.find_or_init_for` to look up feedback by `finding_uuid`, since `project_fingerprint` is deprecated.
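As an added worked example, not code from this MR or from GitLab itself, the following plain Ruby shows the title-truncation step the first bullet describes: a finding's `message` becomes the issue title, and any title longer than the limit is cut so that the title plus an omission marker fits exactly. The limit of 255 characters, the `...` marker, the location-based fallback title and the sample report are all assumptions of this example; the report is constructed to mirror the shape of the `sast-report.json` used for local testing below, including an over-long message.

```ruby
require 'json'

# Assumed maximum issue title length for this example. GitLab's real
# issuable title limit is not stated on this page, so 255 is a stand-in.
TITLE_LENGTH_MAX = 255

# Omission marker appended when a title has to be cut, so a reader can
# tell the title is not the full finding message (assumption of this example).
OMISSION = '...'

# Constructed SAST report, modelled on the shape of the report used in the
# MR's local-testing setup. Only the fields this example reads are present.
SAMPLE_REPORT = JSON.generate(
  'vulnerabilities' => [
    { 'category' => 'sast', 'severity' => 'Critical',
      'message' => "Long message #{'a' * 300}",
      'location' => { 'file' => 'root.rb', 'start_line' => 1 } },
    { 'category' => 'sast', 'severity' => 'High',
      # 300 two-byte characters: the cut must count characters, not bytes
      'message' => "Multibyte #{'é' * 300}",
      'location' => { 'file' => 'app.rb', 'start_line' => 7 } },
    { 'category' => 'sast', 'severity' => 'Low',
      'message' => '   Short title with padding   ',
      'location' => { 'file' => 'lib.rb', 'start_line' => 3 } }
  ]
)

# Return +title+ unchanged when it fits, otherwise cut it so that the kept
# text plus the omission marker is exactly +limit+ characters long.
# Lengths are measured in characters (String#length), which matches a
# character-based length validation rather than a byte limit, so multibyte
# text is never split in the middle of a character.
def truncate_title(title, limit = TITLE_LENGTH_MAX)
  title = title.to_s.strip
  return title if title.length <= limit

  keep = limit - OMISSION.length
  raise ArgumentError, 'limit too small for omission marker' if keep < 1

  title[0, keep] + OMISSION
end

# Build a title for one finding from its message. When the scanner gave no
# message, fall back to a location-based title (an assumption of this
# example, not documented GitLab behaviour).
def issue_title_for(finding, limit = TITLE_LENGTH_MAX)
  message = finding['message'].to_s.strip
  if message.empty?
    loc = finding.fetch('location', {})
    message = "#{finding['category']} finding in #{loc['file']}:#{loc['start_line']}"
  end
  truncate_title(message, limit)
end

# Parse a report and produce one limit-respecting issue title per finding.
def issue_titles_from_report(report_json, limit = TITLE_LENGTH_MAX)
  report = JSON.parse(report_json)
  report.fetch('vulnerabilities', []).map { |finding| issue_title_for(finding, limit) }
end

if __FILE__ == $PROGRAM_NAME
  issue_titles_from_report(SAMPLE_REPORT).each do |title|
    puts "#{title.length.to_s.rjust(3)} chars: #{title[0, 40]}"
  end
end
```

Stripping before measuring matters: a title that is within the limit only because of surrounding whitespace would otherwise be cut unnecessarily, and the character-based cut is what keeps the multibyte sample from being split mid-character.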
## Database review

See !102040 (comment 1149584311)

### Migration outputs

`VERSION=20221025145452`

up:

```
main: == 20221025145452 DropVulnerabilityFeedbackUniqueIdx: migrating ===============
main: -- transaction_open?()
main: -> 0.0000s
main: -- indexes(:vulnerability_feedback)
main: -> 0.0085s
main: -- execute("SET statement_timeout TO 0")
main: -> 0.0003s
main: -- remove_index(:vulnerability_feedback, {:algorithm=>:concurrently, :name=>:vulnerability_feedback_unique_idx})
main: -> 0.0013s
main: -- execute("RESET statement_timeout")
main: -> 0.0002s
main: == 20221025145452 DropVulnerabilityFeedbackUniqueIdx: migrated (0.0187s) ======
```

down:

```
main: == 20221025145452 DropVulnerabilityFeedbackUniqueIdx: reverting ===============
main: -- transaction_open?()
main: -> 0.0000s
main: -- index_exists?(:vulnerability_feedback, [:project_id, :category, :feedback_type, :project_fingerprint], {:name=>:vulnerability_feedback_unique_idx, :unique=>true, :algorithm=>:concurrently})
main: -> 0.0051s
main: -- execute("SET statement_timeout TO 0")
main: -> 0.0003s
main: -- add_index(:vulnerability_feedback, [:project_id, :category, :feedback_type, :project_fingerprint], {:name=>:vulnerability_feedback_unique_idx, :unique=>true, :algorithm=>:concurrently})
main: -> 0.0034s
main: -- execute("RESET statement_timeout")
main: -> 0.0003s
main: == 20221025145452 DropVulnerabilityFeedbackUniqueIdx: reverted (0.0134s) ======
```

`VERSION=20221025150202`

up:

```
main: == 20221025150202 AddIndexForFindingUuidAndFeedbackTypeOnFeedback: migrating ==
main: -- transaction_open?()
main: -> 0.0000s
main: -- index_exists?(:vulnerability_feedback, [:feedback_type, :finding_uuid], {:name=>:index_vulnerability_feedback_on_feedback_type_and_finding_uuid, :algorithm=>:concurrently})
main: -> 0.0048s
main: -- execute("SET statement_timeout TO 0")
main: -> 0.0002s
main: -- add_index(:vulnerability_feedback, [:feedback_type, :finding_uuid], {:name=>:index_vulnerability_feedback_on_feedback_type_and_finding_uuid, :algorithm=>:concurrently})
main: -> 0.0012s
main: -- execute("RESET statement_timeout")
main: -> 0.0003s
main: == 20221025150202 AddIndexForFindingUuidAndFeedbackTypeOnFeedback: migrated (0.0105s)
```

down:

```
main: == 20221025150202 AddIndexForFindingUuidAndFeedbackTypeOnFeedback: reverting ==
main: -- transaction_open?()
main: -> 0.0000s
main: -- indexes(:vulnerability_feedback)
main: -> 0.0065s
main: -- execute("SET statement_timeout TO 0")
main: -> 0.0003s
main: -- remove_index(:vulnerability_feedback, {:algorithm=>:concurrently, :name=>:index_vulnerability_feedback_on_feedback_type_and_finding_uuid})
main: -> 0.0014s
main: -- execute("RESET statement_timeout")
main: -> 0.0003s
main: == 20221025150202 AddIndexForFindingUuidAndFeedbackTypeOnFeedback: reverted (0.0132s)
```

`VERSION=20221026121036`

up:

```
main: == 20221026121036 AddIndexForProjectIdOnVulnerabilityFeedback: migrating ======
main: -- transaction_open?()
main: -> 0.0000s
main: -- index_exists?(:vulnerability_feedback, :project_id, {:name=>:index_vulnerability_feedback_on_project_id, :algorithm=>:concurrently})
main: -> 0.0045s
main: -- execute("SET statement_timeout TO 0")
main: -> 0.0003s
main: -- add_index(:vulnerability_feedback, :project_id, {:name=>:index_vulnerability_feedback_on_project_id, :algorithm=>:concurrently})
main: -> 0.0019s
main: -- execute("RESET statement_timeout")
main: -> 0.0002s
main: == 20221026121036 AddIndexForProjectIdOnVulnerabilityFeedback: migrated (0.0114s)
```

down:

```
main: == 20221026121036 AddIndexForProjectIdOnVulnerabilityFeedback: reverting ======
main: -- transaction_open?()
main: -> 0.0000s
main: -- indexes(:vulnerability_feedback)
main: -> 0.0066s
main: -- execute("SET statement_timeout TO 0")
main: -> 0.0003s
main: -- remove_index(:vulnerability_feedback, {:algorithm=>:concurrently, :name=>:index_vulnerability_feedback_on_project_id})
main: -> 0.0032s
main: -- execute("RESET statement_timeout")
main: -> 0.0003s
main: == 20221026121036 AddIndexForProjectIdOnVulnerabilityFeedback: reverted (0.0169s)
```
## Local testing

### Setup

- Create a new project
- Add the following files to the project

`.gitlab-ci.yml`

```yaml
sast:
  image: bash
  script:
    - echo Hello World!
  artifacts:
    reports:
      sast: sast-report.json
```

`sast-report.json`

```json
{
  "schema" : "https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v14.0.0/dist/sast-report-format.json",
  "version" : "14.0.0",
  "scan" : {
    "start_time" : "2022-08-24T07:30:25",
    "end_time" : "2022-08-24T07:54:47",
    "status" : "success",
    "type" : "sast",
    "scanner" : {
      "id" : "gtlb",
      "name" : "Gitlab test",
      "url" : "https://gitlab.com",
      "version" : "0.0.0",
      "vendor" : {
        "name" : "GitLab"
      }
    }
  },
  "vulnerabilities": [
    {
      "category" : "sast",
      "message" : "Long message aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
      "description" : "Description of the vulnerability",
      "id" : "1",
      "cve" : "random",
      "identifiers" : [
        {
          "name" : "CVE-XXXX",
          "type" : "CVE",
          "value" : "XXXX"
        }
      ],
      "location" : {
        "file" : "root.rb",
        "start_line" : 1
      },
      "scanner" : {
        "id" : "gtlb",
        "name" : "Gitlab test"
      },
      "severity" : "Critical"
    }
  ]
}
```
### Reproduction steps

- Run a new pipeline on the default branch
- Visit the pipeline "Security" tab
- Click on the finding to open the modal box
- Click on the "Create issue" button and see the error

Video demonstrating the issue:

Screen_Recording_2022-11-08_at_10.55.57
Related to Long SAST title creates 422 when creating issue (#342167 - closed).
## MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

- I have evaluated the MR acceptance checklist for this MR.
Edited by Mehmet Emin INAC