
Correctly populate Vulnerability Issue description from GQL mutation

What does this MR do and why?

This MR reworks the creation of issues from vulnerabilities using the GraphQL securityFindingCreateIssue mutation so that the issue description is correctly populated in the same way that it would be if an issue was created from the web (via Vulnerability -> Create Issue).

This MR also fixes issue descriptions when created from VulnerabilityFeedback::CreateService.

Before

[Screenshot: Screenshot_from_2023-01-31_15-21-52]

After

[Screenshot: Screenshot_from_2023-01-31_15-17-00]

Before and after screenshots of _Create Issue_ from the web, via the Vulnerability page _Create Issue_ button. (unchanged)

Before

[Screenshot: before]

After

[Screenshot: after]

How to set up and validate locally

  1. Find the id of a Vulnerability without an existing linked issue
  2. Find the uuid of the Vulnerability::Finding related to the Vulnerability
    rails runner 'puts Vulnerability.find(542).finding.uuid'
    # 512ae9b8-ec23-586b-b5f1-6147c9e2a1c8
  3. Find the id of the Project related to the Vulnerability
    rails runner 'puts Vulnerability.find(542).project_id'
    # 20
  4. Load /-/graphql-explorer in your web browser
  5. Enter the following query, substituting the Vulnerability::Finding#uuid and Project#id
    mutation {
      securityFindingCreateIssue(
        input: {
          clientMutationId: "abc123",
          uuid: "512ae9b8-ec23-586b-b5f1-6147c9e2a1c8",
          project: "gid://gitlab/Project/20"
        }
      ) {
        clientMutationId
        errors
        issue {
          id
        }
      }
    }
  6. Click Execute Query
  7. The GQL response should contain a gid for the created issue containing the issue number, e.g. gid://gitlab/Issue/123
  8. Visit the corresponding issue on the project page to check the issue content.
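
Steps 5 to 7 can also be run from a script. The Ruby below is an added example, not code from this MR: it builds the same mutation after validating the uuid and project id, and checks the response for mutation errors and an issue gid. The helper names and the GITLAB_URL, GITLAB_TOKEN, FINDING_UUID and PROJECT_ID environment variables are assumptions; the request goes to the GraphQL API endpoint /api/graphql with a bearer token.

```ruby
require 'json'
require 'net/http'
require 'uri'

UUID_RE = /\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/
ISSUE_GID_RE = %r{\Agid://gitlab/Issue/(\d+)\z}

# Step 5: build the mutation. Inputs are validated before interpolation so
# that nothing other than a uuid and a positive integer reaches the query text.
def build_mutation(finding_uuid, project_id)
  raise ArgumentError, 'invalid finding uuid' unless UUID_RE.match?(finding_uuid.to_s)
  pid = Integer(project_id) # raises ArgumentError for non-numeric input
  raise ArgumentError, 'invalid project id' unless pid.positive?
  <<~GQL
    mutation {
      securityFindingCreateIssue(
        input: { uuid: "#{finding_uuid}", project: "gid://gitlab/Project/#{pid}" }
      ) {
        errors
        issue { id }
      }
    }
  GQL
end

# Step 7: return the numeric part of the issue gid, or raise if the
# response carries top-level errors, mutation errors, or no issue.
def created_issue_id(response_json)
  body = JSON.parse(response_json)
  raise "GraphQL errors: #{body['errors']}" if body['errors']
  result = body.dig('data', 'securityFindingCreateIssue') or raise 'mutation result missing'
  raise "mutation errors: #{result['errors']}" unless Array(result['errors']).empty?
  m = ISSUE_GID_RE.match(result.dig('issue', 'id').to_s) or raise 'no issue gid in response'
  m[1].to_i
end

# Step 6: POST the query (hypothetical helper; token is an access token with API scope).
def run_mutation(base_url, token, query)
  uri = URI.join(base_url, '/api/graphql')
  req = Net::HTTP::Post.new(uri, 'Content-Type' => 'application/json',
                                 'Authorization' => "Bearer #{token}")
  req.body = JSON.generate(query: query)
  Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |h| h.request(req) }.body
end

# Only contacts a server when the (assumed) environment variables are set.
if ENV['GITLAB_URL'] && ENV['GITLAB_TOKEN']
  query = build_mutation(ENV.fetch('FINDING_UUID'), ENV.fetch('PROJECT_ID'))
  puts created_issue_id(run_mutation(ENV['GITLAB_URL'], ENV['GITLAB_TOKEN'], query))
end
```
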

This MR also impacts the workflow when creating an issue from the vulnerabilities page. To validate this:

  1. Find a vulnerability that does not have an existing linked issue at Security and Compliance -> Vulnerability Report
  2. Click the Vulnerability description and then click Create Issue
  3. On the subsequent New Issue page click Create Issue
  4. Check the resulting issue is displayed correctly

Technical notes

  • The largest change in this MR is the removal of a lot of spec boilerplate from ee/spec/services/ee/issues/create_from_vulnerability_service_spec.rb (renamed from create_from_vulnerability_data_service_spec.rb). Most of the contextual behaviour of that spec was actually executing conditional code in the view ee/app/views/vulnerabilities/issue_description.md.erb. Consequently I've simplified the service class spec and added a spec for the view with some extra coverage.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #385616 (closed)

Edited by Malcolm Locke
