Use merge_base_pipeline for security report comparison MR widget
What does this MR do and why?
Use the merge basis for the security widget instead of comparing against the head of the target branch. Comparing against the head causes bogus results to be displayed in the diff the same as diffing the source that way would. I think the list of widgets using the merge basis should be dropped in favor of always using it, but I don't want to block this change with that discussion.
The secrets diff seems broken completely and never works (as I have observed in gitlab.com projects).
Solves Use merge base for security MR widget (&10092 - closed).
Screenshots
Making no changes to vulnerabilities
Target branch removes one vulnerability after the MR branch was created. Ironically, that vulnerability is shown as "fixed" in the MR branch even though it is present in the pipeline report.
Adding a vulnerability in MR branch
Same branch point as the first screenshots, but adding a SAST vulnerability to show the diff still works.
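The two screenshot scenarios above, modelled as a toy report comparison. This is an added example, not GitLab's widget code: findings are constructed fingerprint strings, the reports are constructed, and the added/fixed labels come from a plain set difference rather than the widget's own labelling.

```ruby
# Added example (not GitLab's code): a toy security-report diff that shows
# why the base pipeline must be the merge base rather than the head of the
# target branch. Findings are identified by constructed fingerprint strings.
require 'set'

# Diff a base report against the MR (source head) report.
# added = present in head but not in base; fixed = present in base but not in head.
def compare_reports(base_findings, head_findings)
  base = base_findings.to_set
  head = head_findings.to_set
  { added: (head - base).to_a.sort, fixed: (base - head).to_a.sort }
end

# Constructed scenario 1 (first screenshot): the MR branch changes nothing,
# but the target branch removed "sast:sql-injection:app.rb" after the MR
# branch was created.
MERGE_BASE_REPORT  = %w[sast:sql-injection:app.rb sast:xss:view.erb].freeze
TARGET_HEAD_REPORT = %w[sast:xss:view.erb].freeze
SOURCE_HEAD_REPORT = %w[sast:sql-injection:app.rb sast:xss:view.erb].freeze

# Old behaviour: base pipeline is the target branch head. The finding the MR
# never touched shows up as a difference purely because of the target branch
# moving on (a bogus result for the reviewer).
def diff_against_target_head
  compare_reports(TARGET_HEAD_REPORT, SOURCE_HEAD_REPORT)
end

# New behaviour: base pipeline is the merge base pipeline. No spurious entries.
def diff_against_merge_base
  compare_reports(MERGE_BASE_REPORT, SOURCE_HEAD_REPORT)
end

# Constructed scenario 2 (second screenshot): same branch point, but the MR
# branch introduces one new SAST finding. The merge-base diff still reports it.
SOURCE_HEAD_WITH_NEW_FINDING =
  (SOURCE_HEAD_REPORT + %w[sast:hardcoded-secret:config.rb]).freeze

def diff_with_new_finding
  compare_reports(MERGE_BASE_REPORT, SOURCE_HEAD_WITH_NEW_FINDING)
end

if __FILE__ == $PROGRAM_NAME
  p diff_against_target_head # {:added=>["sast:sql-injection:app.rb"], :fixed=>[]}
  p diff_against_merge_base  # {:added=>[], :fixed=>[]}
  p diff_with_new_finding    # {:added=>["sast:hardcoded-secret:config.rb"], :fixed=>[]}
end
```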
How to set up and validate locally
Create an empty project with this .gitlab-ci.yml:

```yaml
sast:
  script:
    - echo hi
  artifacts:
    reports:
      sast: gl-sast-report.json
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```
Include static report files (copy/paste/modify from other projects or handcraft).
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Issue: #295167 (closed)