Skip to content

Use merge_base_pipeline for security report comparison MR widget

What does this MR do and why?

Use the merge basis for the security widget instead of comparing against the head of the target branch. Comparing against the head causes bogus results to be displayed in the diff the same as diffing the source that way would. I think the list of widgets using the merge basis should be dropped in favor or always using it, but I don't want to block this change with that discussion.

The secrets diff seems broken completely and never works (as I have observed in gitlab.com projects).

Solves Use merge base for security MR widget (&10092 - closed).

Screenshots

Making no changes to vulnerabilities

Target branch removes one vulnerability after the MR branch was created. Ironically, that vulnerability is shown as "fixed" in the MR branch even though it is present in the pipeline report.

BEFORE 1.none.before

AFTER 1.none.after

Adding a vulnerability in MR branch

Same branch point as the first screenshots, but adding a SAST vulnerability to show the diff still works.

BEFORE 2.new.before

AFTER 2.new-after

How to set up and validate locally

Create empty project with .gitlab-ci.yml:

sast:
  script:
    - echo hi
  artifacts:
    reports:
      sast: gl-sast-report.json
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

Include static report files (copy/paste/modify from other projects or handcraft).

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Issue: #295167 (closed)

Edited by Neil McCorrison

Merge request reports

Loading