Skip to content

Update SAST auto-resolution comment to include link with more context

What does this MR do and why?

This merge request updates the vulnerability auto-resolution comment to include a documentation link with more context.

Please note: I disabled the GitLab/DocUrl rubocop for this method because the comment is saved as a System Note (see screenshots below), and therefore, html tags (e.g. <a href=""></a>) are escaped and not displayed. I don't mind using help_page_url helper in principle, but for the use case here, we want to make sure to refer users to our own documentation and not the documentation on their GitLab instance.

Resolves #417087 (closed).

Screenshots or screen recordings

Before After
Screenshot_2023-09-01_at_1.37.24_AM Screenshot_2023-09-01_at_1.36.28_AM

How to set up and validate locally

To validate locally, please do the following:

  • Create a new project or use an existing one.
  • Add some vulnerable code to your project. Check here for some examples.
  • Add a .gitlab-ci.yml file, and include SAST CI template.
  • Run a new pipeline after all code changes above are done. Some vulnerabilties should show up in the Vulnerability Report.
  • Disable one of the predefined rules for semgrep by adding a .gitlab/sast-ruleset.toml file.
  • Make sure the rule you disable matches in type and value with a vulnerability in Vulnerability Report (check identifier column).
  • Run a new pipeline after committing the .gitlab/sast-ruleset.toml file.
  • Validate that the vulnerability was resolved with the correct comment body.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Ahmed Hemdan

Merge request reports

Loading