Update vulnerability_read when vulnerability dismissed
requested to merge 424989-dismissing-finding-does-not-set-dismissal-reason-on-vulnerability into master
What does this MR do and why?
As part of "Implement dismissal_reason field on the Vulnerability::Read model", we updated vulnerabilities/dismiss_service.rb to update the existing state transition. We also updated Vulnerability::Read for the pipeline finding as part of this change.

But we also need to update the Vulnerability::Read model when we are interacting with a finding from a pipeline (when the vulnerability already exists), specifically in the situation where we are changing the state from a non-dismissed state to dismissed.
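The following is an added, stand-alone illustration of the problem this MR describes; it is not GitLab's dismiss_service.rb and the class, struct and method names (DismissService, VulnerabilityRead, sync_read_model!, read_model_consistent?) are assumptions. It models a source-of-truth Vulnerability record, the denormalised read model the vulnerability report queries, and a dismiss service that handles both cases from the description: an already-dismissed vulnerability (update the existing transition) and a non-dismissed one (record a new transition), and in both cases writes the state and dismissal reason through to the read model so the report cannot show a stale "Detected" row for a finding that has been dismissed.

```ruby
# Added example, not GitLab code. Names and the reason list are assumptions.
require 'set'

# Dismissal reasons accepted by the service (constructed sample list).
DISMISSAL_REASONS = %w[acceptable_risk false_positive mitigating_control
                       used_in_tests not_applicable].to_set

# Source-of-truth record, standing in for a Vulnerability row.
Vulnerability = Struct.new(:id, :state, :dismissal_reason, :state_transitions,
                           keyword_init: true)

# Denormalised read model, standing in for Vulnerability::Read; this is the
# table the vulnerability report filters on (state, dismissal_reason badge).
VulnerabilityRead = Struct.new(:vulnerability_id, :state, :dismissal_reason,
                               keyword_init: true)

# One row of the state-transition audit trail shown in the finding modal.
StateTransition = Struct.new(:from_state, :to_state, :dismissal_reason, :comment,
                             keyword_init: true)

class DismissService
  def initialize(vulnerability, read)
    @vulnerability = vulnerability
    @read = read
  end

  # Dismisses the vulnerability and returns the synced read model.
  def execute(dismissal_reason:, comment: nil)
    unless DISMISSAL_REASONS.include?(dismissal_reason)
      raise ArgumentError, "unknown dismissal_reason: #{dismissal_reason.inspect}"
    end

    if @vulnerability.state == 'dismissed'
      # Already dismissed: update the existing (latest) transition in place
      # instead of appending a duplicate one.
      transition = @vulnerability.state_transitions.last
      transition.dismissal_reason = dismissal_reason
      transition.comment = comment
    else
      # Non-dismissed -> dismissed: record a new transition and move the state.
      @vulnerability.state_transitions << StateTransition.new(
        from_state: @vulnerability.state, to_state: 'dismissed',
        dismissal_reason: dismissal_reason, comment: comment
      )
      @vulnerability.state = 'dismissed'
    end
    @vulnerability.dismissal_reason = dismissal_reason

    # The step the MR adds for the pipeline-finding path: without it the
    # report keeps showing the old state and no dismissal-reason badge.
    sync_read_model!
  end

  private

  def sync_read_model!
    @read.state = @vulnerability.state
    @read.dismissal_reason = @vulnerability.dismissal_reason
    @read
  end
end

# Check a reviewer can run over both tables: does the read model agree with
# the vulnerability it denormalises?
def read_model_consistent?(vulnerability, read)
  read.vulnerability_id == vulnerability.id &&
    read.state == vulnerability.state &&
    read.dismissal_reason == vulnerability.dismissal_reason
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a detected DAST finding whose vulnerability already exists.
  vuln = Vulnerability.new(id: 42, state: 'detected', dismissal_reason: nil,
                           state_transitions: [])
  read = VulnerabilityRead.new(vulnerability_id: 42, state: 'detected',
                               dismissal_reason: nil)
  DismissService.new(vuln, read).execute(dismissal_reason: 'false_positive',
                                         comment: 'Scanner noise on test host')
  puts "read model: state=#{read.state} reason=#{read.dismissal_reason}"
  puts "consistent: #{read_model_consistent?(vuln, read)}"
end
```

The consistency check is the part worth keeping around: when a write path is added that touches the vulnerability but not the read model (as happened here), a query comparing the two tables is what surfaces the drift before users notice a dismissed finding still listed as open.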
Screenshots or screen recordings
| Before | After |
|---|---|
| (before screenshot) | (after screenshot) |
How to set up and validate locally
Steps to reproduce
- Go to a pipeline security tab: https://gitlab.com/gitlab-examples/security/security-reports/-/pipelines/997006012/security?severity=MEDIUM&reportType=DAST
- Click info icon of a non-dismissed finding
- Click dismiss vulnerability (add dismissal reason and comment)
- Click Confirm Dismissal
- If you open the modal of the same finding again, you'll see in the event note it's correctly dismissed with the reason and comment you provided
- Go to vulnerability report: https://gitlab.com/gitlab-examples/security/security-reports/-/security/vulnerability_report/?severity=MEDIUM&scanner=GitLab.DAST&state=ALL
- Find the same vulnerability you just dismissed
- Notice that in the table the status is Dismissed
- There should also be a badge for the dismissal reason
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
EE: true
Changelog: fixed
Related to #424989 (closed)
Edited by Michael Becker