Provide instructions for expired results in finding modal
What does this MR do and why?
During the rollout of the `standalone_finding_modal_merge_request_widget` feature flag, I noticed a bug which affects the new finding modal in the context of the "MR security widget" when the pipeline has expired.
Summary of bug
For older MRs where the pipeline has expired there is a discrepancy. Findings are still shown in the "MR security widget" because it uses the report artifacts, while the GraphQL API (which the new modal uses) reads the database records. The finding no longer exists in the database records due to the retention policy, but the report artifacts still exist. Therefore the finding is still shown in the "MR security widget", but when the new modal is opened by clicking the finding, an error message is shown because the finding is not found via the GraphQL API. The old modal did work because it does not use the GraphQL API.
Once "Use security_findings for security MR widget re..." (#390185) is implemented, this discrepancy will be resolved and we can remove this specific warning alert.
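The discrepancy described above, as an added example that is not GitLab's code: the widget reads findings from report artifacts, the modal looks each one up in the database through GraphQL, and a finding removed by retention resolves to `null`. The field names, the `deriveModalState` helper and the sample data are assumptions made for illustration.

```javascript
// Added example (not GitLab's code): models the two data sources behind the
// MR security widget and the standalone finding modal, and the modal state
// that the "no finding" warning alert depends on. Field names are assumptions.

// Constructed sample: findings parsed from the pipeline's report artifacts.
// These are what the MR security widget renders, even after the pipeline expires.
const ARTIFACT_FINDINGS = [
  { uuid: 'a1', name: 'Outdated dependency', severity: 'high' },
  { uuid: 'b2', name: 'Hardcoded secret', severity: 'critical' },
];

// Constructed sample: finding records still present in the database after the
// retention policy has run. Only one of the two artifact findings survives.
const DB_FINDINGS = new Map([
  ['a1', { uuid: 'a1', name: 'Outdated dependency', severity: 'high', description: 'sample' }],
]);

// Simulates the GraphQL lookup the modal performs: a finding that no longer
// exists in the database resolves to null rather than raising an error.
function queryFindingByUuid(uuid) {
  return { data: { finding: DB_FINDINGS.get(uuid) ?? null } };
}

// Derives the modal's rendering decisions from the query state.
// Returns which alert (if any) to show and whether the footer actions render.
function deriveModalState({ loading = false, error = null, data = null } = {}) {
  if (loading) return { alert: null, showFooterActions: false, showDetails: false };
  if (error) return { alert: 'error', showFooterActions: false, showDetails: false };
  if (!data || data.finding === null) {
    // Expired pipeline: the artifact still lists the finding, the database does not.
    // Show the dedicated warning instead of a generic error, and hide the actions
    // (dismiss, create issue, ...) that would all need a database record.
    return { alert: 'no-finding', showFooterActions: false, showDetails: false };
  }
  return { alert: null, showFooterActions: true, showDetails: true };
}

// Reconciles widget rows against the database so the discrepancy is visible
// before a user clicks: returns the uuids that will open to the "no finding" state.
function findingsMissingFromDatabase(artifactFindings, queryFn) {
  return artifactFindings
    .filter((f) => deriveModalState({ ...queryFn(f.uuid) }).alert === 'no-finding')
    .map((f) => f.uuid);
}
```

Calling `findingsMissingFromDatabase(ARTIFACT_FINDINGS, queryFindingByUuid)` returns `['b2']`: the widget shows both rows, but only `a1` opens to a populated modal. The `null` branch in `deriveModalState` is exactly the state the manual validation below reproduces by setting the component's `finding` data to `null` in Vue devtools.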
Example error
Visit https://staging.gitlab.com/govern-team-test/vulnerabilities-feedback-tests/security-reports/-/merge_requests/3 (the feature flag is enabled only on staging), expand the MR Security widget and select one of the findings. You can see that the new modal shows the error. You might also see a console error; this is semi-related but is happening in `mr_widget_security_reports.vue`. It's also related to the fact that no finding is found. I'll look into that in a follow-up.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
| Before | After |
|---|---|
How to set up and validate locally
Prerequisites
- You need an EE license
- You need to have runners enabled (see $2408961 for setting up a runner)
Validate
- Enable the feature flag:
  ```shell
  echo "Feature.enable(:standalone_finding_modal_merge_request_widget)" | gdk rails c
  ```
- Import https://gitlab.com/gitlab-examples/security/security-reports (even if you already have one, import a new one)
- Do not run the pipeline on master yet
- In the `.gitlab-ci.yml` file, comment out lines 3 and 4 so Dependency-Scanning does not run. Commit the change to main directly without an MR.
- Wait until the pipeline is finished
- In the `.gitlab-ci.yml` file, uncomment lines 3 and 4. Commit to a new branch and open an MR.
- In the MR, expand the "MR security widget".
- Select a finding.
- I haven't succeeded in properly expiring the pipeline report (while still allowing the report artifacts to exist), so I suggest mocking the response of a `null` finding: in Vue devtools, find the StandaloneFindingModal component, look for the `finding` data, edit it and set it to `null`.
- Validate that the new "no finding" warning alert is shown and no footer action buttons are shown.