Skip to content

Fix `create_jira_issue_url` for unpersisted vulnerabilities(a.k.a. findings)

Mehmet Emin INAC requested to merge 327480_fix_jira_issue_template into master

What does this MR do and why?

Explanation about the feature

We have 2 different channels that users can create JIRA issues for a security vulnerability. The first one is the "Pipeline Security Tab" and the second one is the "Vulnerability Detail" page which can be accessed by the "Vulnerability Reports".

The "Vulnerability Detail" and "Vulnerability Reports" views work with the Vulnerability entity. Vulnerability means, the security vulnerability is on the default branch and a real threat. On the other hand, the "Pipeline Security Tab" works with the Vulnerabilitis::Finding entities, and the records in that list can be already existing on the default branch or not.

Here we have this if vulnerability.is_a?(Vulnerability) check because we are giving a link back to GitLab and we can create URLs for only the records we have in our database. This means, if the security vulnerability hasn't been merged into the default branch, there is no way to create a URL because it doesn't have an ID.

We have similar checks to this in this file here and here.

What is changed with this MR

This MR changes the template file for the JIRA issue description for security vulnerabilities to do not try to generate backreference URLs. This is necessary as this template is used with both Vulnerability and Vulnerability::Finding records.

Related to #327480 (closed), https://sentry.gitlab.net/gitlab/gitlabcom/issues/2494517.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Mehmet Emin INAC

Merge request reports

Loading