Dependency Scanning: remediation using Resolve with merge request is broken
Summary
The "Resolve with merge request" button in the dependency scanning security dashboard produces an error.
Steps to reproduce
- Import this example project, for example here
- Run a pipeline for the new merge request
- Click on "More info" in the security tab for the pipeline result
- The error message "There was an error creating the merge request" is displayed
Example Project
https://gitlab.com/adamcohen/yarn-autoremediation-test3
What is the current bug behavior?
The error message "There was an error creating the merge request" is displayed.
What is the expected correct behavior?
A new merge request is created with the diff from the dependency scanning report applied.
Relevant logs and/or screenshots
I've reproduced this locally and the following error message shows up in the logs:
2019-12-19_06:14:05.22746 praefect-gitaly-0 : time="2019-12-19T17:14:05+11:00"
level=warning msg="finished streaming call with code FailedPrecondition"
correlation_id=IDUGLxJTVg1 error="rpc error: code = FailedPrecondition desc =
Patch failed at 0001 Fix Vulnerability - Authentication bypass via incorrect DOM
traversal and canonicalization in saml2-js
When you have resolved this problem, run \"git am --continue\".
If you prefer to skip this patch, run \"git am --skip\" instead.
To restore the original branch and stop patching, run \"git am --abort\"."
grpc.code=FailedPrecondition grpc.meta.auth_version=v1
grpc.meta.client_name=gitlab-web grpc.method=UserApplyPatch
grpc.request.deadline="2019-12-19T17:15:00+11:00"
grpc.request.fullMethod=/gitaly.OperationService/UserApplyPatch grpc.service=gitaly.OperationService
grpc.start_time="2019-12-19T17:14:05+11:00"
grpc.time_ms=83.896 peer.address= pid=19262 span.kind=server system=grpc
Interestingly, if you download the patch:
and apply it manually, it works fine:
(~/security-products/yarn-autoremediation-test) (17:18:%) git apply remediation.patch
(~/security-products/yarn-autoremediation-test) (17:18:%) git st
On branch curable
Your branch is up to date with 'origin/curable'.
Changes not staged for commit:
(use "git add <file>..." to update what will be committed)
(use "git checkout -- <file>..." to discard changes in working directory)
modified: yarn.lock
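As an added example (not code from the issue, GitLab or Gitaly), the following shell script contrasts the two commands compared above: `git apply`, as run locally, and `git am`, which the failing UserApplyPatch RPC invokes. The scratch repository, the miniature yarn.lock contents, the fix commit and the file name `remediation.patch` are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the issue, GitLab or Gitaly. UserApplyPatch runs
# `git am`, which applies the patch through the index and records a commit; the
# report's local check used `git apply`, which only rewrites the working tree.
# The two can disagree on the same patch, so a passing `git apply` alone does
# not show that the `git am` path will succeed.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# Constructed miniature yarn.lock; $1 is the saml2-js version to write.
lock_file() {
  printf '# yarn lockfile v1\n\nfoo@^1.0.0:\n  version "1.0.0"\n\n'
  printf 'saml2-js@^%s:\n  version "%s"\n\nzlib@^1.0.0:\n  version "1.0.0"\n' "$1" "$1"
}

# Scratch repo left at the pre-fix state, plus remediation.patch in the mbox
# format `git am` expects (format-patch output of a constructed fix commit).
make_demo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  lock_file 1.0.0 > "$dir/yarn.lock"
  git -C "$dir" add yarn.lock && git -C "$dir" commit -q -m "base"
  lock_file 2.0.0 > "$dir/yarn.lock"
  git -C "$dir" commit -q -am "Fix Vulnerability - constructed saml2-js bump"
  git -C "$dir" format-patch -1 --stdout HEAD > "$dir/remediation.patch"
  git -C "$dir" reset -q --hard HEAD~1
  echo "$dir"
}

# Run both commands on a throwaway copy of the repo (working tree included)
# and report "apply=<ok|fail> am=<ok|fail>". $1 = repo, $2 = patch file.
check_patch() {
  work=$(mktemp -d) && cp -R "$1/." "$work"
  if git -C "$work" apply --check "$2" 2>/dev/null; then a=ok; else a=fail; fi
  if git -C "$work" am -q "$2" >/dev/null 2>&1; then m=ok; else m=fail; fi
  rm -rf "$work"
  echo "apply=$a am=$m"
}

repo=$(make_demo)
check_patch "$repo" "$repo/remediation.patch"   # clean tree: apply=ok am=ok
# An unstaged edit outside the hunk: `git apply` still succeeds against the
# working tree, but `git am` (which runs `git apply --index`) refuses because
# yarn.lock no longer matches the index and reports "Patch failed at 0001 ...".
printf '# local, uncommitted note\n' >> "$repo/yarn.lock"
check_patch "$repo" "$repo/remediation.patch"   # apply=ok am=fail
rm -rf "$repo"
```

Running `check_patch` against a clean clone of the real branch, with the downloaded patch, separates a patch that `git am` cannot apply from one that only fails because of local working tree state.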
Output of checks
This bug happens on GitLab.com
Other considerations
As part of this bug fix, adequate test coverage should be added to ensure this type of issue is caught automatically in the future.