Issues created from Standalone Vulnerabilities should link to specific file versions in finding branch instead of default branch
Summary
Issues created from Standalone Vulnerabilities have the field Location link to the finding on the default branch (i.e. master) instead of linking to a specific commit id.
If lines are added/removed to that file on master (which might be unrelated to the vuln), then the link in the issue points to the wrong line.
NOTE: This has been fixed for the existing Security Dashboards but we need to ensure this same functionality persists once we move to Standalone (i.e. First-Class) Vulnerabilities.
Steps to reproduce
- In a project that has SAST findings & has the first_class_vulnerabilities feature flag enabled, go to the Security Dashboard. (ex. https://gitlab.com/gitlab-org/defend/webgoat/-/security/vulnerabilities)
- Click on a Vulnerability and click on Create Issue from the Vulnerability page.
- In the created issue, inspect the link for Location. It links to master instead of a commit id.
Example Project
https://gitlab.com/gitlab-org/gitaly/issues/2421
What is the current bug behavior?
When an issue is created from a finding, Location links to the version of the file on master.
What is the expected correct behavior?
When an issue is created from a finding, Location links to the version & branch of the file in which the finding was made.
Implementation checklist
- backend
  - Change location from Create Issue to point to location, not default branch
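The line drift described in the summary, as an added example (not part of the original issue and not GitLab's code): a small constructed repository model in which master advances by an unrelated edit after the scan, so a branch-relative Location link highlights the wrong line while a commit-pinned link does not. The commit ids, file contents, finding shape and `gitlab.example.com` URL are all assumptions made for illustration.

```ruby
# Constructed model of a repository: two revisions of one file, with the
# default branch advanced by an unrelated edit after the scan ran.
V1 = <<~'SRC'.lines.map(&:chomp)
  def find_user(id)
    query("SELECT * FROM users WHERE id = #{id}")
  end
SRC
V2 = (["# frozen_string_literal: true", "require 'logger'"] + V1).freeze

REVISIONS = { "1111111" => { "app/users.rb" => V1 },   # scanned commit (constructed id)
              "2222222" => { "app/users.rb" => V2 } }  # later commit on master (constructed id)
BRANCHES  = { "master" => "2222222" }

# A finding as a scanner might report it (hypothetical shape).
FINDING = { file: "app/users.rb", start_line: 2, sha: "1111111" }.freeze

# Resolve a branch name or commit id to a commit id.
def resolve(ref)
  BRANCHES.fetch(ref, ref)
end

# Text that a blob link with #L<line> would highlight at the given ref.
def line_at(ref, file, line)
  REVISIONS.fetch(resolve(ref)).fetch(file)[line - 1]
end

# Blob link in the /-/blob/<ref>/<path>#L<line> form.
def location_url(base, ref, finding)
  "#{base}/-/blob/#{ref}/#{finding[:file]}#L#{finding[:start_line]}"
end

# True when the link at `ref` still highlights the line the scanner flagged.
def link_accurate?(ref, finding)
  flagged = line_at(finding[:sha], finding[:file], finding[:start_line])
  line_at(ref, finding[:file], finding[:start_line]) == flagged
end

if __FILE__ == $PROGRAM_NAME
  base = "https://gitlab.example.com/group/project" # placeholder project URL
  ["master", FINDING[:sha]].each do |ref|
    puts "#{location_url(base, ref, FINDING)} accurate=#{link_accurate?(ref, FINDING)}"
    puts "  -> #{line_at(ref, FINDING[:file], FINDING[:start_line])}"
  end
end
```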