Dismissed vulnerability findings don't always show as dismissed (strike-through)
Summary
Dismissed vulnerability findings don't always show as dismissed (strike-through).
At first glance, it looks as if the correct "state" is provided by the backend in these cases (i.e., "dismissed").
Steps to reproduce
- Visit !37252 (merged)
- Observe the SAST findings in the MR widget
- Note that only the first finding is struck through ("Password in URL")
- Note that the next few findings down (e.g., "Google GCP service account", or "PKCS8 key") are not struck through, but if you open them in modals, have a note saying they were in fact dismissed.
Example Project
Example MR (though I suspect this applies in many places): !37252 (merged)
What is the current bug behavior?
Some (most?) vulnerability findings that have been dismissed are not displayed as struck-through.
What is the expected correct behavior?
Vulnerability findings that have been dismissed should always be displayed as struck-through.
Relevant logs and/or screenshots
This was a video taken from !37252 (merged) at the time of writing.
Output of checks
This bug happens on GitLab.com
Possible fixes
I thought initially this was a project_fingerprint mismatch, but @gonzoyumo pointed out that these findings wouldn't have any feedback attached to them in the modal.
Another possibility is that the isDismissed property on a vulnerability is not reliably set according to the provided data.
[Savas]: My initial guess after digging a bit into this is that the isDismissed property is not set reliably. #231003 (comment 385439861) contains a more detailed explanation on this, but in order to make this more visible directly in the MR description I'm going to quote my findings here as well:
Now that I dug deeper I can see that the app/assets/javascripts/reports/components/report_item.vue file has an issue.isDismissed check to set the strike-through. My initial guess is that this is not set properly. I'm trying to figure out where it's set now. It seems to be this file: ee/app/assets/javascripts/security_dashboard/store/modules/vulnerabilities/mutations.js:98 where we set the isDismissed state.