Vulnerabilities reported in the (blocked) pipeline do not show on the security dashboards
Summary
When a pipeline on the default branch is blocked (e.g. by a manual stage) but its security jobs pass, the pipeline itself still reports the vulnerabilities. The dashboard, however, shows the vulnerabilities from the latest completed default branch pipeline, so the blocked pipeline's findings are not reflected there.
This leads to confusion, since people see that the latest default branch pipeline reports different vulnerabilities than the dashboards do.
Steps to reproduce
- Create a new project. You can clone https://gitlab.com/auto-devops-examples/minimal-ruby-app for simplicity. (You don't have to use a new project, but it makes it easier to see the bug.)
- Configure the project's default branch CI with at least one security scan and with one job (for example, a deploy job) that is set to manual (when: manual) so the pipeline will be blocked.
- Run the pipeline.
- See the vulnerabilities reported in the pipeline security report.
- Go to the project's security dashboard.
- See that the vulnerabilities do not appear on the dashboard.
Example Project
https://gitlab.com/avielle/minimal-ruby-app
What is the current bug behavior?
Vulnerabilities reported by a blocked default branch pipeline do not show up on the security dashboards.
What is the expected correct behavior?
It should behave similarly to failed pipelines (#35182 (closed)).
Output of checks
This bug happens on GitLab.com
Implementation plan
- backend Extend the state transition that initiates the creation of vulnerabilities in the database so that it also covers the blocked pipeline state (https://gitlab.com/gitlab-org/gitlab/blob/master/ee%2Fapp%2Fmodels%2Fee%2Fci%2Fpipeline.rb#L60)
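The following is an added illustration of both the reproduction steps and the implementation plan above; it is not code from GitLab or from the example project. It models, with a toy state machine standing in for the real pipeline state machine in ee/app/models/ee/ci/pipeline.rb, why a blocked pipeline's findings never reach the dashboard and what changes when the blocked state is added to the set of states that persist findings. The .gitlab-ci.yml text, the finding labels, and every name in the block (Pipeline, compare, ORIGINAL_INGEST_STATES, FIXED_INGEST_STATES, FINDINGS_BY_JOB) are constructed assumptions for this example only.

```ruby
require 'yaml'

# Constructed .gitlab-ci.yml following the reproduction steps: one job that
# emits a security report plus one manual job, so the pipeline ends blocked.
# (Assumption: a stand-in, not the example project's actual config.)
CI_CONFIG = <<~YAML
  stages: [test, deploy]
  sast:
    stage: test
    script: [run-sast]
    artifacts:
      reports:
        sast: gl-sast-report.json
  deploy:
    stage: deploy
    when: manual
    script: [deploy]
YAML

# Constructed findings the sast job "reports" (labels are illustrative only).
FINDINGS_BY_JOB = { 'sast' => ['hardcoded-secret', 'weak-hash'] }.freeze

# Pipeline statuses whose transition persists report findings for the dashboard.
# ORIGINAL mirrors the reported behaviour; FIXED follows the implementation plan.
ORIGINAL_INGEST_STATES = %i[success].freeze
FIXED_INGEST_STATES    = %i[success blocked].freeze

class Pipeline
  attr_reader :status, :stored_findings

  def initialize(config_yaml, ingest_states)
    cfg = YAML.safe_load(config_yaml)
    @jobs = cfg.reject { |name, _| name == 'stages' }.map do |name, spec|
      { name: name,
        when: spec.fetch('when', 'on_success'),
        has_report: !spec.dig('artifacts', 'reports').nil?,
        status: :created }
    end
    @ingest_states = ingest_states
    @status = :created
    @stored_findings = [] # what the security dashboard reads from
  end

  # Finish every automatic job successfully; manual jobs wait (:manual).
  def run
    @jobs.each { |j| j[:status] = (j[:when] == 'manual' ? :manual : :success) }
    transition_to(derived_status)
    self
  end

  # Findings shown on the pipeline's own security report: read straight from
  # the report artifacts of the jobs that finished, regardless of pipeline status.
  def report_findings
    @jobs.select { |j| j[:has_report] && j[:status] == :success }
         .flat_map { |j| FINDINGS_BY_JOB.fetch(j[:name], []) }
  end

  private

  # All remaining jobs waiting for manual action => :blocked, else :success.
  def derived_status
    @jobs.any? { |j| j[:status] == :manual } ? :blocked : :success
  end

  # Stand-in for the state-machine callback: findings reach the database only
  # when the pipeline enters one of the ingest states.
  def transition_to(new_status)
    @status = new_status
    @stored_findings = report_findings if @ingest_states.include?(new_status)
  end
end

# Returns [pipeline status, findings on the pipeline page, findings on the dashboard].
def compare(ingest_states)
  p = Pipeline.new(CI_CONFIG, ingest_states).run
  [p.status, p.report_findings, p.stored_findings]
end

if $PROGRAM_NAME == __FILE__
  puts "before fix: #{compare(ORIGINAL_INGEST_STATES).inspect}"
  puts "after fix:  #{compare(FIXED_INGEST_STATES).inspect}"
end
```

With ORIGINAL_INGEST_STATES the pipeline ends in :blocked, its report lists both findings, and the dashboard side stays empty, which is the mismatch described in the summary; with FIXED_INGEST_STATES the same blocked pipeline persists its findings, matching how a failed pipeline already behaves.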
~bug security dashboard backend groupdynamic analysis devopssecure
Edited by Alan (Maciej) Paruszewski