Vulnerability identifier shows as link even though it doesn't have a link
Summary
Identifiers in a vulnerability finding are always rendered as a link even when the identifier doesn't have a URL associated with it.
Steps to reproduce
- Create a vulnerability report with an identifier that doesn't have a link; e.g.:
"identifiers": [ { "type": "test", "name": "1", "value": "1" } ]
- Run a CI pipeline with a job that imports said report; e.g.:
container-scanning: script: - mv fake-report.json gl-container-scanning-report.json artifacts: reports: container_scanning: gl-container-scanning-report.json
- If the pipeline wasn't on the default branch, merge it so the findings show in the vulnerability report
- Open the vulnerability
Example Project
https://gitlab.com/thiagocsf-group/security-reports/-/security/vulnerabilities/4893215
What is the current bug behavior?
The identifier will show in the page as a link.
What is the expected correct behavior?
The identifier doesn't have a link.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Possible fixes
In ee/app/assets/javascripts/vulnerabilities/components/details.vue
line 285, don't use gl-link
when identifier.url
is empty/blank
285 <gl-link :href="identifier.url" data-testid="identifier" target="_blank">
286 {{ identifier.name }}
287 </gl-link>
<a data-testid="identifier" rel="noopener noreferrer" target="_blank" class="gl-link">
1
</a>