Show no warning in Vulnerability Report page when scanning jobs fail because of vulnerabilities
Release notes
Technical change, not needed
Problem to solve
The security scanners are being changed so that they return a non-zero exit code when vulnerabilities are found. In that case the Vulnerability Report shows a warning that scanning jobs have failed, even when those jobs are allowed to fail. This UI is misleading: users might believe the scanning jobs have not been set up properly, when in fact the jobs ran and only failed because they found vulnerabilities.
Proposal
Change the Vulnerability Report page so that it only shows a warning when the scanning jobs fail AND are not allowed to fail.
Implementation plan
- Update EE:Ci::Pipeline#latest_failed_security_builds and its specs
Further details
See current behavior documented in #324634 (comment 530475911)
In a scenario where scanning jobs start to fail, or when scanning jobs fail from the beginning and are allowed to fail, the Vulnerability Report page shows a warning, but the information presented on the page is accurate. This behavior has been tested with failing Dependency Scanning jobs.
The badge is only displayed if the pipeline.latest_failed_security_builds.count is greater than zero.
EE:Ci::Pipeline#latest_failed_security_builds should be changed to reject the Build objects where allow_failure? is true (builds that failed but were allowed to fail). The current implementation is:
def latest_failed_security_builds
security_builds.select(&:latest?)
.select(&:failed?)
end
latest_failed_security_builds isn't used anywhere else.
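The following is an added, stand-alone illustration and not GitLab's own code: a minimal stand-in for EE Ci::Pipeline#latest_failed_security_builds that puts the current filter next to the proposed one and applies the "count greater than zero" badge rule from above to constructed sample builds covering both test cases. The Build struct, the Pipeline class, the job names and the assumption that a job which fails while allowed to fail still reports failed? as true (with only allow_failure? distinguishing it) are all assumptions made for this example.

```ruby
# Added example, not code from GitLab: a minimal stand-in for
# EE Ci::Pipeline#latest_failed_security_builds showing the current filter
# beside the proposed one, plus the "count > 0" badge rule from the issue.

# Constructed stand-in for Ci::Build. Assumption modelled here: a job that
# fails while allowed to fail still has status "failed" (failed? is true), so
# allow_failure? is the only thing that distinguishes it.
Build = Struct.new(:name, :status, :latest, :allow_failure, keyword_init: true) do
  def latest?
    latest
  end

  def failed?
    status == "failed"
  end

  def allow_failure?
    allow_failure
  end
end

class Pipeline
  attr_reader :security_builds

  def initialize(security_builds)
    @security_builds = security_builds
  end

  # Current behaviour: every latest, failed security build counts,
  # including jobs that were allowed to fail.
  def latest_failed_security_builds_current
    security_builds.select(&:latest?)
                   .select(&:failed?)
  end

  # Proposed behaviour: additionally drop builds that were allowed to fail,
  # so only scanning jobs that are genuinely broken remain.
  def latest_failed_security_builds
    security_builds.select(&:latest?)
                   .select(&:failed?)
                   .reject(&:allow_failure?)
  end

  # Badge rule from the issue: warn only when the count is greater than zero.
  def show_failed_scanners_warning?
    latest_failed_security_builds.count > 0
  end
end

# Constructed sample builds (hypothetical job names) covering the two test
# cases in the issue plus a superseded (retried) job that must be ignored
# regardless of its status.
SCANNER_FOUND_VULNS = Build.new(name: "dependency_scanning", status: "failed",
                                latest: true, allow_failure: true)
SCANNER_BROKEN      = Build.new(name: "sast", status: "failed",
                                latest: true, allow_failure: false)
SCANNER_PASSED      = Build.new(name: "secret_detection", status: "success",
                                latest: true, allow_failure: true)
SCANNER_RETRIED     = Build.new(name: "sast", status: "failed",
                                latest: false, allow_failure: false)

# Test case: jobs failed but were allowed to fail -> no warning expected.
ALLOWED_TO_FAIL_PIPELINE = Pipeline.new([SCANNER_FOUND_VULNS, SCANNER_PASSED, SCANNER_RETRIED])
# Test case: a job failed and was NOT allowed to fail -> warning expected.
NOT_ALLOWED_PIPELINE = Pipeline.new([SCANNER_FOUND_VULNS, SCANNER_BROKEN, SCANNER_PASSED])

if __FILE__ == $PROGRAM_NAME
  puts "allowed to fail: current=#{ALLOWED_TO_FAIL_PIPELINE.latest_failed_security_builds_current.count} " \
       "proposed=#{ALLOWED_TO_FAIL_PIPELINE.latest_failed_security_builds.count} " \
       "warning=#{ALLOWED_TO_FAIL_PIPELINE.show_failed_scanners_warning?}"
  puts "not allowed:     warning=#{NOT_ALLOWED_PIPELINE.show_failed_scanners_warning?}"
end
```

With the current filter the allowed-to-fail pipeline still yields one failed build and therefore the misleading badge; with the proposed filter it yields none, while a scanner that failed without allow_failure still triggers the warning. The retried job shows why the latest? check has to stay in place: an old failure that was superseded must not count either way.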
Permissions and Security
No change
Documentation
No change
Availability & Testing
At least 2 test cases are needed:
- UI shows a warning when scanning jobs fail but are NOT allowed to fail
- UI shows NO warning when scanning jobs fail but are allowed to fail
Is this a cross-stage feature?
This is a section-wide issue.
