
Pipeline Security Report: Generic security report items of type `commit` construct an incorrect link when the GitLab instance is under a relative URL

Summary

When a GitLab instance is installed under a relative URL, any generic security report item of type `commit` constructs an incorrect link:

[Screenshot: Screen_Shot_2021-06-21_at_4.10.40_pm]

The link does not include the relative URL which the instance has been set up with.

Note: This only happens on the pipeline's security tab and does not affect the vulnerability details page.

Steps to reproduce

  1. Follow these instructions to run a local instance with a relative URL: https://docs.gitlab.com/ee/install/relative_url.html#enable-relative-url-in-gitlab
  2. Create a new project
  3. Add a `.gitlab-ci.yml` file with the following contents:

     ```yaml
     stages:
       - dast

     dast:
       stage: dast
       image: alpine:3.10.2
       script:
         - pwd
       artifacts:
         reports:
           dast: dast.json
     ```

  4. Add a new file `dast.json` with the contents from: $2136483
  5. Run a pipeline
  6. Go to the pipeline's result and click the "security" tab

Example Project

What is the current bug behavior?

The constructed URL does not include the configured relative URL root, so it points at a non-existent path on the instance.

What is the expected correct behavior?

It should correctly link to the given commit.

Relevant logs and/or screenshots

Output of checks

Results of GitLab environment info


(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:env:info`)

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)

Results of GitLab application Check


(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:check SANITIZE=true`)

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`)

(we will only investigate if the tests are passing)

Possible fixes

POC commit that adds a separate URL coming from the backend, which can safely be used for both the pipeline and vulnerability details views: f15069d2
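
As an added illustration (not GitLab's code and not the POC commit above): the path-only link construction that reproduces the bug, beside a builder that prefixes the relative URL root, plus a guard a unit test could use. The report item field names and the `/gitlab` root are assumptions.

```javascript
// Added example, not GitLab's own code. Shows why a link built from the
// project path alone breaks on a relative-URL instance, and how prefixing
// the configured root fixes it. Field names and the root are assumptions.

// Constructed: instance served under https://host/gitlab
const GITLAB_ROOT = '/gitlab';

// Constructed report item shaped like a generic security report entry
// that points at a commit (field names are assumptions).
const commitItem = {
  type: 'commit',
  projectPath: 'group/project',
  sha: 'abc123def456',
};

// Buggy form: an absolute path built from the project path only. On an
// instance under /gitlab the browser requests /group/project/-/commit/...,
// which the instance does not serve.
function buggyCommitLink(item) {
  return `/${item.projectPath}/-/commit/${item.sha}`;
}

// Join path segments, dropping empty ones and collapsing duplicate slashes,
// so an empty root, "/gitlab" and "/gitlab/" all produce the same result.
function joinPaths(...parts) {
  const segments = parts
    .filter((p) => p !== undefined && p !== null)
    .map((p) => String(p).replace(/^\/+|\/+$/g, ''))
    .filter((p) => p !== '');
  return `/${segments.join('/')}`;
}

// Corrected form: the relative URL root is prefixed; on a root-served
// instance the root is '' and the output equals the plain path.
function commitLink(item, relativeUrlRoot = '') {
  if (item.type !== 'commit') {
    throw new Error(`not a commit item: ${item.type}`);
  }
  return joinPaths(relativeUrlRoot, item.projectPath, '-', 'commit', item.sha);
}

// Regression guard: every rendered href must sit under the instance root.
function isUnderRoot(href, relativeUrlRoot) {
  const root = relativeUrlRoot.replace(/\/+$/, '');
  if (root === '') return href.startsWith('/');
  return href === root || href.startsWith(`${root}/`);
}
```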

Edited by David Pisek