Dismissal of single SAST IaC Pipeline Finding results in mass dismissal

Summary

Dismissal of a single Category:SAST IaC vulnerability results in mass-dismissal of all vulnerabilities

Steps to reproduce

  1. Fork https://gitlab.com/gitlab-org/security-products/tests/ansible
  2. Simplify the CI configuration (which also triggers a new pipeline): https://gitlab.com/theoretick/ansible-goop/-/commit/a352885d42fc5535b587ecfb6d6d6da99eecfe00
  3. Once the pipeline has completed, dismiss a single finding on the pipeline security tab
  4. Reload the page
  5. Note that all findings have been dismissed

Example Project

https://gitlab.com/gitlab-org/security-products/tests/ansible

What is the current bug behavior?

  1. Dismissal of a single finding dismisses multiple findings

What is the expected correct behavior?

  1. Dismissal of a single finding should dismiss only that finding

Relevant logs and/or screenshots

[screenshot attachment: Screen_Shot_2022-01-19_at_2.09.23_PM]

Output of checks

This bug happens on GitLab.com

Possible fixes

This bug occurs because of the way we currently retrieve feedback for findings. Once we move to using UUIDs for feedback, this issue should be resolved.

Implementation plan

  • backend: The Security::FindingsFinder class uses the same dismissed vulnerability for all of the security findings.
    • The vulnerability_for method is most likely the culprit here; its lookup needs to change from project_fingerprint to uuid.
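As an added example (not GitLab's own code), a minimal Ruby model of the lookup described above: the Finding, Vulnerability and FindingsFinderModel names and the sample records are constructed assumptions. With the lookup keyed on project_fingerprint, one dismissal matches every finding that shares that fingerprint; keying on uuid isolates it to the dismissed finding.

```ruby
# Constructed stand-ins for the records involved (not GitLab's models).
Finding = Struct.new(:uuid, :project_fingerprint, :title, keyword_init: true)
Vulnerability = Struct.new(:uuid, :project_fingerprint, :dismissed, keyword_init: true)

# Constructed sample: three IaC findings that share a project_fingerprint
# (assumed, to model the collision) but carry distinct UUIDs.
FINDINGS = [
  Finding.new(uuid: "uuid-1", project_fingerprint: "fp-shared", title: "unencrypted volume"),
  Finding.new(uuid: "uuid-2", project_fingerprint: "fp-shared", title: "public bucket"),
  Finding.new(uuid: "uuid-3", project_fingerprint: "fp-shared", title: "open security group"),
].freeze

# The user dismissed only uuid-2, producing a single dismissed vulnerability record.
VULNERABILITIES = [
  Vulnerability.new(uuid: "uuid-2", project_fingerprint: "fp-shared", dismissed: true),
].freeze

# Simplified model of a findings finder whose vulnerability_for lookup can be
# keyed on either :project_fingerprint (the buggy behaviour) or :uuid (the fix).
class FindingsFinderModel
  def initialize(findings, vulnerabilities, key:)
    @findings = findings
    @key = key
    @index = vulnerabilities.group_by { |v| v.public_send(key) }
  end

  # Returns the vulnerability record matched to this finding under the chosen key.
  def vulnerability_for(finding)
    (@index[finding.public_send(@key)] || []).first
  end

  # UUIDs of findings that the page would render as dismissed.
  def dismissed_uuids
    @findings.select { |f| vulnerability_for(f)&.dismissed }.map(&:uuid)
  end
end

def dismissed_by_fingerprint
  FindingsFinderModel.new(FINDINGS, VULNERABILITIES, key: :project_fingerprint).dismissed_uuids
end

def dismissed_by_uuid
  FindingsFinderModel.new(FINDINGS, VULNERABILITIES, key: :uuid).dismissed_uuids
end

if __FILE__ == $PROGRAM_NAME
  puts "fingerprint lookup: #{dismissed_by_fingerprint.inspect}" # => ["uuid-1", "uuid-2", "uuid-3"]
  puts "uuid lookup:        #{dismissed_by_uuid.inspect}"        # => ["uuid-2"]
end
```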
Edited by Jonathan Schafer