SAST MR Widget displays wrong results
Summary
Originally reported via this ticket (internal only)
If a scan is running for the main branch and a newly created MR triggers a new scan, the MR widget displays "Security report is out of date." and also incorrectly reports previously reported vulnerabilities.
Steps to reproduce
In a SAST-enabled project:
- Trigger a pipeline on main
- While that pipeline is still running, create an MR
Example Project
This project can be used as an example
What is the current bug behavior?
Old vulnerabilities are displayed
What is the expected correct behavior?
Old vulnerabilities shouldn't be displayed
Relevant logs and/or screenshots
Implementation Plan
- backend: modify the `base_pipeline` (and `merge_base_pipeline`, if necessary) method(s) called by `comparison_base_pipeline` to select the latest complete pipeline for use in the comparison of reports.
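The following is an added, stand-alone Ruby model of the selection change described in the implementation plan; it is not GitLab's own code. The `Pipeline` struct, the `latest_pipeline` / `latest_complete_pipeline` helpers, `compare_reports`, the sample pipelines and the set of statuses treated as complete are all assumptions made for the example. It shows why picking the newest pipeline on the target branch is wrong while that pipeline is still running (there is no base report to compare against), and how restricting the choice to the newest complete pipeline gives a usable comparison. The exact fallback the real widget uses when the base report is missing is not modelled.

```ruby
# Added example, not GitLab's own code: a stand-alone model of choosing the
# comparison base pipeline for an MR security-report widget.
#
# Assumptions (hypothetical, not taken from the GitLab code base):
#   - a Pipeline is a Struct with id, ref, sha, status and the list of
#     vulnerability fingerprints its SAST job found (nil while still running)
#   - "success", "failed", "canceled" and "skipped" count as complete;
#     "running", "pending" and "created" do not
#   - pipelines are ordered by id; a larger id means a newer pipeline

Pipeline = Struct.new(:id, :ref, :sha, :status, :findings, keyword_init: true)

COMPLETE_STATUSES = %w[success failed canceled skipped].freeze

# Current (buggy) behaviour as described in the report: take the newest
# pipeline on the target branch, even if it is still running and has not
# produced a report yet.
def latest_pipeline(pipelines, ref)
  pipelines.select { |p| p.ref == ref }.max_by(&:id)
end

# Proposed behaviour: take the newest pipeline on the target branch whose
# status is complete, so the comparison base actually has a report.
def latest_complete_pipeline(pipelines, ref)
  pipelines
    .select { |p| p.ref == ref && COMPLETE_STATUSES.include?(p.status) }
    .max_by(&:id)
end

# Diff two SAST reports by fingerprint. A missing base report cannot be
# compared at all; the example signals that with :out_of_date, which is the
# situation in which the widget shows "Security report is out of date."
def compare_reports(base, head)
  return :out_of_date if base.nil? || base.findings.nil?

  {
    added: head.findings - base.findings,
    fixed: base.findings - head.findings,
    existing: head.findings & base.findings
  }
end

# Constructed sample data (not real scan output):
#   pipeline 10 on main finished earlier and found sql-injection-1 and
#     hardcoded-secret-3;
#   pipeline 12 on main is still running, so it has no report;
#   pipeline 13 is the MR pipeline; sql-injection-1 was fixed, xss-2 is new.
SAMPLE_PIPELINES = [
  Pipeline.new(id: 10, ref: "main", sha: "a1", status: "success",
               findings: ["sql-injection-1", "hardcoded-secret-3"]),
  Pipeline.new(id: 12, ref: "main", sha: "b2", status: "running", findings: nil),
  Pipeline.new(id: 13, ref: "feature", sha: "c3", status: "success",
               findings: ["hardcoded-secret-3", "xss-2"])
].freeze

# Run the widget comparison with a given base-pipeline selector
# (:latest_pipeline or :latest_complete_pipeline) against the sample data.
def widget_result(selector)
  base = send(selector, SAMPLE_PIPELINES, "main")
  head = SAMPLE_PIPELINES.find { |p| p.ref == "feature" }
  compare_reports(base, head)
end

if $PROGRAM_NAME == __FILE__
  puts "buggy selector: #{widget_result(:latest_pipeline).inspect}"
  puts "fixed selector: #{widget_result(:latest_complete_pipeline).inspect}"
end
```

With the buggy selector the base is pipeline 12, which has no report, so the comparison cannot be made; with the fixed selector the base is pipeline 10 and the widget can correctly report xss-2 as added and sql-injection-1 as fixed instead of re-displaying stale results.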
Edited by Gregory Havenga