Add commit link that removed vulnerability
Problem to solve
Today, we indicate when a vulnerability is no longer detected. However, we do not provide users a way to see when or where the vulnerability was removed/resolved. This makes it very difficult to find the specific commit associated with the vulnerability's removal. Security teams want this information so they can easily verify whether the vulnerability was truly fixed or needs further remediation before they mark the vulnerability as Resolved.
Solution
Provide a link to the commit that caused the vulnerability to be marked as no longer detected. Show this link in the activity timeline. The commit can be used to easily find the source pipeline/MR associated with the change if this information is needed.
Verification Steps
- Go to this project
- Go to Secure > Vulnerability report. There should be one vulnerability found.
- Open the vulnerability, and keep it open in a separate tab. The header and footer of the vulnerability should look like:
- In the repository, navigate to the `server.js` file and modify it in your GDK. Change the following line:
  `const productId = req.params;`
  to:
  `const productId = 1;`
- Commit and push the changes.
- Once the pipeline is done running, go back to the Vulnerability report page. Make sure to change the Activity filter from "Still detected" to "No longer detected". A vulnerability should be shown now.
- Click on the vulnerability. It should look like the following screenshot: