No status-comment is created when dismissal reason changes
Summary
On the vulnerability details page, when the dismissal reason is changed (while staying within the dismissed state), a status comment isn't added to the discussions.
Steps to reproduce
- Change the dismissal reason of this vulnerability in the GraphQL explorer:
mutation {
  vulnerabilityDismiss(input: {id: "gid://gitlab/Vulnerability/78477784", dismissalReason: ACCEPTABLE_RISK}) {
    vulnerability {
      id
      stateTransitions {
        nodes {
          dismissalReason
          createdAt
          fromState
          toState
        }
      }
    }
  }
}
- Reload this vulnerability page and notice that the latest status comment mentions the first change to the dismissed status with the false positive dismissal reason: "@lorenzvanherwaarden changed vulnerability status to Dismissed: False Positive"
Example Project
- This project: https://gitlab.com/gitlab-org/govern/threat-insights-demos/vulnerabilities-verification/
- This vulnerability: https://gitlab.com/gitlab-org/govern/threat-insights-demos/vulnerabilities-verification/-/security/vulnerabilities/78477784
What is the current bug behavior?
When the dismissed reason is changed, but the vulnerability status isn't, a status comment isn't created, while a stateTransition is.
What is the expected correct behavior?
A status comment should be added with the correct dismissal reason
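An added example (not GitLab's code) of how the gap described above can be checked from the outside: it reconciles the `stateTransitions` nodes returned by the mutation with the status comments shown on the vulnerability page and reports transitions that no comment accounts for. The timestamps, the initial `DETECTED` state, and the assumption that every dismissal reason is rendered like the quoted "Dismissed: False Positive" comment are constructed for illustration.

```python
import re

# Wording taken from the status comment quoted in this issue.
COMMENT_RE = re.compile(r"changed vulnerability status to (\w+)(?:: (.+))?$")


def label(reason):
    # Assumption: ACCEPTABLE_RISK is rendered as "Acceptable Risk".
    return reason.replace("_", " ").title() if reason else None


def parse_comment(body):
    """Return (STATE, reason label) for a status comment, else None."""
    m = COMMENT_RE.search(body.strip())
    return (m.group(1).upper(), m.group(2)) if m else None


def unannounced_transitions(transitions, comments):
    """Transitions (oldest first) that no status comment accounts for."""
    remaining = [p for p in map(parse_comment, comments) if p]
    missing = []
    for t in sorted(transitions, key=lambda t: t["createdAt"]):
        key = (t["toState"], label(t.get("dismissalReason")))
        if key in remaining:
            remaining.remove(key)  # each comment explains one transition
        else:
            missing.append(t)
    return missing


# Constructed sample data shaped like the stateTransitions nodes above.
TRANSITIONS = [
    {"fromState": "DETECTED", "toState": "DISMISSED",
     "dismissalReason": "FALSE_POSITIVE", "createdAt": "2024-01-01T10:00:00Z"},
    {"fromState": "DISMISSED", "toState": "DISMISSED",
     "dismissalReason": "ACCEPTABLE_RISK", "createdAt": "2024-01-01T10:05:00Z"},
]
# The only status comment present, as quoted in the reproduction steps.
COMMENTS = [
    "@lorenzvanherwaarden changed vulnerability status to Dismissed: False Positive",
]

if __name__ == "__main__":
    for t in unannounced_transitions(TRANSITIONS, COMMENTS):
        print(f'{t["createdAt"]}: {t["fromState"]} -> {t["toState"]} '
              f'({t["dismissalReason"]}) has no status comment')
```

With the sample data, the only transition reported is the `DISMISSED` to `DISMISSED` change to `ACCEPTABLE_RISK`, which is the audit-trail gap this issue describes.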
Edited by Lorenz van Herwaarden