Reflect user comment on vulnerability state change system note
When a user modifies the state (typically dismissal) of a vulnerability, they are able to add a comment. The current designs express a desire to reflect this comment in the system note.
#267582[design_1682361393951.png]
Due caution will be necessary, however: we must carefully check the contents of this field before presenting it, as we will need to check for and appropriately handle:
- Empty comment
- Overlong comment
- Attempted code injection (cross-site scripting) or other tampering.
- Other possible bad behaviour.
Implementation Plan
- backend: modify SystemNotes::VulnerabilitiesService#state_change_body in ee/app/services/system_notes/vulnerabilities_service.rb to include the user comment (if provided) in the system note generated.
Edited by Malcolm Locke
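One way to handle the empty, overlong and injection cases listed above before the comment reaches the system note, as an added example that is not code from the project. The helper names, the 200-character limit and the note wording are assumptions, and it assumes the note text is emitted as plain text into HTML; where the note passes through a Markdown renderer, that renderer's own sanitization is still required.

```ruby
require 'erb'

# Hypothetical limit: the issue does not specify a maximum length.
MAX_COMMENT_LENGTH = 200

# Returns a display-safe single-line comment, or nil when there is
# nothing worth showing (nil, empty or whitespace-only input).
def sanitize_state_change_comment(raw, max_length: MAX_COMMENT_LENGTH)
  return nil if raw.nil?

  # Drop invalid byte sequences, then replace control characters
  # (including newlines, which could fake extra note lines) and
  # collapse whitespace runs into single spaces.
  text = raw.to_s.scrub('')
            .gsub(/[[:cntrl:]]+/, ' ')
            .gsub(/\s+/, ' ')
            .strip
  return nil if text.empty?

  # Truncate BEFORE escaping so an entity such as &lt; is never cut
  # in half, which would leave broken markup in the note.
  text = "#{text[0, max_length - 1]}…" if text.length > max_length

  # Escape & < > " ' so the comment is rendered as text, not markup.
  ERB::Util.html_escape(text)
end

# Builds the note body. The wording is constructed for this example
# and is not the project's actual system note text.
def state_change_body(state, comment = nil)
  body = "changed vulnerability status to #{state}"
  safe = sanitize_state_change_comment(comment)
  safe ? %(#{body} with the following comment: "#{safe}") : body
end
```
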