Dismissing a finding from the pipeline modal does not set the vulnerability dismissed_at and dismissed_by
Why are we doing this work
The migration done in #405032 (comment 1382464652) left a few thousand rows behind. As @plafoucriere reported it in the original issue, we'd like to finish the migration so the affected project has correct data.
Update: this seems to be caused by something else. The example vulnerabilities were created after the bug was fixed and after the migration finished. Also, the information displays in the UI but not in GraphQL (see internal comment).
The issue seems to be that the GraphQL mutation used to dismiss a finding from the pipeline page does not set Vulnerability#dismissed_by and Vulnerability#dismissed_at. Ultimately this appears to be due to Security::Findings::DismissService#create_and_dismiss_vulnerability not setting these attributes.
Implementation plan
- Update Security::Findings::DismissService#create_and_dismiss_vulnerability to use Vulnerabilities::DismissService
- see https://gitlab.com/gitlab-org/gitlab/-/blob/b4e9e041e6f31de4643407f14544d6881ebe0264/ee/app/graphql/mutations/vulnerabilities/dismiss.rb#L31-33 for an example
Verification steps
- Visit a project with a vulnerability finding on a pipeline.
- Go to 'Pipelines -> Pipeline -> Security'
- Click on a vulnerability and in the resulting modal click 'Add comment and dismiss'
- Fill in a comment and click 'Add comment and dismiss'
- Visit 'Security -> Vulnerability Report', change the status filter to 'Dismissed' and find the correct vulnerability id.
- Run the following GraphQL query substituting the correct VULN_ID:
    query {
      vulnerability(id: "gid://gitlab/Vulnerability/VULN_ID") {
        id
        title
        updatedAt
        dismissedAt
        dismissedBy {
          id
        }
      }
    }
- Check that dismissed_at and dismissed_by in the response are not null
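
The last verification step can be scripted. The following is an added example, not part of the original issue or GitLab's code: it checks the JSON response to the query above for the missing dismissal metadata. The function name and the sample responses (ids, title, timestamps) are constructed for illustration.

```ruby
require 'json'
require 'time'

# Constructed sample responses to the query above (ids and timestamps are made up).
MISSING_METADATA = <<~JSON
  {"data":{"vulnerability":{"id":"gid://gitlab/Vulnerability/1","title":"Sample finding",
   "updatedAt":"2023-05-10T12:00:00Z","dismissedAt":null,"dismissedBy":null}}}
JSON
COMPLETE_METADATA = <<~JSON
  {"data":{"vulnerability":{"id":"gid://gitlab/Vulnerability/1","title":"Sample finding",
   "updatedAt":"2023-05-10T12:00:00Z","dismissedAt":"2023-05-10T12:00:00Z",
   "dismissedBy":{"id":"gid://gitlab/User/1"}}}}
JSON

# Hypothetical helper: returns a list of problems found in the response;
# an empty list means both dismissal fields are present and well-formed.
def dismissal_audit_problems(response_json)
  body = JSON.parse(response_json)
  return ['unexpected response shape'] unless body.is_a?(Hash)
  if body['errors']
    return ["GraphQL errors: #{body['errors'].map { |e| e['message'] }.join('; ')}"]
  end

  vuln = body.dig('data', 'vulnerability')
  return ['vulnerability is null (wrong VULN_ID or no access)'] if vuln.nil?

  problems = []
  if vuln['dismissedAt'].nil?
    problems << 'dismissedAt is null'
  else
    begin
      Time.iso8601(vuln['dismissedAt'])
    rescue ArgumentError
      problems << "dismissedAt is not an ISO 8601 timestamp: #{vuln['dismissedAt']}"
    end
  end
  dismisser = vuln['dismissedBy']
  problems << 'dismissedBy is null' if dismisser.nil?
  problems << 'dismissedBy has no id' if dismisser && dismisser['id'].to_s.empty?
  problems
rescue JSON::ParserError => e
  ["response is not JSON: #{e.message}"]
end

if __FILE__ == $PROGRAM_NAME
  puts dismissal_audit_problems(MISSING_METADATA).inspect
  puts dismissal_audit_problems(COMPLETE_METADATA).inspect
end
```

A null `vulnerability` is reported separately from null dismissal fields, so a wrong id or missing permission is not mistaken for the bug described here.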