Explain This Vulnerability: Fix cached AI responses sometimes returning before they're subscribed to
For the Explain This Vulnerability feature on the vulnerability details page, when the user clicks the "Try it out" button, we immediately call a GraphQL mutation to do the AI request, but at the same time we also subscribe to a GraphQL subscription to get the AI response.
Previously, this didn't cause problems because it always takes the AI service at least several seconds to respond, so the subscription was always ready before the response message came through it.
Now that we cache the AI response and it responds quickly, sometimes the response is sent before the subscription is ready, and the message is lost. This causes the drawer to infinitely show the loading state because it's waiting for a message that it already missed.
This is only reproducible on production. Locally, the subscription is ready too quickly, but on production it's slower, giving the cached response time to get ahead of it.
Example production vulnerability that can reproduce the issue: https://gitlab.com/gitlab-org/security-products/tests/webgoat.net/-/security/vulnerabilities/88473794
Implementation plan
Wait for the subscription to be ready before doing the AI request GraphQL mutation. There's no way to directly observe the confirm_subscription message through Vue Apollo v3 (they only added a loading state to subscriptions in v4), but we can infer it because once the subscription is ready, we will always get an empty aiCompletionResponse. We currently ignore this, but we can hook into it instead: