
Create issue from MR finding sets created vulnerability state to confirmed instead of detected

In !130390 (merged) we switched from using the deprecated Projects::VulnerabilityFeedbackController#create REST endpoint to using the securityFindingCreateIssue GraphQL mutation when creating an issue from the Pipeline -> Security tab.

In both the old and new implementations, when the issue is created, a vulnerability is also created. Unfortunately the GraphQL mutation sets the vulnerability state to confirmed when the vulnerability is created, instead of detected.

The original REST call creates the vulnerability as either dismissed or detected.

The GraphQL service sets the state to confirmed.

Note that, as well as 'create issue from finding', 'create MR from finding' also sets the state to confirmed, which is probably also incorrect.

Verification steps

  • Visit this verification MR which introduces a new finding into the verification project
  • Go to Pipeline -> Security on the MR pipeline
  • Click the 'Create Issue' button on the right hand side
  • Go to Security -> Vulnerability Report in the main nav
  • The MR vulnerability should not be visible
  • Merge the MR
  • Go to the vulnerability report
  • Filter the vulnerabilities by only 'Needs triage' under 'Status' and 'Has issue' under 'Activity'
  • The vulnerability should be visible

This duplicates the steps in the E2E test, which was quarantined before this issue was addressed.
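The same check can be run against the API instead of clicking through the Vulnerability Report. The script below is an added example, not code from GitLab or from this issue: it queries the project's issue-linked vulnerabilities over GraphQL and reports any whose state is not DETECTED (the 'Needs triage' status in the UI). It assumes the public schema's Project.vulnerabilities field with the hasIssues filter and the VulnerabilityState enum values; the GitLab URL, token and project path are caller-supplied, and the sample response embedded for offline use is constructed.

```python
"""Check which state an issue-linked vulnerability ends up in via GraphQL.

Added example (not GitLab project code). Assumptions: the query shape
follows GitLab's published GraphQL schema (Project.vulnerabilities with
`hasIssues`, VulnerabilityState values DETECTED / CONFIRMED / RESOLVED /
DISMISSED); confirm field names against /-/graphql-explorer on your instance.
"""
import json
import urllib.request

# Query equivalent to filtering the Vulnerability Report by 'Has issue'.
# State is deliberately not filtered so a wrongly CONFIRMED entry still shows up.
VULNS_WITH_ISSUES = """
query($fullPath: ID!) {
  project(fullPath: $fullPath) {
    vulnerabilities(hasIssues: true, first: 100) {
      nodes { id title state }
    }
  }
}
"""


def build_request(gitlab_url: str, token: str, full_path: str) -> urllib.request.Request:
    """Build the POST to /api/graphql; nothing is sent here."""
    body = json.dumps({"query": VULNS_WITH_ISSUES,
                       "variables": {"fullPath": full_path}}).encode()
    return urllib.request.Request(
        f"{gitlab_url.rstrip('/')}/api/graphql",
        data=body,
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},
        method="POST",
    )


def fetch(gitlab_url: str, token: str, full_path: str) -> dict:
    """Send the request and decode the JSON body (network; not used offline)."""
    with urllib.request.urlopen(build_request(gitlab_url, token, full_path)) as resp:
        return json.load(resp)


def states_by_title(response: dict) -> dict:
    """Map vulnerability title -> state from a GraphQL response body."""
    nodes = response["data"]["project"]["vulnerabilities"]["nodes"]
    return {n["title"]: n["state"] for n in nodes}


def not_needs_triage(response: dict) -> list:
    """Titles of issue-linked vulnerabilities whose state is not DETECTED.

    A vulnerability created by 'Create issue' from Pipeline -> Security should
    be DETECTED ('Needs triage'); CONFIRMED is the symptom this issue describes.
    """
    return sorted(t for t, s in states_by_title(response).items() if s != "DETECTED")


# Constructed sample response, shaped like the API reply, so this runs offline.
SAMPLE_RESPONSE = {
    "data": {"project": {"vulnerabilities": {"nodes": [
        {"id": "gid://gitlab/Vulnerability/1", "title": "Hardcoded secret", "state": "DETECTED"},
        {"id": "gid://gitlab/Vulnerability/2", "title": "SQL injection", "state": "CONFIRMED"},
    ]}}}
}

if __name__ == "__main__":
    # Against a live instance: fetch(url, token, "group/verification-project")
    print(not_needs_triage(SAMPLE_RESPONSE))  # ['SQL injection']
```

Run it after merging the verification MR; an empty list means the new vulnerability landed in 'Needs triage' as expected, while a non-empty list names the entries that were created as confirmed (or another non-detected state).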

Edited by Malcolm Locke