
Bug: Resolve MR link appearing in ETV

There's an edge case between "Explain this vulnerability" and "Resolve with AI": the MR link produced by the resolve action appears in the "Explain this vulnerability" drawer when the user triggers multiple AI actions in a very specific order:

Click on the "Explain this vulnerability" 
  |--> immediately close the drawer 
    |--> click on the "Resolve with AI" 
      |--> immediately click on the "Explain this vulnerability" 
Screenshot/video: mr-link-appearing-in-etv

Steps to reproduce

  1. Have the related feature flag enabled: echo "Feature.enable(:resolve_vulnerability_ai)" | rails c
  2. You'll need an EE license to run a pipeline that generates a vulnerability report.
  3. Fork https://gitlab.com/gitlab-org/security-products/tests/webgoat.net
  4. Run a pipeline against the default branch. It will generate vulnerabilities.
  5. Go to the project vulnerability report page
  6. Click on the "Explain this vulnerability", and immediately close the drawer
  7. Click on the "Resolve with AI", and immediately click on the "Explain this vulnerability"

Note: this can be quite tricky to reproduce. Tips:

  1. An easy way to trigger it is to time how long it takes on average to create the MR, then open the Explain Vulnerability drawer a second or two before that.
  2. OR, to make it even easier, comment out the code that redirects the user and make the drawer not call the aiAction mutation when it's opened. Then just click the resolve button, open the drawer, and wait. You can use this patch > reproduce-ai-race-problem.patch

Example Project

https://gitlab.com/gitlab-org/govern/threat-insights-demos/verification-projects/webgoat.net-for-issue-428133

What is the expected correct behavior?

The "Explain this vulnerability" drawer should NOT display the MR link generated by "Resolve with AI".

Possible fixes

We can fix it by sending a different aiAction variable for explain vuln and resolve vuln: https://gitlab.com/gitlab-org/gitlab/-/blob/9c2a34e90127eb54dd230a4eaa575262e6ba2a[…]hared/subscriptions/ai_completion_response.subscription.graphql

The aiAction variable only accepts enum values, and currently the enum only supports CHAT, so some backend updates will also be needed.


  1. backend adds support for "RTV" and "ETV" in action_enum.rb
  2. frontend updates the subscription and sends a different aiAction variable:
    1. RTV: headers.vue
    2. ETV: explain_vulnerability_drawer
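The following is an added illustration, not GitLab code: a small model of why the shared subscription leaks the resolve result into the drawer, and how a per-action aiAction variable stops it. It assumes a backend that tags each completion with the action that produced it and a subscription filter that matches on the subscribed variables; the vulnerability id and response contents are constructed sample values.

```javascript
// Model of one aiCompletionResponse stream per resource. Both the Explain
// drawer and the Resolve header subscribe with a set of variables; the
// backend publishes every completion for the resource to matching subscribers.
// (Assumption for this example: responses carry the aiAction that produced them.)
class CompletionStream {
  constructor() {
    this.subscribers = new Set();
  }

  // Like a GraphQL subscription: returns an unsubscribe function, which is
  // what happens when the drawer is closed.
  subscribe(variables, onResponse) {
    const sub = { variables, onResponse };
    this.subscribers.add(sub);
    return () => this.subscribers.delete(sub);
  }

  // Deliver a completion to every subscriber whose variables match it.
  publish(response) {
    for (const sub of this.subscribers) {
      const matches = Object.entries(sub.variables).every(
        ([key, value]) => response[key] === value,
      );
      if (matches) sub.onResponse(response);
    }
  }
}

const VULN_ID = 'gid://gitlab/Vulnerability/42'; // constructed sample id

// Replay the click sequence from the bug report. With distinctActions=false
// both components subscribe with aiAction: CHAT (current behaviour); with
// distinctActions=true the drawer uses ETV and the header uses RTV (proposed fix).
function simulateRace({ distinctActions }) {
  const stream = new CompletionStream();
  const drawerShown = []; // what the Explain drawer rendered
  const headerShown = []; // what the Resolve header rendered
  const explainAction = distinctActions ? 'ETV' : 'CHAT';
  const resolveAction = distinctActions ? 'RTV' : 'CHAT';
  const explainVars = { resourceId: VULN_ID, aiAction: explainAction };
  const resolveVars = { resourceId: VULN_ID, aiAction: resolveAction };

  // 1. Click "Explain this vulnerability": drawer subscribes, mutation fires.
  let closeDrawer = stream.subscribe(explainVars, (r) => drawerShown.push(r.content));
  // 2. Immediately close the drawer: subscription torn down.
  closeDrawer();
  // 3. Click "Resolve with AI": header subscribes, MR-creating mutation fires.
  stream.subscribe(resolveVars, (r) => headerShown.push(r.content));
  // 4. Immediately re-open the drawer: it subscribes again and fires its mutation.
  closeDrawer = stream.subscribe(explainVars, (r) => drawerShown.push(r.content));

  // The resolve request completes first (MR creation takes a while)...
  stream.publish({
    resourceId: VULN_ID,
    aiAction: resolveAction,
    content: 'MR link: /group/project/-/merge_requests/1',
  });
  // ...then the explanation arrives.
  stream.publish({
    resourceId: VULN_ID,
    aiAction: explainAction,
    content: 'Explanation: the input is passed to the query unsanitized',
  });

  return { drawerShown, headerShown };
}

console.log('shared CHAT action:', simulateRace({ distinctActions: false }));
console.log('distinct actions:  ', simulateRace({ distinctActions: true }));
```

With a shared CHAT value the drawer's second subscription is live when the resolve completion is published, so the MR link is rendered in the drawer (and the header also receives the explanation it never asked for). Once the variable differs per action, each component only sees its own completions, regardless of the click timing.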
Edited by Samantha Ming