Pipeline Security Listing - GraphQL: Jira issues are not showing as expected
The GraphQL version of the pipeline security report (the `pipeline_security_dashboard_graphql` feature flag must be enabled to view it) does not show Jira issues, but GitLab issues instead:
| Jira Config | Pipeline Security Report |
|---|---|
| (screenshot) | (screenshot) |
We have to support fetching the external issues by modifying the GraphQL query in the frontend. But even with that in place (see WIP MR), the response sporadically returns `null` for the `issue` (originally called `externalIssue`) field.
On the vulnerability report page (where the frontend DOES already fetch the external issues) we see the same thing: the `issue` in the `VulnerabilityExternalIssueLink` is sporadically `null` (see the GraphQL response below, in details) for a vulnerability which has a Jira issue created via the GraphQL mutation.
GraphQL response (vulnerability report):

```json
{
  "data": {
    "project": {
      "id": "gid://gitlab/Project/19",
      "vulnerabilities": {
        "nodes": [
          {
            "id": "gid://gitlab/Vulnerability/574",
            "title": "eval with argument of type Identifier",
            "state": "DETECTED",
            "severity": "CRITICAL",
            "detectedAt": "2024-02-26T11:20:15Z",
            "dismissalReason": null,
            "vulnerabilityPath": "/gitlab-org/security-reports/-/security/vulnerabilities/574",
            "resolvedOnDefaultBranch": false,
            "userNotesCount": 0,
            "falsePositive": false,
            "hasRemediations": false,
            "issueLinks": {
              "nodes": [],
              "__typename": "VulnerabilityIssueLinkConnection"
            },
            "mergeRequest": null,
            "identifiers": [
              {
                "externalType": "eslint_rule_id",
                "name": "ESLint rule ID security/detect-eval-with-expression",
                "__typename": "VulnerabilityIdentifier"
              },
              {
                "externalType": "cwe",
                "name": "CWE-95",
                "__typename": "VulnerabilityIdentifier"
              }
            ],
            "location": {
              "blobPath": "/gitlab-org/security-reports/-/blob/7ebbbc843b903524bbaa5abe73f3c63f5bb7e873/src/html/index.html",
              "file": "src/html/index.html",
              "startLine": "15",
              "__typename": "VulnerabilityLocationSast"
            },
            "project": {
              "id": "gid://gitlab/Project/19",
              "nameWithNamespace": "Gitlab Org / Security Reports",
              "__typename": "Project"
            },
            "reportType": "SAST",
            "scanner": {
              "id": "gid://gitlab/Representation::VulnerabilityScannerEntry/546",
              "vendor": "GitLab",
              "__typename": "VulnerabilityScanner"
            },
            "__typename": "Vulnerability",
            "externalIssueLinks": {
              "nodes": [
                {
                  "id": "gid://gitlab/Vulnerabilities::ExternalIssueLink/1",
                  "issue": null,
                  "__typename": "VulnerabilityExternalIssueLink"
                }
              ],
              "__typename": "VulnerabilityExternalIssueLinkConnection"
            }
          },
          ...
        ],
        "pageInfo": {
          "hasNextPage": false,
          "hasPreviousPage": false,
          "startCursor": "eyJzZXZlcml0eSI6ImNyaXRpY2FsIiwidnVsbmVyYWJpbGl0eV9pZCI6IjU3NCJ9",
          "endCursor": "eyJzZXZlcml0eSI6ImxvdyIsInZ1bG5lcmFiaWxpdHlfaWQiOiI1NjgifQ",
          "__typename": "PageInfo"
        },
        "__typename": "VulnerabilityConnection"
      },
      "__typename": "Project"
    }
  }
}
```
`::Projects::Integrations::Jira::ByIdsFinder.new(object.vulnerability.project, issue_ids).execute` also returns `nil` in `external_issue_resolver.rb#L26`.
How to reproduce / Setup
As a prerequisite, you need a Jira account with an API token. A free or trial account is enough.
- Navigate to a project's "Settings -> Integrations -> Jira (configure)"
- Enable the integration + Jira Issues + "Jira issue creation from vulnerabilities" (see screenshot above)
- Navigate to the project's pipeline security dashboard
Possible fix
We need to fetch the vulnerability `externalIssueLinks` on the pipeline listing page.
Verification steps
- Go to https://gitlab.com/gitlab-org/govern/threat-insights-demos/verification-projects/verify-jira-activity-column/-/pipelines/1262366292/security
- Verify that in the activity column of the critical vulnerability there is an issue badge. Hovering the badge shows the link to the Jira issue. Clicking the link opens the correct Jira issue in a new tab. (You might need to refresh the page because of the reactive cache: if the query was not requested recently, the first request starts a background job and returns without the Jira issues; once that job has finished, the next request includes them.)
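The sporadic `null` described above and the reactive-cache behaviour noted in the verification steps, modelled as an added example. This is not GitLab's `ReactiveCaching` module or the real `ByIdsFinder`; the class names, the in-process job queue and the sample Jira issue are constructed for illustration only. It shows why the first read of an uncached lookup yields `nil` (and therefore `"issue": null` in the response) while a later read, after the background job has run, returns the data:

```ruby
# Added illustration, not GitLab's ReactiveCaching or ByIdsFinder: a minimal
# model of a reactive cache in front of a slow external lookup. The first read
# of a key returns nil and schedules a background refresh; reads after the job
# has finished return the cached value.

# Constructed sample of what the Jira lookup would return; not real data.
JIRA_ISSUES = {
  'SEC-1' => {
    'key' => 'SEC-1',
    'summary' => 'eval with argument of type Identifier',
    'web_url' => 'https://example.atlassian.net/browse/SEC-1'
  }
}.freeze

# Stand-in for the background job queue (Sidekiq in GitLab). Jobs are stored
# and only run when +drain+ is called, so a request never waits on them.
class BackgroundQueue
  attr_reader :jobs

  def initialize
    @jobs = []
  end

  def enqueue(job)
    @jobs << job
  end

  def drain
    @jobs.shift.call until @jobs.empty?
  end
end

# Hypothetical finder with reactive-cache semantics.
class ReactiveJiraFinder
  def initialize(queue, fetcher)
    @queue = queue
    @fetcher = fetcher # callable: ids -> { id => issue }
    @cache = {}
    @scheduled = {}
  end

  # Returns the cached issues for +ids+, or nil on a cache miss. A miss
  # schedules exactly one refresh job per key and returns immediately.
  def execute(ids)
    key = ids.sort
    return @cache[key] if @cache.key?(key)

    unless @scheduled[key]
      @scheduled[key] = true
      @queue.enqueue(lambda do
        @cache[key] = @fetcher.call(key)
        @scheduled.delete(key)
      end)
    end
    nil
  end
end

# What a resolver built on such a finder hands back for one external issue
# link: nil while the cache is cold, the issue hash once it is warm.
def resolve_external_issue(finder, issue_id)
  issues = finder.execute([issue_id])
  issues && issues[issue_id]
end

# Two consecutive reads of the same link, with the background job running in
# between. Returns [first_read, second_read].
def walk_through(issue_id)
  queue = BackgroundQueue.new
  finder = ReactiveJiraFinder.new(queue, ->(ids) { JIRA_ISSUES.slice(*ids) })

  first = resolve_external_issue(finder, issue_id) # nil: miss, job queued
  queue.drain                                      # background job runs
  second = resolve_external_issue(finder, issue_id) # served from cache

  [first, second]
end

if __FILE__ == $PROGRAM_NAME
  first, second = walk_through('SEC-1')
  puts "first read:  #{first.inspect}"
  puts "second read: #{second.inspect}"
end
```

A frontend consuming such a resolver has to treat `issue: null` on a link as "not loaded yet" rather than "no issue", and refetch; a second read issued before the job has run still returns nil without scheduling a duplicate job.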