
Security widget contradicts the security bot comment

Summary

When a merge request approval policy is enabled, the merge request security widget contradicts the security bot comment when the target branch has received several commits and its latest pipeline does not have a security report.

Steps to reproduce

  1. Have a merge request approval policy in place.
  2. Create branch B from the master branch (so both branches have the same vulnerabilities).
  3. Make sure the latest commit on master does not have a pipeline or a security report.
  4. Create a merge request (using a merged results pipeline), introduce a change that does not add new vulnerabilities, and run the pipeline with GitLab Advanced SAST.
  5. When the pipeline completes, observe that the MR requires approval. The security scanning widget lists existing vulnerabilities as potential new vulnerabilities, and the security bot comment reports existing vulnerabilities as new vulnerabilities (note the bot comment).
  6. Run a pipeline on master with GitLab Advanced SAST. Once the pipeline completes, there should be a security report.
  7. Observe that the MR security scanning widget updates to "Security scanning detected no new potential vulnerabilities" and the security bot updates its comment to report no security violation.
  8. Add a new commit or trigger a pipeline for master that does not run GitLab Advanced SAST and wait for the pipeline to complete.
  9. Observe that the MR security scanning widget does not change, but the bot updates its comment back to the one observed when there was no report on the target branch.

policy.yml:
approval_policy:
  - name: test security scanning
    description: ''
    enabled: true
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers_ids:
          - 786864
          - 9933365
          - 10876411
          - 11418272
      - type: send_bot_message
        enabled: true
    rules:
      - type: scan_finding
        scanners:
          - sast
        vulnerabilities_allowed: 0
        severity_levels:
          - critical
          - high
          - medium
        vulnerability_states: []
        branches:
          - develop
    approval_settings:
      block_branch_modification: false
      prevent_pushing_and_force_pushing: false
      prevent_approval_by_author: false
      prevent_approval_by_commit_author: false
      remove_approvals_with_new_commit: false
      require_password_to_approve: false
    fallback_behavior:
      fail: closed
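The following is an added model, not GitLab code, of how a scan_finding approval policy such as the one above decides whether the MR needs approval, depending on which target-branch pipeline is taken as the vulnerability baseline. It replays steps 3, 6 and 8 with constructed findings. Matching findings by a stable uuid is an assumption, as is the idea that one component compares against the latest target-branch pipeline regardless of reports while the other compares against the latest pipeline that actually has a SAST report; that split is simply the choice that reproduces the observations in steps 5 to 9 and is not a claim about GitLab's implementation.

```python
"""Added model (not GitLab code) of scan_finding policy evaluation against
two possible target-branch baselines. Sample findings are constructed."""
from dataclasses import dataclass
from typing import Optional

POLICY_SEVERITIES = {"critical", "high", "medium"}  # severity_levels from policy.yml
VULNERABILITIES_ALLOWED = 0                           # vulnerabilities_allowed from policy.yml


@dataclass(frozen=True)
class Finding:
    uuid: str       # assumed stable identifier used to match findings across pipelines
    severity: str


@dataclass
class Pipeline:
    id: int
    ref: str
    # None means the pipeline ran no SAST job and so produced no SAST report
    sast_findings: Optional[list]


def latest(pipelines, ref):
    """Most recent pipeline on ref (highest id), whether or not it has a report."""
    cands = [p for p in pipelines if p.ref == ref]
    return max(cands, key=lambda p: p.id) if cands else None


def latest_with_report(pipelines, ref):
    """Most recent pipeline on ref that carries a SAST report."""
    cands = [p for p in pipelines if p.ref == ref and p.sast_findings is not None]
    return max(cands, key=lambda p: p.id) if cands else None


def new_findings(mr_pipeline, baseline):
    """Findings in the MR pipeline that are absent from the baseline.
    With no baseline report every finding counts as new, which is the
    behaviour step 5 shows."""
    if baseline is None or baseline.sast_findings is None:
        base = set()
    else:
        base = set(baseline.sast_findings)
    return [f for f in (mr_pipeline.sast_findings or []) if f not in base]


def requires_approval(mr_pipeline, baseline):
    """Policy rule: more than vulnerabilities_allowed new findings at the
    configured severities means approval is required."""
    matched = [f for f in new_findings(mr_pipeline, baseline)
               if f.severity in POLICY_SEVERITIES]
    return len(matched) > VULNERABILITIES_ALLOWED


def evaluate(pipelines, mr_pipeline, target_ref="master"):
    """Verdict under both baseline choices, so a disagreement is visible."""
    return {
        "latest_pipeline": requires_approval(mr_pipeline, latest(pipelines, target_ref)),
        "latest_with_report": requires_approval(
            mr_pipeline, latest_with_report(pipelines, target_ref)),
    }


def reproduce_steps():
    """Replay steps 3, 6 and 8 of the report with constructed findings."""
    existing = [Finding("vuln-A", "high"), Finding("vuln-B", "medium")]
    # The MR pipeline reports exactly the pre-existing findings (no new ones).
    mr = Pipeline(id=300, ref="refs/merge-requests/29/merge", sast_findings=list(existing))

    target = [Pipeline(100, "master", None)]                 # step 3: no report on master
    step5 = evaluate(target, mr)
    target.append(Pipeline(200, "master", list(existing)))   # step 6: SAST ran on master
    step7 = evaluate(target, mr)
    target.append(Pipeline(250, "master", None))             # step 8: later pipeline, no SAST
    step9 = evaluate(target, mr)
    return step5, step7, step9


if __name__ == "__main__":
    for label, verdict in zip(("step 5", "step 7", "step 9"), reproduce_steps()):
        print(label, verdict)
```

At step 9 the two baselines disagree: the latest-pipeline baseline has no report, so every existing finding is treated as new again, while the latest-with-report baseline still matches them all. Any two components that pick different baselines will therefore show the inconsistency described in step 9, and until master has a fresh pipeline with a SAST report the policy blocks on findings that were already present.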

Example Project

https://gitlab.com/rotanak_ultimate_group/training/sast-railsgoat/-/merge_requests/29

What is the current bug behavior?

What is the expected correct behavior?

Relevant logs and/or screenshots


Output of checks

This bug happens on GitLab.com

Results of GitLab environment info

Results of GitLab application Check


(For installations with omnibus-gitlab package run and paste the output of: sudo gitlab-rake gitlab:check SANITIZE=true)

(For installations from source run and paste the output of: sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true)

(we will only investigate if the tests are passing)

Possible fixes

Edited by Sokunrotanak Srey (Rotanak)