Customize Jira Issues for Finding Modal
Overview
The vulnerability details page currently supports the Customize Jira issue setting. When enabled, users are redirected to the Jira issue creation form, pre-filled with vulnerability details. There they can still edit the Jira issue before creating it themselves. This was the default behavior prior to 17.5. When the setting is disabled (default setting), a Jira issue is created in the background.
Problem
This setting is not currently supported in the finding modal, as we never implemented the legacy workflow there.
The redirect URL is constructed on the backend and is vulnerability/finding-specific since it contains the relevant data. On the vulnerability details page, this URL can easily be passed as server-rendered data. However, on the MR page (or pipeline security tab) where the finding modal appears, this approach is less ideal since we would need to pass URLs for all findings.
Proposed Solution
Create a new mutation for security findings that is used when customize_jira_issue_enabled is true. This mutation will create a vulnerability if there is no associated vulnerability yet and return jira_issue_form_url, which holds the URL to the Jira issue creation form pre-filled with the data of that vulnerability/finding. We need an associated vulnerability so that the Jira issue can link back to the vulnerability.
Feature flag
Guard frontend use of the new mutation behind the feature flag finding_create_jira_issue_form_url.
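The resolve step of the proposed mutation, as an added plain-Ruby model that is not GitLab's code: it reuses or creates the vulnerability linked to a finding, then builds the pre-filled Jira form URL with a link back to that vulnerability. The in-memory store, the classic `/secure/CreateIssueDetails!init.jspa` form endpoint, the `/-/security/vulnerabilities/<id>` path and all ids and hosts are assumptions.

```ruby
require 'uri'

# Added example, not GitLab's code: a plain-Ruby model of the proposed
# finding mutation. Assumptions: an in-memory hash stands in for the
# vulnerabilities table, the Jira form is the classic
# /secure/CreateIssueDetails!init.jspa endpoint, and all ids/hosts are
# constructed sample values.
class FindingJiraIssueForm
  Finding = Struct.new(:uuid, :name, :severity, :description, :vulnerability_id, keyword_init: true)
  Vulnerability = Struct.new(:id, :finding_uuid, :title, keyword_init: true)

  attr_reader :vulnerabilities

  def initialize(gitlab_project_url:, jira_url:, jira_project_id:, jira_issue_type_id:)
    @gitlab_project_url = gitlab_project_url
    @jira_url = jira_url
    @jira_project_id = jira_project_id
    @jira_issue_type_id = jira_issue_type_id
    @vulnerabilities = {} # id => Vulnerability
  end

  # The mutation's resolve step: ensure the finding has a vulnerability
  # (creating one on first use) and return the pre-filled form URL.
  def resolve(finding)
    vulnerability = find_or_create_vulnerability(finding)
    { vulnerability_id: vulnerability.id,
      jira_issue_form_url: jira_issue_form_url(finding, vulnerability) }
  end

  private

  # Idempotent: a second call for the same finding reuses the linked record.
  def find_or_create_vulnerability(finding)
    return @vulnerabilities.fetch(finding.vulnerability_id) if finding.vulnerability_id

    vulnerability = Vulnerability.new(id: @vulnerabilities.size + 1, finding_uuid: finding.uuid, title: finding.name)
    @vulnerabilities[vulnerability.id] = vulnerability
    finding.vulnerability_id = vulnerability.id # persist the link on the finding
    vulnerability
  end

  # Finding names and descriptions come from scanner output, so every value is
  # form-encoded; a raw "&" or "=" in a title must not become a new parameter.
  def jira_issue_form_url(finding, vulnerability)
    link = "#{@gitlab_project_url}/-/security/vulnerabilities/#{vulnerability.id}"
    description = "#{finding.description}\n\nSeverity: #{finding.severity}\nGitLab vulnerability: #{link}"
    query = URI.encode_www_form(pid: @jira_project_id, issuetype: @jira_issue_type_id,
                                summary: finding.name, description: description)
    "#{@jira_url}/secure/CreateIssueDetails!init.jspa?#{query}"
  end
end
```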
Implementation Details
Verification steps
- Go to https://gitlab.com/gitlab-org/govern/threat-insights-demos/verification-projects/create-jira-issue-from-finding/-/merge_requests/4
- Expand the security widget
- Click on a finding (not the first one, which already has a linked Jira issue that I created)
- Click "Create Jira issue"
- Verify it redirects to the Jira issue creation form, with details of the finding added
- Add report and create issue
- On the Jira issue, click on the link to the vulnerability
- Verify this goes back to the GitLab vulnerability details page of the finding (an associated vulnerability was created)