
Include child pipeline scans in MR security widget

What does this MR do and why?

In #386496 (closed) it was reported that findings already detected in the mainline branch on a project are incorrectly reported as new findings if the mainline branch runs security scans in a child pipeline and the MR pipeline scans do not run in a child pipeline.

Although this reported behaviour is a very specific scenario, there is a more general bug where reports generated by child pipelines are not included when the parent pipeline is queried. This MR fixes that issue.
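As an added illustration of the bug described above (example code written for this page, not code from this MR or from GitLab itself), the Ruby model below compares a report lookup that reads only the queried pipeline with one that also walks its child pipelines; the `Pipeline`, `Finding` and `self_and_descendants` names are constructed for the example and the scenario mirrors the report: mainline scans in a child pipeline, MR scans in the parent.

```ruby
require "set"

# Constructed model: a finding is identified across pipelines by its uuid.
Finding = Struct.new(:uuid, :severity)

class Pipeline
  attr_reader :ref, :findings, :child_pipelines

  def initialize(ref, findings: [], child_pipelines: [])
    @ref = ref
    @findings = findings
    @child_pipelines = child_pipelines
  end

  # The pipeline itself plus every descendant child pipeline, depth first.
  def self_and_descendants
    [self] + child_pipelines.flat_map(&:self_and_descendants)
  end
end

# Buggy lookup: only reports attached to the queried pipeline are seen,
# so findings produced by a child pipeline are silently dropped.
def findings_parent_only(pipeline)
  pipeline.findings
end

# Fixed lookup: reports from the parent and all its child pipelines.
def findings_with_descendants(pipeline)
  pipeline.self_and_descendants.flat_map(&:findings)
end

# The widget flags an MR finding as "new" when its uuid is absent from the base branch.
def new_findings(base_findings, mr_findings)
  known = base_findings.map(&:uuid).to_set
  mr_findings.reject { |f| known.include?(f.uuid) }
end

# Constructed scenario: mainline runs its scans in a child pipeline,
# the MR pipeline runs the same scans directly in the parent pipeline.
SAME_FINDINGS = [Finding.new("uuid-1", "high"), Finding.new("uuid-2", "medium")]
MAINLINE = Pipeline.new("main", child_pipelines: [Pipeline.new("main", findings: SAME_FINDINGS)])
MR_PIPELINE = Pipeline.new("feature", findings: SAME_FINDINGS)

def new_findings_before_fix
  new_findings(findings_parent_only(MAINLINE), findings_with_descendants(MR_PIPELINE)).map(&:uuid)
end

def new_findings_after_fix
  new_findings(findings_with_descendants(MAINLINE), findings_with_descendants(MR_PIPELINE)).map(&:uuid)
end
```

Before the fix both known findings are reported as new because the mainline lookup never reaches the child pipeline's report; after the fix the list is empty.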

I have added some basic feature specs for the MR security widget as part of this MR as I couldn't find any existing ones.

Screenshots or screen recordings

Before

(Screenshot: Screenshot_from_2023-02-28_15-45-46)

After

(Screenshot: Screenshot_from_2023-02-28_15-31-36)

How to set up and validate locally

  1. git clone git@gitlab.com:gitlab-org/secure/tests/verify-386496-4.git
  2. Add a new project on your local instance and push the repo above to it:
       git remote rename origin oldorigin
       git remote add origin ssh://<gdk_project_url>
       git push origin
  3. Allow a couple of minutes for the pipeline to run, then check Security -> Vulnerability Report. You should see 2 vulnerabilities.
  4. Push the demo MR branch:
       git switch -c non-child-pipeline-branch oldorigin/non-child-pipeline-branch
       git push origin non-child-pipeline-branch
  5. Create an MR from the newly created branch.
  6. Reload the newly created MR page and you should see the MR security widget showing the 2 previously detected vulnerabilities as new. (Screenshot: Screenshot_from_2023-02-28_16-24-12)
  7. Switch to this MR branch in your GDK:
       git switch 386496-include-project-descendent-pipelines-in-mr-security-widget
  8. As the security MR widget uses the reactive cache, clear the Rails cache to ensure you do not see the old result from master:
       rails cache:clear
  9. Reload the MR page and you should no longer see the vulnerabilities as new. (Screenshot: Screenshot_from_2023-02-28_16-53-15)

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #386496 (closed)

Edited by Malcolm Locke
