Include child pipeline scans in MR security widget
What does this MR do and why?
In #386496 (closed) it was reported that findings already detected in the mainline branch on a project are incorrectly reported as new findings if the mainline branch runs security scans in a child pipeline and the MR pipeline scans do not run in a child pipeline.
Although this reported behaviour is a very specific scenario, there is a more general bug where reports generated by child pipelines are not included when the parent pipeline is queried. This MR fixes that issue.
I have added some basic feature specs for the MR security widget as part of this MR as I couldn't find any existing ones.
Screenshots or screen recordings
Before
After
How to set up and validate locally
- Clone the test repository:

```shell
git clone git@gitlab.com:gitlab-org/secure/tests/verify-386496-4.git
```

- Add a new project on your local instance and push the repo above to it:

```shell
git remote rename origin oldorigin
git remote add origin ssh://<gdk_project_url>
git push origin
```

- Allow a couple of minutes for the pipeline to run, then check Security -> Vulnerability Report. You should see 2 vulnerabilities.
- Push the demo MR branch:

```shell
git switch -c non-child-pipeline-branch oldorigin/non-child-pipeline-branch
git push origin non-child-pipeline-branch
```

- Create an MR from the newly created branch.
- Reload the newly created MR page and you should see the MR security widget showing the 2 previously detected vulnerabilities as new.
- Switch to this MR branch in your GDK:

```shell
git switch 386496-include-project-descendent-pipelines-in-mr-security-widget
```

- As the security MR widget uses the reactive cache, clear the Rails cache to ensure you do not see the old result from master:

```shell
rails cache:clear
```
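The following is an added illustration of the bug the reproduction steps above surface; it is not GitLab's code. It models a base (target-branch) pipeline whose scans ran in a child pipeline and shows that comparing the MR pipeline against only the parent's own reports marks already-known findings as new, while including descendant pipelines yields the correct count. Pipeline names, finding identifiers and the report shape are constructed for the example.

```ruby
# Constructed model of pipelines and their security findings (not GitLab's classes).
Finding = Struct.new(:identifier)

class Pipeline
  attr_reader :name, :findings, :child_pipelines

  def initialize(name, findings: [], child_pipelines: [])
    @name = name
    @findings = findings
    @child_pipelines = child_pipelines
  end

  # Behaviour before the fix: only the queried pipeline's own reports are used,
  # so reports produced by child pipelines are silently dropped.
  def findings_without_descendants
    findings
  end

  # Behaviour after the fix: reports from every descendant pipeline are included.
  def findings_with_descendants
    findings + child_pipelines.flat_map(&:findings_with_descendants)
  end
end

# A finding in the MR (head) pipeline is "new" when the base pipeline did not report it.
def new_findings(base_findings, head_findings)
  base_ids = base_findings.map(&:identifier)
  head_findings.reject { |f| base_ids.include?(f.identifier) }
end

# Constructed scenario mirroring the reproduction steps: the target branch
# scanned in a child pipeline and found two vulnerabilities; the MR pipeline
# scans the same code directly and finds the same two.
VULNS = [
  Finding.new("constructed-id-1:app/views/example.html.erb:10"),
  Finding.new("constructed-id-2:app/models/example.rb:42")
]
CHILD = Pipeline.new("child-scan-pipeline", findings: VULNS)
BASE  = Pipeline.new("target-branch-pipeline", child_pipelines: [CHILD])
HEAD  = Pipeline.new("mr-pipeline", findings: VULNS)

# Number of findings the widget would label as new before and after the fix.
def widget_new_counts
  {
    before: new_findings(BASE.findings_without_descendants, HEAD.findings).size, # 2 (wrong)
    after:  new_findings(BASE.findings_with_descendants, HEAD.findings).size     # 0 (correct)
  }
end
```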
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- [ ] I have evaluated the MR acceptance checklist for this MR.
Related to #386496 (closed)