Fix no author shown when changing state of vulnerability

Lorenz van Herwaarden requested to merge update-author-when-changing-state into master

What does this MR do and why?

This MR correctly sets the author when changing vulnerability state.

Before, 2 bugs arose:

  1. If a vulnerability is in the "Needs triage" state, updating it to another state would just show e.g. "confirmed by" without any author. This is because the confirm mutation (but also the dismiss and resolve mutations) didn't return who did the action, while that is what is used to determine the user from UsersCache.
  2. If the vulnerability was changed to the dismissed, resolved or confirmed state by someone else, and the current user then changed the state to dismissed, resolved or confirmed, it would still show the previous user.
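The two bugs above come down to where the header takes its "changed by" author from. The following is an added illustration, not GitLab's code: it models a state-change mutation response that carries the acting user under a hypothetical `stateChangedBy` field and a small `usersCache` standing in for the UsersCache mentioned above, and contrasts a buggy resolver (author taken from the stale vulnerability record) with a fixed one (author taken from the mutation result). Field and function names are assumptions for the example only.

```javascript
// Added example, not part of the MR. Models why the header showed no author
// (bug 1) or the previous user (bug 2) and how using the mutation result fixes it.

// Constructed stand-in for UsersCache: user id -> user object.
const usersCache = new Map([
  [1, { id: 1, name: 'Administrator' }],
  [2, { id: 2, name: 'Amira Hermann' }],
]);

// Buggy variant: ignores the mutation result and reuses whatever author the
// vulnerability record already had. A "Needs triage" record has none (bug 1);
// a record previously dismissed by someone else keeps that someone (bug 2).
function resolveAuthorBuggy(vulnerability) {
  const previous = vulnerability.stateChangedBy;
  return previous ? usersCache.get(previous.id) ?? previous : null;
}

// Fixed variant: the user returned by the mutation (hypothetical field
// `stateChangedBy`) is the source of truth for who performed the action.
function resolveAuthorFixed(vulnerability, mutationResult) {
  const actor = mutationResult?.vulnerability?.stateChangedBy;
  if (!actor) return null;
  return usersCache.get(actor.id) ?? actor;
}

// Applies the new state and the resolved author to a copy of the record.
function applyStateChange(vulnerability, mutationResult, resolver) {
  return {
    ...vulnerability,
    state: mutationResult.vulnerability.state,
    stateChangedBy: resolver(vulnerability, mutationResult),
  };
}

// Renders the header line, e.g. "confirmed by Administrator".
function headerText(vulnerability) {
  const author = vulnerability.stateChangedBy;
  return `${vulnerability.state} by ${author ? author.name : '(no author)'}`;
}

// Constructed sample data mirroring the validation steps in this MR.
const needsTriage = { id: 10, state: 'needs_triage', stateChangedBy: null };
const confirmByAdmin = {
  vulnerability: { id: 10, state: 'confirmed', stateChangedBy: { id: 1, name: 'Administrator' } },
};
const dismissedByAdmin = { id: 10, state: 'dismissed', stateChangedBy: { id: 1, name: 'Administrator' } };
const resolveByAmira = {
  vulnerability: { id: 10, state: 'resolved', stateChangedBy: { id: 2, name: 'Amira Hermann' } },
};

console.log(headerText(applyStateChange(needsTriage, confirmByAdmin, resolveAuthorBuggy)));
console.log(headerText(applyStateChange(needsTriage, confirmByAdmin, resolveAuthorFixed)));
console.log(headerText(applyStateChange(dismissedByAdmin, resolveByAmira, resolveAuthorBuggy)));
console.log(headerText(applyStateChange(dismissedByAdmin, resolveByAmira, resolveAuthorFixed)));
```

The point for reviewers is that the author shown in the header is an audit signal (who confirmed, dismissed or resolved a finding), so it must come from the server's answer to the state change, not from whatever the client cached before the change.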

Screenshots or screen recordings

This recording shows a summary of how the author is properly set (impersonation is used to test another user making a state change).

(screen recording: changed-by)

How to set up and validate locally

You'll need an EE license and runners set up.

  1. Import the security-reports project.
  2. Run a pipeline on the master branch.
  3. Go to any vulnerability in the vulnerability report that has the "Needs triage" status.
  4. Change the status to any other status -> verify that the header renders "confirmed/dismissed/resolved by Administrator" (or your local account name).
  5. Go to the security-reports project members page (/root/security-reports/-/project_members) and add "Amira Hermann" as a member of the project.
  6. Go to /admin/users and click on Amira Hermann.
  7. Click "Impersonate".
  8. Go to the same vulnerability you changed before.
  9. Change the status of that vulnerability to dismissed/confirmed/resolved and verify that the header now renders "confirmed/dismissed/resolved by Amira Hermann".

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Closes #390068 (closed)

Edited by Lorenz van Herwaarden