
Correctly compute blob URL for Secret Detection

James Liu requested to merge jliu-fix-sd-blob-url into master

What does this MR do and why?

Correctly computes the blob URL linking to the location of a vulnerability finding for analysers which perform scans on historical commits.

The previous logic solely used the latest commit SHA of the pipeline branch. This works fine for analysers which only scan the current state of the repository. This doesn't work for analysers like Secret Detection which can be configured to perform a scan over the full Git history. If this scanner reports a leaked secret on a previous revision of a file, the Vulnerability Report UI needs to link the user to that specific commit, not the most recent commit on the pipeline branch.

See the following issues for more context:

Screenshots or screen recordings

This finding relates to a PGP key I committed at ceb666b7:

[Screenshot: Vulnerability Report finding for badfile-1:1]

and the link to badfile-1:1 is correctly pointing to http://gdk.test:3000/root/testing-398036/-/blob/ceb666b75cf3d4e7c71f5328f02c791849bde6ad/badfile-1#L1 despite the most recent pipeline (which produced that vulnerability finding) having run on commit 1a7ce3b0:

[Screenshot: most recent pipeline, run on commit 1a7ce3b0]

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by James Liu
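As an added illustration of the behaviour this MR describes (example code, not GitLab's implementation): a hypothetical Ruby helper that prefers the finding's own commit SHA over the pipeline SHA when building the blob link, and refuses malformed SHAs and paths, since both values arrive in scanner report artifacts. The helper name, the padded pipeline SHA and the sample findings are constructed for this example.

```ruby
require 'erb'

# Hypothetical helper, not GitLab's own code. Scanners that walk Git history
# (Secret Detection) report the commit in which the secret was introduced;
# scanners that only inspect the checked-out tree report no commit, so the
# pipeline's commit SHA is the fallback.
FULL_SHA = /\A\h{40}\z/.freeze

def blob_url_for_finding(project_url:, pipeline_sha:, finding:)
  sha = finding[:commit_sha] || pipeline_sha
  # Both values come from report artifacts or pipeline metadata; accept only a
  # full hex SHA so a malformed value cannot steer the link somewhere else.
  raise ArgumentError, "invalid commit SHA: #{sha.inspect}" unless FULL_SHA.match?(sha)

  segments = finding.fetch(:file).split('/')
  if segments.empty? || segments.any? { |s| s.empty? || s == '..' }
    raise ArgumentError, "invalid file path: #{finding[:file].inspect}"
  end
  # Encode each segment so '#', '?' or spaces in a filename cannot truncate
  # the path or be confused with the line anchor.
  encoded_path = segments.map { |s| ERB::Util.url_encode(s) }.join('/')

  url = "#{project_url}/-/blob/#{sha}/#{encoded_path}"
  url += "#L#{Integer(finding[:start_line])}" if finding[:start_line]
  url
end

# Constructed sample data. The finding's commit and path mirror the MR's
# screenshot; the pipeline SHA is a placeholder (the page shows only 1a7ce3b0).
PROJECT_URL    = 'http://gdk.test:3000/root/testing-398036'
PIPELINE_SHA   = '1a7ce3b0' + '0' * 32
SECRET_FINDING = { commit_sha: 'ceb666b75cf3d4e7c71f5328f02c791849bde6ad',
                   file: 'badfile-1', start_line: 1 }
TREE_FINDING   = { commit_sha: nil, file: 'src/app config.rb', start_line: 7 }

if __FILE__ == $PROGRAM_NAME
  [SECRET_FINDING, TREE_FINDING].each do |f|
    puts blob_url_for_finding(project_url: PROJECT_URL, pipeline_sha: PIPELINE_SHA, finding: f)
  end
end
```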
