Fix vulnerability status bulk updates

What does this MR do and why?

Recently, due to these 2 MRs:

  1. Fix no author shown when changing state of vuln... (!114569 - merged) • Lorenz van Herwaarden • 15.10
  2. Add dismissal reason to vulnerability state dro... (!116287 - merged) • Lorenz van Herwaarden • 15.11

the size of the vulnerability status mutations increased significantly. This caused the following bug where bulk updating vulnerability statuses can fail.

When changing the status in bulk, the GraphQL mutations get batched per 10. Because the mutation payload has increased recently, we're above the limit of 10.000 characters for GraphQL queries/mutations.

This MR does the following to reduce the payload:

  • of fields that were added in the aforementioned MRs, remove the ones that aren't used
  • do not use a fragment for the last state transition as this increases the character count too

Relates to #405254 (closed)

How to set up and validate locally

Run tests

yarn jest ee/spec/frontend/vulnerabilities/vulnerability_state_dropdown_spec.js
yarn jest ee/spec/frontend/vulnerabilities/vulnerability_state_dropdown_deprecated_spec.js
yarn jest ee/spec/frontend/vulnerabilities/header_spec.js
yarn jest ee/spec/frontend/security_dashboard/components/shared/vulnerability_report/selection_summary_spec.js

Changing status

Prerequisites

  1. You'll need an EE license
  2. You'll need to have runners enabled (See $2408961 for setting up a runner)
  3. Import https://gitlab.com/gitlab-examples/security/security-reports
  4. Run a pipeline on master
  5. Either impersonate a normal account or fake the authenticated request query complexity limit by modifying ADMIN_MAX_COMPLEXITY in app/graphql/gitlab_schema.rb to 250 instead of 300.

Changing status of vulnerability from detail page works

  1. Go to any vulnerability detail page via the Vulnerability Report of security-reports project
  2. Change the status via the status dropdown and validate that it works as expected (update status, shows status in header, updates selected status in dropdown)

Changing status of vulnerabilities in bulk

  1. Go to the Vulnerability report of security-reports project
  2. Select many vulnerabilities (> 10) and change status
  3. Validate that their status is effectively changed and a toast message appears

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Lorenz van Herwaarden
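
The size problem described above can be checked before a batch is sent. The following is an added example, not code from this merge request or from GitLab: it measures a selection written with a single-use fragment against the same selection inlined, and packs documents into batches that respect both the batch size of 10 and the 10.000 character limit. The operation, type and field names are hypothetical, and it assumes the limit applies to the summed query strings of one batch.

```javascript
// Added illustration; operation, type and field names are hypothetical.
const MAX_QUERY_CHARS = 10000; // character limit quoted in the description
const MAX_BATCH = 10;          // mutations per batch quoted in the description

// One selection written with a single-use fragment...
const withFragment = (id) => `mutation {
  setStatus(input: { id: "${id}" }) {
    item { id state transitions(last: 1) { nodes { ...Transition } } }
  }
}
fragment Transition on Transition { author { id name } comment dismissalReason }`;

// ...and the same selection inlined, which drops the fragment definition.
const inlined = (id) => `mutation {
  setStatus(input: { id: "${id}" }) {
    item { id state transitions(last: 1) { nodes { author { id name } comment dismissalReason } } }
  }
}`;

// Assumption: the limit is checked against the summed query strings of a batch.
function batchChars(docs) {
  return docs.reduce((total, doc) => total + doc.length, 0);
}

// Greedy packing: close a batch when it is full or the next document
// would push it over the character limit.
function packBatches(docs, limit = MAX_QUERY_CHARS, maxBatch = MAX_BATCH) {
  const batches = [];
  let current = [];
  for (const doc of docs) {
    if (doc.length > limit) {
      throw new RangeError(`document of ${doc.length} chars exceeds ${limit}`);
    }
    if (current.length === maxBatch || batchChars(current) + doc.length > limit) {
      batches.push(current);
      current = [];
    }
    current.push(doc);
  }
  if (current.length > 0) batches.push(current);
  return batches;
}

// Constructed input: 12 selected items, as in a bulk status change.
const ids = Array.from({ length: 12 }, (_, i) => `item/${i + 1}`);
console.log(batchChars(ids.map(withFragment)), batchChars(ids.map(inlined)));
console.log(packBatches(ids.map(inlined)).map((batch) => batch.length));
```

A unit test that asserts `batchChars` of a full batch stays under the limit would catch the next payload increase before it reaches users.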