
Provide and edit dismissal reason in finding modal

What does this MR do and why?

Relates to #412841 (closed)

This MR changes the way you dismiss a finding in the vulnerability finding modal by adding a required step: providing a dismissal reason. Instead of either simply dismissing or dismissing with a comment (split button), you can now only select "Dismiss", which brings up a dismissal reason dropdown (required) and a comment textarea. Editing the dismissal (reason or comment) works the same way.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before                                 | After
---------------------------------------|--------------------------------------
before-dismiss-button                  | after-dismiss-button
2-before-dismiss-section               | 2-after-dismiss-section
3-before-edit-section                  | 3-after-edit-section
4-before-edit-pencil                   | 4-after-edit-pencil
5-before-dismissed-without-comment     | 5-after-dismissed-without-comment

Validation required dismissal reason

after-required-dismissal

How to set up and validate locally

Prerequisites

  1. You need an EE license
  2. You need to have runners enabled (See $2408961 for setting up a runner)
  3. Import https://gitlab.com/gitlab-examples/security/security-reports
  4. Run a pipeline on master

Validation

  1. Go to a pipeline security tab, for example: http://gdk.test:3000/root/security-reports/-/pipelines/1/security?severity=LOW
  2. Select the "More info" info icon of a non-dismissed finding
  3. Validate that the footer of the modal contains a "Dismiss vulnerability" button
  4. Validate that after selecting that button, it shows an event item with Administrator and username @root, followed by an "edit" section where you can choose the dismissal reason and enter a comment
  5. Validate that if you provide no reason and you select "Confirm dismissal", it does not dismiss and instead shows an error message under the dismissal reason listbox
  6. Now provide a dismissal reason (no comment yet) and select "Confirm dismissal"
  7. Validate the modal closes
  8. Open the same finding modal again
  9. Validate that the event item shows "Dismissed", followed by the reason you provided
  10. Select the "Edit dismissal" pencil icon button
  11. Validate the dismissal reason is pre-filled now
  12. Now enter a comment this time
  13. Select "Confirm dismissal"
  14. Validate the modal closes, now open it again
  15. Validate that the comment is shown below the event item from before. It also shows two icon buttons: "Edit dismissal" and "Remove comment".
  16. Validate that selecting "Edit dismissal" opens the edit section
  17. Validate that selecting "Cancel" closes the editing section
  18. Select "Undo dismiss"
  19. Validate that it closes the modal and the finding is now in Detected state again.

Note: when editing the dismissal in step 10 above, it should also be possible to change the dismissal reason. The UI does not block this, so you can go ahead and change it, but the backend does not persist this change at the moment. This is an open bug: Make securityFindingDismiss mutation idempotent (#411210 - closed).

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Lorenz van Herwaarden
