
Update RTV and ETV to use subscription ID

Samantha Ming requested to merge 435526-use-subscription-id-for-ai into master

What does this MR do and why?

Update "Resolve this vulnerability" (RTV) and "Explain this vulnerability" (ETV) to use a subscription ID. This ensures each AI feature subscribes and outputs the correct corresponding response.

It fixes a potential bug whereby the "Explain this vulnerability" will display the "Resolve this vulnerability" output of the MR link.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Bug (Before): [image]
Solution (After): [video: etv-does-not-display-ai-mr-link]

From the video, you can see that the drawer does not display the AI-generated MR link. The "Resolve with AI" request did make it through as evidenced by the increased MR count (43 to 44). This is what is expected 👍

How to set up and validate locally

  1. Have the related FF enabled: echo "Feature.enable(:resolve_vulnerability_ai)" | rails c
  2. In order to run a pipeline to generate a Vulnerability report, you'll need an EE license.
  3. Fork https://gitlab.com/gitlab-org/security-products/tests/webgoat.net
  4. Run a pipeline against the default branch. It will generate vulnerabilities.
  5. Go to the project vulnerability report page
  6. Click on the "Explain this vulnerability", and immediately close the drawer
  7. Click on the "Resolve with AI", and immediately click on the "Explain this vulnerability"
  8. The drawer should not display the AI-generated MR link from the "Resolve with AI" action

Note: this bug is quite tricky to reproduce, so apply this patch:

delay-etv.patch

What this patch is doing:

  • Based on my local conditions, it takes on average 7-8 seconds to generate the AI MR.
  • So I added a setTimeout to defer the "Explain this vulnerability" response by 20 seconds.
  • If the bug still exists, the ETV drawer will display the RTV response.
  • If the bug is successfully fixed, the ETV drawer will display the loading status until its own AI response (markdown) is ready.

Related to #435526 (closed)

Edited by Samantha Ming
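The response-mixing bug this MR fixes, and the subscription-ID fix, shown as an added example that is not GitLab's code: a minimal simulation of two AI features (RTV and ETV) listening on one shared response stream for the same vulnerability. The `ResponseStream`, `openDrawer*` and `reproduce` names, the message shape (`resourceId`, `clientSubscriptionId`, `content`), the server echoing the client's subscription ID, and the payloads are all constructed assumptions for the illustration; the ordering follows the MR's reproduction steps (RTV response lands first, ETV response arrives later, as the delay patch forces).

```javascript
// Added example, not code from this MR. Hypothetical names throughout.
// Assumption: every AI completion for a vulnerability is delivered on one shared
// stream, and a drawer subscribes to that stream to render its response.
class ResponseStream {
  constructor() {
    this.handlers = [];
  }
  subscribe(handler) {
    this.handlers.push(handler);
    return () => {
      this.handlers = this.handlers.filter((h) => h !== handler);
    };
  }
  publish(msg) {
    for (const h of [...this.handlers]) h(msg);
  }
}

// Bug (before): the drawer accepts any response for its vulnerability, so the
// ETV drawer renders the RTV output if that arrives while ETV is still pending.
function openDrawerWithoutSubscriptionId(stream, feature, vulnerabilityId) {
  const state = { feature, content: null, loading: true, clientSubscriptionId: undefined };
  const close = stream.subscribe((msg) => {
    if (msg.resourceId !== vulnerabilityId) return;
    state.content = msg.content;
    state.loading = false;
  });
  return { state, close };
}

// Fix (after): each request carries a fresh subscription ID and the drawer only
// renders the response bearing its own ID. A counter stands in for the unique
// ID a real client would generate (assumption).
let nextSubscriptionId = 0;
function openDrawerWithSubscriptionId(stream, feature, vulnerabilityId) {
  const clientSubscriptionId = `sub-${++nextSubscriptionId}`;
  const state = { feature, content: null, loading: true, clientSubscriptionId };
  const close = stream.subscribe((msg) => {
    if (msg.resourceId !== vulnerabilityId) return;
    if (msg.clientSubscriptionId !== clientSubscriptionId) return; // not our request
    state.content = msg.content;
    state.loading = false;
  });
  return { state, close };
}

// Replays the MR's reproduction steps with a given drawer implementation:
// "Resolve with AI" is requested, ETV is opened right after, the RTV response
// (MR link) arrives first and the ETV response (markdown) arrives later.
// Returns snapshots so the difference between bug and fix can be checked.
function reproduce(openDrawer) {
  const stream = new ResponseStream();
  const vulnerabilityId = 'gid://gitlab/Vulnerability/1'; // constructed
  const rtv = openDrawer(stream, 'RTV', vulnerabilityId);
  const etv = openDrawer(stream, 'ETV', vulnerabilityId);

  // Server echoes back the subscription ID the client sent (assumption).
  stream.publish({
    resourceId: vulnerabilityId,
    clientSubscriptionId: rtv.state.clientSubscriptionId,
    content: 'MR link: !44', // constructed payload
  });
  const etvAfterRtv = { ...etv.state };

  stream.publish({
    resourceId: vulnerabilityId,
    clientSubscriptionId: etv.state.clientSubscriptionId,
    content: '## Explanation\n...', // constructed payload
  });
  rtv.close();
  etv.close();
  return { etvAfterRtv, etvFinal: { ...etv.state }, rtvFinal: { ...rtv.state } };
}

// Stand-alone run: with the bug the ETV drawer shows "MR link: !44" while its
// own response is pending; with the fix it keeps loading until its markdown lands.
console.log('before fix:', reproduce(openDrawerWithoutSubscriptionId).etvAfterRtv);
console.log('after fix: ', reproduce(openDrawerWithSubscriptionId).etvAfterRtv);
```

The `etvAfterRtv` snapshot is the observation the delay patch is designed to make visible: with the fix the ETV drawer stays in its loading state until the response carrying its own subscription ID arrives.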
