
Simplify can create issue logic in new finding modal

What does this MR do and why?

When using the new pipeline dashboard (pipeline_security_dashboard_graphql is enabled), findings that do not have a related vulnerability (e.g. newly identified findings) do not have the ability to "Create issue". This is because we're not passing the has-create-issue-path prop in mr_widget_security_reports.vue to the modal, and this.finding?.vulnerability?.userPermissions?.createVulnerabilityFeedback is undefined because there is no vulnerability.

Instead of using createVulnerabilityFeedback, which is based on the deprecated VulnerabilityFeedback or create_vulnerability_feedback_issue_path, we can simply use can_admin_vulnerability. This was brought to my attention by @mallocke. He's replacing similar createVulnerabilityFeedback... with the can_admin_vulnerability ability in !143462 (closed).

In this MR we're reusing the injected can_admin_vulnerability, but in a later iteration we can look at switching this to the new frontend ability.

In the longer term, it might be desirable to have an ability/permission separate from can_admin_vulnerability which is more granular with regard to creating an issue. In the context of the modal, this should be on the Finding model because we can't be sure we have a related vulnerability. @subashis is looking into this: Add PipelineSecurityReportingFinding userPermis... (#431569 - closed) • Subashis Chakraborty • 16.10 • On track.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before After
Screenshot_2024-02-02_at_14.31.21 Screenshot_2024-02-02_at_14.36.16

How to set up and validate locally

Prerequisites

  1. You need an EE license
  2. You need to have runners enabled (See $2408961 for setting up a runner)
  3. Import https://gitlab.com/gitlab-examples/security/security-reports
  4. Run pipeline on master
  5. Enable feature flag: echo "Feature.enable(:pipeline_security_dashboard_graphql)" | gdk rails c
  6. Go to latest pipeline > security tab
  7. Click on a finding
  8. The "Create issue" button should be there
Edited by Lorenz van Herwaarden
