
Provide instructions for expired results in finding modal

Lorenz van Herwaarden requested to merge help-message-no-finding into master

What does this MR do and why?

During the rollout of the standalone_finding_modal_merge_request_widget feature flag, I noticed a bug which affects the new finding modal in context of the "MR security widget" when the pipeline has expired.

Summary of bug

For older MRs where the pipeline has expired there is a discrepancy. Findings are still shown in the "MR security widget" because it reads the report artifacts, while the GraphQL API (which the new modal uses) reads the database records. Due to the retention policy the finding no longer exists in the database records, but the report artifacts still exist. The finding is therefore still shown in the "MR security widget", but when the new modal opens after clicking the finding, an error message is shown because the GraphQL API does not find the finding. The old modal worked because it does not use the GraphQL API.

Once "Use security_findings for security MR widget re..." (#390185, assigned to Michael Becker, milestone 17.3, at risk) is implemented, this discrepancy will be resolved and we can remove this specific warning alert.
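The discrepancy described above, modelled as an added JavaScript example (not GitLab's code; the findings, the query stand-in and the state names are constructed): the widget's list comes from the report artifacts, the modal's lookup goes through a database-backed query, and the modal chooses between an error, an "expired results" warning without footer actions, and the normal view.

```javascript
// Added example, not GitLab's code. Models the mismatch between the
// artifact-backed MR security widget and the database-backed finding lookup
// used by the standalone finding modal. All data below is constructed.

// Constructed: findings parsed from the pipeline's report artifacts. These
// survive even after the retention policy has purged the database records.
const ARTIFACT_FINDINGS = [
  { uuid: 'finding-1', name: 'Outdated dependency' },
  { uuid: 'finding-2', name: 'Hardcoded secret' },
];

// Constructed: database records still visible to the GraphQL API. finding-2
// has been purged, so looking it up succeeds but yields no record.
const DB_FINDINGS = new Map([
  ['finding-1', { uuid: 'finding-1', name: 'Outdated dependency', state: 'detected' }],
]);

// Synchronous stand-in for the GraphQL query: returns { finding, errors }.
// A null finding with no errors is a valid "not found" answer, not a failure.
function queryFindingByUuid(uuid) {
  return { finding: DB_FINDINGS.has(uuid) ? DB_FINDINGS.get(uuid) : null, errors: [] };
}

// Decide what the modal renders from the lookup result:
//   'error'   - the query itself failed: show the error alert
//   'expired' - query succeeded but no record exists: the pipeline results
//               expired, so show the warning alert and hide footer actions
//   'ready'   - record found: render the finding with its action buttons
function resolveModalState({ finding, errors }) {
  if (errors.length > 0) {
    return { status: 'error', showFooterActions: false, finding: null };
  }
  if (finding === null) {
    return { status: 'expired', showFooterActions: false, finding: null };
  }
  return { status: 'ready', showFooterActions: true, finding };
}

// Open the modal for a finding the user selected in the widget.
function openFindingModal(widgetFinding) {
  return resolveModalState(queryFindingByUuid(widgetFinding.uuid));
}

// Walk the widget's artifact-backed list: finding-1 is 'ready', finding-2 is
// 'expired' because its database record is gone.
function modalStatesForWidget() {
  return ARTIFACT_FINDINGS.map((f) => openFindingModal(f).status);
}
```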

Example error

Visit https://staging.gitlab.com/govern-team-test/vulnerabilities-feedback-tests/security-reports/-/merge_requests/3 (the feature flag is enabled only on staging), expand the MR Security widget and select one of the findings. You can see that the new modal shows the error. You might also see a console error; this is semi-related but happens in mr_widget_security_reports.vue. It is also related to the fact that no finding is found. I'll look into that in a follow-up.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before / After (screenshots)

How to set up and validate locally

Prerequisites

  1. You need an EE license
  2. You need to have runners enabled (See $2408961 for setting up a runner)

Validate

  1. Enable feature flag: echo "Feature.enable(:standalone_finding_modal_merge_request_widget)" | gdk rails c
  2. Import https://gitlab.com/gitlab-examples/security/security-reports (even if you already have one, import a new one)
  3. Do not run the pipeline on master yet
  4. In the .gitlab-ci.yml file, comment out lines 3 and 4 so Dependency-Scanning does not run. Commit the change to main directly without an MR.
  5. Wait until the pipeline is finished
  6. In the .gitlab-ci.yml file, uncomment lines 3 and 4. Commit to a new branch and open an MR.
  7. In the MR, expand the "MR security widget".
  8. Select a finding.
  9. I haven't succeeded in properly expiring the pipeline report (while still allowing the report artifacts to exist), so I suggest mocking the response of a null finding
  10. In Vue devtools, find the StandaloneFindingModal component. Look for the finding data, edit it, and set it to null.
  11. Validate that the new "no finding" warning alert is shown and no footer action buttons are shown.
Edited by Lorenz van Herwaarden
