
'Create Jira Issue' button in Merge Request widget doesn't work reliably

Summary

When security scanning features like SAST, Dependency Scanning, Secret Detection, etc. are enabled on a project, and new findings are detected in a merge request pipeline, the findings are listed in the merge request under Security scanning detected X new potential vulnerabilities:

Screenshot_2024-02-14_at_12.46.39_PM

If you have the Jira issue integration enabled, you'll see a Create Jira issue button when you click on one of the findings:

Screenshot_2024-02-14_at_12.47.38_PM

This button is supposed to create a Jira issue by triggering the vulnerabilityExternalIssueLinkCreate GraphQL mutation and then open a new browser window that takes you to the new Jira issue in your linked Jira project, populated with information about the new vulnerability.

Sometimes when clicking the button, nothing happens.

This happens when the finding is newly discovered and has no vulnerability attached to it yet, meaning it has not reached the default branch yet. This is often the case on the MR page.

Cause

When clicking the button, we try to read the vulnerabilityId to pass it as a variable to the vulnerabilityExternalIssueLinkCreate GraphQL mutation (see vulnerability_finding_modal.vue#L464). Because the finding has no related vulnerability, there is no vulnerabilityId and the handler returns early without sending a request or showing an error, so nothing happens.

Steps to reproduce

  1. Create a project on GitLab.com in a group with an Ultimate subscription
  2. Follow the documentation to enable Jira issue integration on the new project
  3. Add the .gitlab-ci.yml file shown below to the main branch
  4. Create branch-b in the UI
  5. Create an empty merge request with branch-b as the source branch and main as the target branch
  6. Add the following files on branch-b:
  7. In the merge request, select the dropdown for Security scanning detected 6 new potential vulnerabilities and select one of the vulnerabilities
  8. Try to click the Create Jira issue button.

.gitlab-ci.yml:

stages:
- test

include:
- template: Jobs/SAST.latest.gitlab-ci.yml
- template: Security/Dependency-Scanning.gitlab-ci.yml
- template: Jobs/Secret-Detection.latest.gitlab-ci.yml

sast:
  stage: test

# override the dependency scanning job
gemnasium-dependency_scanning:
  tags: [ saas-linux-large-amd64 ]
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
    - if: $CI_MERGE_REQUEST_IID

secret_detection:
  variables:
    SECRET_DETECTION_HISTORIC_SCAN: "true"

Example Project

https://gitlab.com/jgaughan_ultimate_group/zd-500218-create-jira-issue-button-4/-/merge_requests/1

What is the current bug behavior?

The Create Jira issue button in the merge request vulnerabilities widget doesn't reliably link to a new Jira issue as expected.

What is the expected correct behavior?

The button works reliably.

Relevant logs and/or screenshots

Output of checks

This bug happens on GitLab.com

Possible fixes

backend

Similar to when we dismiss or create a GitLab issue for a finding, if a related vulnerability does not exist yet, we need to create one on the fly.

E.g.: the SecurityFindingCreateIssue mutation uses the Vulnerabilities::SecurityFinding::CreateIssueService service, which in turn uses the Vulnerabilities::FindOrCreateFromSecurityFindingService service.

We need a mutation (e.g. FindingExternalIssueLinkCreate) which is similar to the VulnerabilityExternalIssueLinkCreate mutation but instead accepts the ID of a SecurityFinding. It will then either find the related vulnerability or create one, after which it can finally create the external issue as is done now for the vulnerability. This way, the frontend can simply use the ID of the newly identified finding to create a Jira issue in the finding modal.

see Create a GraphQL mutation to create Jira issues... (#452002 - closed)

frontend

  1. In vulnerability_finding_modal.vue, make use of the new GraphQL mutation and pass the ID of the finding instead of the vulnerabilityId
  2. Update specs accordingly

Verification steps

  1. Go to https://gitlab.com/gitlab-org/govern/threat-insights-demos/verification-projects/create-jira-issue-from-finding/-/merge_requests/2 – the feature flag is enabled for this project and the MR contains findings without linked vulnerabilities
  2. Make sure to enable "Preserve log" in network tab on devtools. Click on the first security finding and click "Create Jira issue".
  3. Verify it uses the "securityFindingExternalIssueLinkCreate" mutation
  4. Verify it redirects to the created Jira issue. Note: in some cases, this can take more than a minute, see Getting new jira external issue takes more than... (#568900)
Edited by Lorenz van Herwaarden