Patrick He (0827c78f) at 30 Jul 17:47
remove duplicate logic
@nmccorrison @rlehmann1 @subashis Subashis let me know that he's away this week, but could I get a review on this MR?
I've tested the changes locally and included the response to the archival export query in the MR.
This MR includes the vulnerability id in the archival vulnerability report csv file to be exported.
This is done by including the Vulnerability ID field in the csv_service mapping.
Query the archival exports:
gitlab % curl -X POST "http://127.0.0.1:3000/api/v4/security/projects/2/vulnerability_archive_exports" \
-H "Content-Type: application/json" \
-H "Private-Token: glpat-xxx" \
-d '{
"start_date": "2025-07-01",
"end_date": "2025-07-01",
"export_format": "csv"
}'
Response:
Tool,Scanner Name,Status,Vulnerability,Details,Severity,CVE,CWE,Other Identifiers,Dismissed At,Dismissed By,Confirmed At,Confirmed By,Resolved At,Resolved By,Detected At,Location,Issues,Merge Requests,Activity,Comments,Full Path,CVSS Vectors,Dismissal Reason,Vulnerability ID
generic,Test Scanner,confirmed,test,testDescription,high,CVE-2025-6982,CWE-676,TEST-697,,,,,,,2025-03-12T13:25:01Z,"{""file""=>""test/example.rb"", ""class""=>""com.gitlab.security_products.tests.App"", ""method""=>""testMethod"", ""end_line""=>124, ""start_line""=>32}",,,false,Test vulnerability for export testing,gitlab-org/gitlab-test/test/example.rb,GitLab=CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N,,541
sast,Test Scanner,confirmed,ECB mode is insecure,Description for vulnerability 545,medium,CVE-2025-2759,CWE-986,TEST-913,,,,,,,2025-03-13T14:34:57Z,"{""file""=>""test/example.rb"", ""class""=>""com.gitlab.security_products.tests.App"", ""method""=>""testMethod"", ""end_line""=>187, ""start_line""=>65}",,,false,Test vulnerability for export testing,gitlab-org/gitlab-test/test/example.rb,GitLab=CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N,,545
sast,Test Scanner,confirmed,ECB mode is insecure,Description for vulnerability 546,medium,CVE-2025-3283,CWE-826,TEST-386,,,,,,,2025-03-13T14:34:57Z,"{""file""=>""test/example.rb"", ""class""=>""com.gitlab.security_products.tests.App"", ""method""=>""testMethod"", ""end_line""=>135, ""start_line""=>69}",,,false,Test vulnerability for export testing,gitlab-org/gitlab-test/test/example.rb,GitLab=CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N,,546
generic,Test Scanner,confirmed,testtest,testing,critical,CVE-2025-2965,CWE-755,TEST-166,,,,,,,2025-04-07T19:18:40Z,"{""file""=>""test/example.rb"", ""class""=>""com.gitlab.security_products.tests.App"", ""method""=>""testMethod"", ""end_line""=>130, ""start_line""=>96}",,,false,Test vulnerability for export testing,gitlab-org/gitlab-test/test/example.rb,GitLab=CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N,,547
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #18033
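The mapping change the description refers to, shown as an added example that is not GitLab's csv_service code: a header-to-extractor hash in the same spirit, with the Vulnerability ID column appended last, as in the export above. The Vulnerability struct, MAPPING, the sample records and the formula-prefix neutralisation for free-text columns are all assumptions for illustration, not statements about the project's implementation.

```ruby
require 'csv'

# Added example, not GitLab's csv_service: a header-to-extractor mapping with
# the Vulnerability ID column appended. The struct, MAPPING, the sample
# records and the formula neutralisation are assumed for illustration.

Vulnerability = Struct.new(:id, :report_type, :scanner_name, :state, :title,
                           :description, :severity, :detected_at, keyword_init: true)

# Column header => how to read that cell from a record. Hash order is CSV order.
MAPPING = {
  'Tool'             => ->(v) { v.report_type },
  'Scanner Name'     => ->(v) { v.scanner_name },
  'Status'           => ->(v) { v.state },
  'Vulnerability'    => ->(v) { v.title },
  'Details'          => ->(v) { v.description },
  'Severity'         => ->(v) { v.severity },
  'Detected At'      => ->(v) { v.detected_at },
  'Vulnerability ID' => ->(v) { v.id }          # the column this MR adds
}.freeze

# Free-text columns come from scanner output. A cell starting with =, +, -, @
# or a control character is evaluated as a formula by spreadsheet software, so
# a leading quote is prepended (assumed hardening, not a claim about the project).
TEXT_COLUMNS = ['Vulnerability', 'Details', 'Scanner Name'].freeze
FORMULA_PREFIXES = ['=', '+', '-', '@', "\t", "\r"].freeze

def neutralize(cell)
  s = cell.to_s
  FORMULA_PREFIXES.include?(s[0]) ? "'#{s}" : s
end

# Builds the CSV text: header row from MAPPING keys, one row per record.
def export_csv(vulnerabilities)
  CSV.generate do |csv|
    csv << MAPPING.keys
    vulnerabilities.each do |v|
      csv << MAPPING.map { |header, extractor|
        value = extractor.call(v)
        TEXT_COLUMNS.include?(header) ? neutralize(value) : value
      }
    end
  end
end

# With the ID column present, consumers can key rows by Vulnerability ID
# instead of by title plus location.
def rows_by_id(csv_text)
  CSV.parse(csv_text, headers: true).to_h { |row| [row['Vulnerability ID'].to_i, row.to_h] }
end

# Constructed sample records echoing the shape of the export in the description.
SAMPLE = [
  Vulnerability.new(id: 545, report_type: 'sast', scanner_name: 'Test Scanner',
                    state: 'confirmed', title: 'ECB mode is insecure',
                    description: 'Description for vulnerability 545',
                    severity: 'medium', detected_at: '2025-03-13T14:34:57Z'),
  Vulnerability.new(id: 546, report_type: 'sast', scanner_name: 'Test Scanner',
                    state: 'confirmed', title: '=HYPERLINK("http://attacker.test")',
                    description: 'Description for vulnerability 546',
                    severity: 'medium', detected_at: '2025-03-13T14:34:57Z')
].freeze

puts export_csv(SAMPLE) if __FILE__ == $PROGRAM_NAME
```

Running the file prints the two-row CSV; the second record's title shows how a formula-looking cell is neutralised while the numeric ID column is left untouched.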
Patrick He (6d4c8df2) at 23 Jul 02:27
Add Vulnerability ID to archival export
@nmccorrison Thanks for offering, but I don't think I have the permissions to do so
@nmccorrison @subashis @minac Sounds good, I reverted some changes so the functionality is only for the main export. Tested it locally and it is working as expected.
Patrick He (60d51126) at 11 Jul 17:18
Revert adding vulnerability id to archival export
... and 2 more commits
If you are not making any change in the file it usually does not check for the formatting.
I added the vulnerability_id field.
@subashis Implemented those changes.
Also, I added the formatting change in ee/app/validators/json_schemas/archived_record_data.json because it was failing a jsonlint test on push. Was this test added recently?
Patrick He (2802f16c) at 09 Jul 19:51
Add vulnerability id to tests
@subashis I noticed that there's an archival vulnerability export, should I include the vulnerability id for this service as well in this MR?
ee/app/services/vulnerabilities/archival/export/exporters/csv_service.rb
Patrick He (74fc1d67) at 08 Jul 22:36
Export helpers update
Patrick He (9562e6ee) at 08 Jul 22:28
Vulnerability id tests
@subashis Sounds good, give me a little for the specs, they're turning out more complicated than I thought.
This MR includes the vulnerability id in the vulnerability report csv file to be exported.
This is done by including the vulnerability_id field in the csv_service mapping.
Before / After (attached images not reproduced here)
Related to #18033
Patrick He (cfda370c) at 08 Jul 19:20
Add vulnerability id to csv export
Patrick He (2080411b) at 05 Jul 14:54
Feature flag milestone update
@subashis This error shows up on the console:
Refused to load http://localhost:3000/rails/letter_opener/1751601825_680453_91fc523/rich
because it does not appear in the frame-src directive of the Content Security Policy.
But I am able to open the letter directly through this link
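To make the "does not appear in the frame-src directive" refusal above concrete, here is an added example (not GitLab's or Rails' code) that evaluates the frame-related part of a Content Security Policy: it walks the frame-src, child-src, default-src fallback and matches a URL against each source expression. The policy string DEV_CSP and the page origins are constructed for the demo and are not the real GitLab policy; the blocked URL is the one from the console error. Path matching in host-sources is left out as a simplification.

```ruby
require 'uri'

# Added example, not GitLab's or Rails' code: a small evaluator for the CSP
# directives that govern frames. DEV_CSP and the origins are constructed for
# the demo; host-source path matching is intentionally omitted.

DEFAULT_PORTS = { 'http' => 80, 'https' => 443 }.freeze
FRAME_FALLBACK = %w[frame-src child-src default-src].freeze

# "default-src 'self'; frame-src 'self' https://x" => { "default-src" => ["'self'"], ... }
def parse_csp(header)
  header.split(';').each_with_object({}) do |directive, policy|
    name, *sources = directive.strip.split(/\s+/)
    policy[name.downcase] = sources unless name.nil? || name.empty?
  end
end

# Browsers consult frame-src, then child-src, then default-src; nil means no
# directive applies and the frame load is permitted.
def frame_sources(policy)
  FRAME_FALLBACK.each { |d| return policy[d] if policy.key?(d) }
  nil
end

def same_origin?(a, b)
  a.scheme == b.scheme && a.host.casecmp?(b.host) && a.port == b.port
end

# scheme-source ("https:") or host-source ([scheme://]host[:port]) with the
# "*." host wildcard and "*" port wildcard.
def host_source_matches?(source, url, page_origin)
  if source.end_with?(':') && !source.include?('/')
    return url.scheme == source.chomp(':')
  end
  scheme, rest = source.include?('://') ? source.split('://', 2) : [nil, source]
  if scheme
    return false unless url.scheme == scheme
  else
    # a scheme-less host-source inherits the page's scheme (https always allowed)
    return false unless url.scheme == page_origin.scheme || url.scheme == 'https'
  end
  host, port = rest.split('/', 2).first.split(':', 2)
  host_ok = if host.start_with?('*.')
              url.host.downcase.end_with?(host[1..].downcase)
            else
              url.host.casecmp?(host)
            end
  return false unless host_ok
  return true if port == '*'
  url.port == (port ? port.to_i : DEFAULT_PORTS[url.scheme])
end

def source_matches?(source, url, page_origin)
  case source
  when "'none'" then false
  when "'self'" then same_origin?(url, page_origin)
  when '*' then true   # any network scheme; sufficient for http/https here
  else host_source_matches?(source, url, page_origin)
  end
end

# True when a page served from page_origin may load url in a frame under header.
def frame_allowed?(header, url_str, page_origin_str)
  url = URI.parse(url_str)
  page_origin = URI.parse(page_origin_str)
  sources = frame_sources(parse_csp(header))
  return true if sources.nil?
  sources.any? { |s| source_matches?(s, url, page_origin) }
end

# Constructed demo policy (not the real GitLab policy) and the URL from the error.
DEV_CSP = "default-src 'self'; script-src 'self' 'nonce-abc'; frame-src 'self' https://www.google.com/recaptcha/"
LETTER_URL = 'http://localhost:3000/rails/letter_opener/1751601825_680453_91fc523/rich'

if __FILE__ == $PROGRAM_NAME
  puts frame_allowed?(DEV_CSP, LETTER_URL, 'http://127.0.0.1:3000')   # host differs from 'self'
  puts frame_allowed?(DEV_CSP, LETTER_URL, 'http://localhost:3000')   # same origin
  puts frame_allowed?("#{DEV_CSP} http://localhost:3000", LETTER_URL, 'http://127.0.0.1:3000')
end
```

The three calls show the usual ways out of this refusal: serve the page from the same origin as the framed URL so 'self' matches, or list the framed origin explicitly in frame-src. Opening the letter URL directly, as the comment above describes, bypasses frame-src entirely because no frame is involved.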
@subashis I can see the emails in the inbox at that link but can't open them.