Loading error in MR when security scan not configured in target branch
Summary
On the merge request page, the Security widget shows a loading error when a security report is missing for the source branch, even when the report is also missing for the target branch because the corresponding scan is NOT configured in either branch. The "errors when loading results" message is misleading, because there is nothing to load. There is probably no need to warn the contributor submitting the MR at all, since the scan (SAST, for example) is not configured in the target branch.
If the target branch is the default branch (like master), then the maintainers should be the ones notified that the scan is not configured, not the contributors submitting MRs.
Steps to reproduce
- create a project where Dependency Scanning is configured, but SAST is not
- create a dummy MR for this project, where the CI configuration is unchanged
- inspect the Security widget, in the MR page
Example Project
gitlab-org/security-products/tests/java-maven!41 (closed)
What is the current bug behavior?
The expanded Security widget shows SAST: Loading resulted in an error:
Security scanning (errors when loading results) detected no vulnerabilities for the source branch only
SAST: Loading resulted in an error
Dependency scanning detected no new vulnerabilities
Container scanning detected no new vulnerabilities
DAST: Loading resulted in an error
What is the expected correct behavior?
Since SAST is not configured in the master branch (the target branch of the MR), there should be NO loading error for SAST.
If SAST were configured in the target branch and the source branch still produced no report, a configuration error should be shown instead.
Relevant logs and/or screenshots
Possible fixes
In a first iteration, don't report an error if the missing security report is also missing in the target branch.
Then, if/when technically possible, distinguish between a misconfiguration error (no scanning job in the pipeline) and a loading error (the scanning job ran but produced no report, or the report could not be fetched).
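As an added illustration of the two iterations above (example code written for this issue, not GitLab's widget code; the branch/pipeline object shape, function names and status strings are assumptions), the following JavaScript decides what one row of the Security widget should show. `statusFromReports` only knows whether a report exists on each branch, which is the first iteration; `statusFromJobs` also knows whether the scanning job was in the pipeline, which is what the second iteration needs to tell "not configured" apart from "job ran but emitted no report". Rows whose scan is configured on neither branch are dropped instead of rendered as errors.

```javascript
// Added example, not GitLab's own code. Status logic for one row of the MR
// Security widget; all names and the pipeline object shape are assumptions.

const ScanStatus = Object.freeze({
  NOT_CONFIGURED: 'not_configured', // no scanning job in target or source
  MISCONFIGURED: 'misconfigured',   // a scanning job exists but produced no report
  LOADING_ERROR: 'loading_error',   // a report exists but could not be fetched/parsed
  SUCCESS: 'success',
});

// Assumed shape of each branch's head pipeline, for one scan type:
//   { jobPresent: boolean, report: { vulnerabilities: [...] } | null, fetchFailed: boolean }

// First iteration from the issue: only report presence is known.
function statusFromReports(source, target) {
  if (source.fetchFailed || target.fetchFailed) return ScanStatus.LOADING_ERROR;
  if (source.report) return ScanStatus.SUCCESS;
  // Report missing on the source branch. If the target branch has none either,
  // there was never anything to load, so stay silent instead of erroring.
  if (!target.report) return ScanStatus.NOT_CONFIGURED;
  // Target produced a report but the MR branch did not: that is a broken
  // configuration on the source branch, not a loading problem.
  return ScanStatus.MISCONFIGURED;
}

// Second iteration: the pipeline's job list is available, so a missing job
// (not configured) can be told apart from a job that emitted no report.
function statusFromJobs(source, target) {
  if (source.fetchFailed || target.fetchFailed) return ScanStatus.LOADING_ERROR;
  if (source.report) return ScanStatus.SUCCESS;
  if (!source.jobPresent && !target.jobPresent) return ScanStatus.NOT_CONFIGURED;
  return ScanStatus.MISCONFIGURED;
}

// Text for one widget row; NOT_CONFIGURED rows return null and are omitted.
function widgetLine(name, source, target) {
  switch (statusFromJobs(source, target)) {
    case ScanStatus.NOT_CONFIGURED:
      return null;
    case ScanStatus.MISCONFIGURED:
      return `${name}: scanning job produced no report (check the CI configuration)`;
    case ScanStatus.LOADING_ERROR:
      return `${name}: Loading resulted in an error`;
    default: {
      const n = source.report.vulnerabilities.length;
      return `${name} detected ${n === 0 ? 'no' : n} vulnerabilit${n === 1 ? 'y' : 'ies'}`;
    }
  }
}

function widgetLines(scans) {
  return scans
    .map(({ name, source, target }) => widgetLine(name, source, target))
    .filter((line) => line !== null);
}

// Constructed sample mirroring the issue: Dependency Scanning configured on both
// branches, SAST and DAST on neither, and (to show the misconfiguration case)
// Container Scanning configured only on the target branch.
const pipeline = (jobPresent, report, fetchFailed = false) => ({ jobPresent, report, fetchFailed });
const emptyReport = { vulnerabilities: [] };

const SAMPLE_SCANS = [
  { name: 'SAST', source: pipeline(false, null), target: pipeline(false, null) },
  { name: 'Dependency scanning', source: pipeline(true, emptyReport), target: pipeline(true, emptyReport) },
  { name: 'Container scanning', source: pipeline(false, null), target: pipeline(true, emptyReport) },
  { name: 'DAST', source: pipeline(false, null), target: pipeline(false, null) },
];

// With this sample the SAST and DAST rows disappear entirely instead of
// showing "Loading resulted in an error".
console.log(widgetLines(SAMPLE_SCANS).join('\n'));
```

A genuine loading failure (`fetchFailed`) still wins over every other state in both functions, so a report that exists but cannot be downloaded is never silently hidden behind "not configured".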
