Fix rendering vulnerability markdown description

Changelog: fixed
EE: true

ee/app/graphql/types/vulnerability_type.rb

@@ -147,6 +147,10 @@ module Types
       object.description || object.finding_description
     end
 
+    def description_html_resolver
+      ::MarkupHelper.markdown(description, context.to_h.dup)
+    end
+
     def project
       Gitlab::Graphql::Loaders::BatchModelLoader.new(Project, object.project_id).find
     end

ee/app/helpers/vulnerabilities_helper.rb

@@ -73,7 +73,7 @@ module VulnerabilitiesHelper
   def vulnerability_finding_data(vulnerability)
     data = Vulnerabilities::FindingSerializer.new(current_user: current_user).represent(vulnerability.finding, only: FINDING_FIELDS)
     data[:location].merge!('blob_path' => vulnerability.blob_path).compact!
-    data[:description_html] = markdown_field(vulnerability, :description)
+    data[:description_html] = markdown(vulnerability.present.description)
     data
   end
 

ee/app/models/ee/vulnerability.rb

@@ -129,7 +129,7 @@ module EE
         joins(:findings).merge(Vulnerabilities::Finding.by_location_cluster_agent(agent_ids))
       end
 
-      delegate :scanner_name, :scanner_external_id, :scanner_id, :metadata, :message, :description, :details, :uuid,
+      delegate :scanner_name, :scanner_external_id, :scanner_id, :metadata, :message, :description, :description_html, :details, :uuid,
                to: :finding, prefix: true, allow_nil: true
 
       delegate :default_branch, :name, to: :project, prefix: true, allow_nil: true

ee/spec/helpers/vulnerabilities_helper_spec.rb

@@ -352,6 +352,34 @@ RSpec.describe VulnerabilitiesHelper do
         expect(dismissal_feedback[:comment_details][:comment]).to eq(feedback.comment)
       end
     end
+
+    context 'with markdown field for description' do
+      context 'when vulnerability has no description and finding has description' do
+        before do
+          vulnerability.description = nil
+          vulnerability.finding.description = '# Finding'
+        end
+
+        it 'returns finding information' do
+          rendered_markdown = '<h1 data-sourcepos="1:1-1:9" dir="auto">&#x000A;<a id="user-content-finding" class="anchor" href="#finding" aria-hidden="true"></a>Finding</h1>'
+
+          expect(subject[:description_html]).to eq(rendered_markdown)
+        end
+      end
+
+      context 'when vulnerability has description and finding has description' do
+        before do
+          vulnerability.description = '# Vulnerability'
+          vulnerability.finding.description = '# Finding'
+        end
+
+        it 'returns finding information' do
+          rendered_markdown = '<h1 data-sourcepos="1:1-1:15" dir="auto">&#x000A;<a id="user-content-vulnerability" class="anchor" href="#vulnerability" aria-hidden="true"></a>Vulnerability</h1>'
+
+          expect(subject[:description_html]).to eq(rendered_markdown)
+        end
+      end
+    end
   end
 
   describe '#vulnerability_scan_data?' do

ee/spec/models/ee/vulnerability_spec.rb

@@ -710,6 +710,8 @@ RSpec.describe Vulnerability do
 
   describe 'delegations' do
     it { is_expected.to delegate_method(:scanner_name).to(:finding).with_prefix.allow_nil }
+    it { is_expected.to delegate_method(:description).to(:finding).with_prefix.allow_nil }
+    it { is_expected.to delegate_method(:description_html).to(:finding).with_prefix.allow_nil }
     it { is_expected.to delegate_method(:metadata).to(:finding).with_prefix.allow_nil }
     it { is_expected.to delegate_method(:message).to(:finding).with_prefix.allow_nil }
     it { is_expected.to delegate_method(:cve_value).to(:finding).allow_nil }

ee/spec/requests/api/graphql/vulnerabilities/description_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'Query.vulnerabilities.description' do
+  include GraphqlHelpers
+
+  let_it_be(:project) { create(:project) }
+  let_it_be(:user) { create(:user, security_dashboard_projects: [project]) }
+
+  let_it_be(:fields) do
+    <<~QUERY
+      description
+      descriptionHtml
+    QUERY
+  end
+
+  let_it_be(:query) do
+    graphql_query_for('vulnerabilities', {}, query_graphql_field('nodes', {}, fields))
+  end
+
+  let(:vulnerability_description) { nil }
+  let(:finding_description) { nil }
+
+  let!(:vulnerability) { create(:vulnerability, description: vulnerability_description, project: project, report_type: :container_scanning) }
+
+  let!(:finding) do
+    create(
+      :vulnerabilities_finding,
+      description: finding_description,
+      vulnerability: vulnerability
+    )
+  end
+
+  subject { graphql_data.dig('vulnerabilities', 'nodes') }
+
+  before do
+    project.add_developer(user)
+    stub_licensed_features(security_dashboard: true)
+
+    post_graphql(query, current_user: user)
+  end
+
+  context 'when vulnerability has no description and finding has description' do
+    let(:vulnerability_description) { nil }
+    let(:finding_description) { '# Finding' }
+
+    it 'returns finding information' do
+      rendered_markdown = '<h1 data-sourcepos="1:1-1:9" dir="auto">&#x000A;<a id="user-content-finding" class="anchor" href="#finding" aria-hidden="true"></a>Finding</h1>'
+
+      expect(subject.first['description']).to eq('# Finding')
+      expect(subject.first['descriptionHtml']).to eq(rendered_markdown)
+    end
+  end
+
+  context 'when vulnerability has description and finding has description' do
+    let(:vulnerability_description) { '# Vulnerability' }
+    let(:finding_description) { '# Finding' }
+
+    it 'returns finding information' do
+      rendered_markdown = '<h1 data-sourcepos="1:1-1:15" dir="auto">&#x000A;<a id="user-content-vulnerability" class="anchor" href="#vulnerability" aria-hidden="true"></a>Vulnerability</h1>'
+
+      expect(subject.first['description']).to eq('# Vulnerability')
+      expect(subject.first['descriptionHtml']).to eq(rendered_markdown)
+    end
+  end
+end