Sort security content by cvss score, but make issues where CVE exists higher than those where it doesn't
Overview
We currently sort issues in the security blog post by cvss_base_score: https://gitlab.com/gitlab-org/release-tools/-/blob/d87204ff8b905ab211c9b98bb589f4764352f362/lib/release_tools/patch_release/blog_merge_request.rb#L94
If for some reason there is no `cves_issue`, we simply assign `0` as the score so it ends up at the bottom. We had a situation where an issue was assigned a CVE, but had a real score of `0.0`, so it ended up in the middle of the issues that had no CVE since the `0` issues had no guaranteed order.
We'd like the issue with the real `0.0` score to show up as higher than the ones with no CVE issue. The simplest way to do this is to just update so we assign a negative number when there is no CVE:

```ruby
def sorted_security_content
  security_content
    # An issue without a CVE gets -1, so it always sorts below a real 0.0 score
    .sort_by { |issue| issue.cves_issue&.cvss_base_score || -1 }
    .reverse
end
```
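To show the effect of the change, here is an added example (not release-tools' own code) that runs both the current `|| 0` key and the proposed `|| -1` key over a constructed list of issues. The `CvesIssue` and `SecurityIssue` structs are assumed stand-ins for the real issue objects, keeping only the `cves_issue` and `cvss_base_score` attributes the sort needs.

```ruby
# Added example, not code from release-tools: models the proposed sort_by change
# on a constructed list of security issues and shows why -1 beats 0 as the
# "no CVE" placeholder.

# Stand-ins for the release-tools issue objects (assumed shape: an issue has a
# title and an optional cves_issue carrying cvss_base_score).
CvesIssue = Struct.new(:cvss_base_score)
SecurityIssue = Struct.new(:title, :cves_issue)

# Constructed sample data: two issues with CVEs (one scored 0.0) and two without.
SAMPLE_ISSUES = [
  SecurityIssue.new('XSS in wiki', CvesIssue.new(7.5)),
  SecurityIssue.new('No CVE requested (a)', nil),
  SecurityIssue.new('Info disclosure, scored 0.0', CvesIssue.new(0.0)),
  SecurityIssue.new('No CVE requested (b)', nil),
].freeze

# Current behaviour: a missing CVE falls back to 0, colliding with a real 0.0.
def old_sort_key(issue)
  issue.cves_issue&.cvss_base_score || 0
end

# Proposed behaviour: a missing CVE falls back to -1, below any real score.
def new_sort_key(issue)
  issue.cves_issue&.cvss_base_score || -1
end

# The proposed sorted_security_content, parameterised on the key so both
# variants can be compared. Highest score first, as in the blog post.
def sorted_security_content(issues, key: :new_sort_key)
  issues.sort_by { |issue| send(key, issue) }.reverse
end

# Titles in blog-post order, using the proposed key.
def sorted_titles(issues = SAMPLE_ISSUES)
  sorted_security_content(issues).map(&:title)
end

# True if any issue that has a CVE shares a sort key with a no-CVE issue,
# i.e. their relative order is left to chance.
def cve_ties_with_no_cve?(issues, key)
  with_cve, without_cve = issues.partition(&:cves_issue)
  no_cve_keys = without_cve.map { |i| send(key, i) }
  with_cve.any? { |i| no_cve_keys.include?(send(key, i)) }
end

if __FILE__ == $PROGRAM_NAME
  puts "old key ties a CVE issue with no-CVE issues: #{cve_ties_with_no_cve?(SAMPLE_ISSUES, :old_sort_key)}"
  puts "new key ties a CVE issue with no-CVE issues: #{cve_ties_with_no_cve?(SAMPLE_ISSUES, :new_sort_key)}"
  sorted_titles.each_with_index { |title, i| puts "#{i + 1}. #{title}" }
end
```

With the old key the `0.0`-scored CVE issue and the two no-CVE issues all carry key `0`, so their order depends on the sort implementation; with the new key the CVE issue is strictly above them. Note that Ruby's `sort_by` is not stable, so the two no-CVE issues still land in an arbitrary order relative to each other; the change only guarantees that every CVE-bearing issue ranks above them.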
References
This issue is a follow-up to direct feedback in https://gitlab.com/gitlab-com/gl-infra/delivery/-/issues/19739#note_1617355859