Support multiple Auto Remediation patches when applying a vulnerability solution
Problem to solve
Vulnerabilities can have many remediations, and remediations can have many vulnerabilities; however, our current auto remediation feature applies only the first remediation to a given vulnerability. This should be improved so that, when multiple patches can be applied in the future, we can do so without requiring updates to our backend and frontend code.
This is future-proofing as our existing logic does not produce multiple patches for a given remediation.
Target audience
- Sasha, Software Developer, https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas#sasha-software-developer
- Sam, Security Analyst, https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas#sam-security-analyst
Further details
- Discussion on associating vulnerabilities with the first matching remediation: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/9326#note_145441462
- Frontend code for selecting the first matching remediation: https://gitlab.com/gitlab-org/gitlab-ee/blob/v11.8.0-ee/ee/app/assets/javascripts/vue_shared/security_reports/store/utils.js#L27
Proposal
- update frontend from `find` to `filter`
- update backend report parser from `find` to `select` (`Gitlab::Ci::Parsers::Security::Common#collate_remediations`)
- update backend create MR service to apply all relevant patches, not just the first (`EE::MergeRequests::CreateFromVulnerabilityDataService#create_patch`)
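The frontend change above, shown as an added example (not the code in `utils.js` or any other GitLab code): the current `find` behaviour beside the proposed `filter` behaviour, over a constructed report whose remediations list the vulnerabilities they fix under an assumed `fixes`/`cve` shape and use placeholder ids.

```javascript
// Constructed sample report; the `fixes` array keyed by `cve` is an assumed
// shape for this example, and the ids are placeholders, not real CVEs.
const report = {
  vulnerabilities: [
    { cve: 'VULN-A', name: 'Prototype pollution in lib-a' },
    { cve: 'VULN-B', name: 'ReDoS in lib-b' },
  ],
  remediations: [
    { summary: 'Upgrade lib-a to 1.2.3', fixes: [{ cve: 'VULN-A' }], diff: 'diff-1' },
    { summary: 'Pin lib-a transitive dependency', fixes: [{ cve: 'VULN-A' }], diff: 'diff-2' },
    { summary: 'Upgrade lib-b to 2.0.0', fixes: [{ cve: 'VULN-B' }], diff: 'diff-3' },
  ],
};

// A remediation matches a vulnerability when one of its fixes names that id.
const fixesVulnerability = (remediation, vulnerability) =>
  remediation.fixes.some((fix) => fix.cve === vulnerability.cve);

// Current behaviour: `find` stops at the first match, so the second patch
// for VULN-A is silently dropped.
function firstRemediation(vulnerability, remediations) {
  return remediations.find((r) => fixesVulnerability(r, vulnerability)) || null;
}

// Proposed behaviour: `filter` keeps every match, in report order, so a
// vulnerability with two patches carries both and the MR service can apply both.
function allRemediations(vulnerability, remediations) {
  return remediations.filter((r) => fixesVulnerability(r, vulnerability));
}

// Attach the full remediation list to each vulnerability in the report.
function enrichVulnerabilities(parsedReport) {
  return parsedReport.vulnerabilities.map((vulnerability) => ({
    ...vulnerability,
    remediations: allRemediations(vulnerability, parsedReport.remediations),
  }));
}
```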
What does success look like, and how can we measure that?
If a vulnerability is resolvable via two separate remediation patches, we should apply both to the vulnerability solution.
What is the type of buyer?
Links / references