Skip to content

Create a merge request from a vulnerability solution

Problem to solve

GitLab is able to suggest solutions for security vulnerabilities as part of the details info.
In some cases, it is also possible to get a patch that can be applied to the codebase to fix the problem.

At the moment, users have to download the patch, apply to the local repository, and then push changes back to the remote repository.

This process should be automated.

Target audience

  • Sasha, Software Developer
  • Sam, Security Analyst

Further details

Users should still be able to download the patch, since they may want to look at changes before committing into the codebase. We can allow to choose what they want to do via a dropdown button or another similar way.

Proposal

Add a button to automatically create a merge request with the proposed changes.
This should be available in every place where the patch could be downloaded.

Once the button is pressed, the following actions are executed:

  1. a new branch is created
  2. the patch is committed in the new branch
  3. a new merge request is created, with the new branch as the source, and the branch where the security reports belongs as the target

We can also consider to commit the changes and then open the merge request creation page, where users can manually confirm it. This is the same flow we have when changing a file via the UI.

  1. frontend: change the Create issue button in the vulnerability details window into a button dropdown, with Create a merge request (default) and Create issue as possible actions
  2. backend: create a new branch, commit the patch, create (open create page?) a new MR
  3. frontend/backend: usage ping (via snowplow on the button - or via backend when receiving the request)

We should take a look at the Web IDE and figure out if there is something we can reuse.

  • TODO: The initial backend implementation done with https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/9326 covers creation of the merge request targeting the repository's default branch. A follow-up MR is needed to add the more complex logic for changing the target branch to the originating branch of the vulnerability occurrence.

Design

Create MR button selected Create issue button selected
create-MR create-issue
Initial list state Hover state - over create issue Hover state - over create MR
create-MR-with-action-list create-MR-with-action-list-hover create-issue-with-list-hover

Cases

Issue has been created from this vuln MR has been created from this vuln both MR and Issue have been created from this vuln
Issue-created MR-created mr-and-issue-created
Design Specs:

See design specs here

MR Template
MR Template
MR Title: "Fix vulnerability:[vulnerability name]"
MR Description: Same as issue descriptions created from vulnerabilities.

What does success look like, and how can we measure that?

Number of merge requests created using this feature.

Edited by Lucas Charles