Create a merge request from a vulnerability solution (#9224) · Issues · GitLab.org / GitLab Enterprise Edition

Create a merge request from a vulnerability solution

Problem to solve

GitLab is able to suggest solutions for security vulnerabilities as part of the details info.
In some cases, it is also possible to get a patch that can be applied to the codebase to fix the problem.

At the moment, users have to download the patch, apply to the local repository, and then push changes back to the remote repository.

This process should be automated.

Target audience

Sasha, Software Developer
Sam, Security Analyst

Further details

Users should still be able to download the patch, since they may want to look at changes before committing into the codebase. We can allow to choose what they want to do via a dropdown button or another similar way.

Proposal

Add a button to automatically create a merge request with the proposed changes.
This should be available in every place where the patch could be downloaded.

Once the button is pressed, the following actions are executed:

a new branch is created
the patch is committed in the new branch
a new merge request is created, with the new branch as the source, and the branch where the security reports belongs as the target

We can also consider to commit the changes and then open the merge request creation page, where users can manually confirm it. This is the same flow we have when changing a file via the UI.

frontend: change the Create issue button in the vulnerability details window into a button dropdown, with Create a merge request (default) and Create issue as possible actions
backend: create a new branch, commit the patch, create (open create page?) a new MR
frontend/backend: usage ping (via snowplow on the button - or via backend when receiving the request)

We should take a look at the Web IDE and figure out if there is something we can reuse.

TODO: The initial backend implementation done with !9326 covers creation of the merge request targeting the repository's default branch. A follow-up MR is needed to add the more complex logic for changing the target branch to the originating branch of the vulnerability occurrence.

Design

Create MR button selected	Create issue button selected

Initial list state	Hover state - over create issue	Hover state - over create MR

Design Specs:

See design specs here

MR Template

MR Template
MR Title: "Fix vulnerability:[vulnerability name]"
MR Description: Same as issue descriptions created from vulnerabilities.

What does success look like, and how can we measure that?

Number of merge requests created using this feature.

### Problem to solve

GitLab is able to suggest solutions for security vulnerabilities as part of the details info.  
In some cases, it is also possible to get a patch that can be applied to the codebase to fix the problem.

At the moment, users have to download the patch, apply to the local repository, and then push changes back to the remote repository.

This process should be automated.

### Target audience

- [Sasha](https://design.gitlab.com/research/personas#persona-sasha), Software Developer
- [Sam](https://design.gitlab.com/research/personas#persona-sam), Security Analyst

### Further details

### Proposal

Add a button to automatically create a merge request with the proposed changes.  
This should be available in every place where the patch could be downloaded.

Once the button is pressed, the following actions are executed:
1. a new branch is created
1. the patch is committed in the new branch
1. a new merge request is created, with the new branch as the source, and the branch where the security reports belongs as the target

We can also consider to commit the changes and then open the merge request creation page, where users can manually confirm it. This is the same flow we have when changing a file via the UI.

1. ~frontend: change the **Create issue** button in the vulnerability details window into a button dropdown, with **Create a merge request** (default) and **Create issue** as possible actions
1. ~backend: create a new branch, commit the patch, create (open create page?) a new MR
1. ~frontend/~backend: usage ping (via snowplow on the button - or via backend when receiving the request)

We should take a look at the Web IDE and figure out if there is something we can reuse.

- [ ] *TODO:* The initial backend implementation done with https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/9326 covers creation of the merge request targeting the repository's default branch. A follow-up MR is needed to add the more complex logic for changing the target branch to the originating branch of the vulnerability occurrence.

### Design

| Create MR button selected | Create issue button selected|
| ------ | ------ |
| ![create-MR](/uploads/2542dfbaf5e1dffbdfcdd98bf45117db/create-MR.png) | ![create-issue](/uploads/672e65c94fd86fee5b1f1b2cc505a3d4/create-issue.png) |

| Initial list state | Hover state - over create issue | Hover state - over create MR  | 
| ------ | ------ | ------ | 
| ![create-MR-with-action-list](/uploads/34942dc5b6ab80903951c9f479f1729b/create-MR-with-action-list.png) | ![create-MR-with-action-list-hover](/uploads/cbab0605f3c85841117cdcc8eed81a4d/create-MR-with-action-list-hover.png) | ![create-issue-with-list-hover](/uploads/62703500fc35e707974d39a502f3afbf/create-issue-with-list-hover.png) |

##### Design Specs: 
[See design specs here](https://gitlab-org.gitlab.io/gitlab-design/hosted/andy/ee%239224-create-mr-from-vulnerability-solution-spec-previews/)

##### MR Template

| MR Template | 
| ------ | 
| MR Title: "Fix vulnerability:[vulnerability name]" |
| MR Description: Same as [issue descriptions](https://gitlab.com/gitlab-org/gitlab-ee/blob/master/ee/app/views/vulnerabilities/issue_description.md.erb) created from vulnerabilities. |

### What does success look like, and how can we measure that?