
Create `Vulnerability` when interacting with a `Security::Finding` (part 1)

Why are we doing this work?

After #324857 (closed) is merged, we should make sure to create a new Vulnerability when a user interacts with an unpersisted Finding (i.e. goes to the MR Security widget, clicks on a found Vulnerability and takes an action on it).

Implementation plan

  • backend Update the service classes ee/app/services/vulnerabilities/{resolve,dismiss,revert_to_detected,confirm}_service.rb to work on Vulnerabilities
  • backend Add a state transition entry for each service

The following point is moved to #368311 (closed)

  • backend Modify Projects::VulnerabilityFeedbackController to create a Vulnerability on the fly for a given Finding and use the updated service classes to change its state
    • This will not create a new feedback object, only a vulnerability.
    • We will need to set present_on_default_branch to false for these new vulnerabilities, since they were found in a pipeline on a non-default branch
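The shape of the flow above, as an added in-memory sketch that is not GitLab's code: an unpersisted Finding gets a Vulnerability created on the fly (state detected, present_on_default_branch false), the requested action is checked against an allowed-transition table, and a state transition entry is recorded for every accepted action. The class names (Finding, Vulnerability, StateTransition, Store, StateChangeService) and the transition table are assumptions made for the illustration.

```ruby
# Added illustration, not GitLab code. Models a Finding -> Vulnerability
# state change with an audit entry per transition, entirely in memory.

# Which actions are allowed from which states (assumed table, not from the issue).
TRANSITIONS = {
  confirm:            { from: %i[detected dismissed resolved], to: :confirmed },
  dismiss:            { from: %i[detected confirmed resolved], to: :dismissed },
  resolve:            { from: %i[detected confirmed dismissed], to: :resolved },
  revert_to_detected: { from: %i[confirmed dismissed resolved], to: :detected }
}.freeze

# A Security::Finding stand-in; vulnerability_id is nil until one is created.
Finding = Struct.new(:uuid, :project_id, :vulnerability_id) do
  def persisted_vulnerability?
    !vulnerability_id.nil?
  end
end

Vulnerability   = Struct.new(:id, :project_id, :state, :present_on_default_branch, :finding_uuid)
StateTransition = Struct.new(:vulnerability_id, :from_state, :to_state, :author, :comment)

# Stand-in for the vulnerabilities and state transition tables.
class Store
  attr_reader :vulnerabilities, :state_transitions

  def initialize
    @vulnerabilities = {}   # id => Vulnerability
    @state_transitions = [] # append-only audit log
    @next_id = 1
  end

  def create_vulnerability(project_id:, state:, present_on_default_branch:, finding_uuid:)
    id = @next_id
    @next_id += 1
    @vulnerabilities[id] = Vulnerability.new(id, project_id, state, present_on_default_branch, finding_uuid)
  end
end

# One service for all four actions; the real code has one class per action.
class StateChangeService
  class InvalidTransition < StandardError; end

  def initialize(store, author)
    @store = store
    @author = author
  end

  # Returns the (possibly newly created) Vulnerability after the action.
  def execute(finding, action, comment: nil)
    rule = TRANSITIONS.fetch(action) { raise ArgumentError, "unknown action #{action}" }
    vulnerability = find_or_create_vulnerability(finding)

    unless rule[:from].include?(vulnerability.state)
      raise InvalidTransition, "cannot #{action} a vulnerability in state #{vulnerability.state}"
    end

    from = vulnerability.state
    vulnerability.state = rule[:to]
    # Every accepted action leaves a state transition entry behind.
    @store.state_transitions << StateTransition.new(vulnerability.id, from, rule[:to], @author, comment)
    vulnerability
  end

  private

  # Reuse the existing Vulnerability, or create one that is explicitly not
  # present on the default branch because the Finding came from an MR pipeline.
  def find_or_create_vulnerability(finding)
    return @store.vulnerabilities.fetch(finding.vulnerability_id) if finding.persisted_vulnerability?

    vulnerability = @store.create_vulnerability(
      project_id: finding.project_id,
      state: :detected,
      present_on_default_branch: false,
      finding_uuid: finding.uuid
    )
    finding.vulnerability_id = vulnerability.id
    vulnerability
  end
end
```

Two things worth keeping in the real implementation are visible here: the create step is idempotent, so a second action on the same Finding must reuse the first Vulnerability rather than create another, and an action that is not allowed from the current state fails before anything is written, so no transition entry is recorded for it.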

Possible follow up items

  • Currently the flow for creating an Issue differs between a Vulnerability and a Vulnerabilities::Finding. The former takes you to the Create issue view with the Issue details populated so you can edit it before saving; the latter creates the issue directly without giving the user an opportunity to edit it.

Testing

  • Since this is a significant backend refactor, check whether existing E2E tests are broken by running the Package and QA job and checking the Secure results just before maintainer review

Verification steps

  1. Create a new project under https://gitlab.com/gitlab-org/secure/tests
  2. Enable the feature flag for that project (no longer required, as we removed the FF dependency from these services)
  3. Go to the pipeline security tab/vulnerability report page
  4. Perform the interactions (resolve, dismiss, revert_to_detected, confirm) on a finding/vulnerability
  5. Make sure nothing is broken and that we are creating feedback entries in the DB for these interactions
  6. Also check that we are creating a state transition entry in the DB for each of the interactions
Edited by Subashis Chakraborty