Create `Mutations::SecurityFinding::CreateIssue`

Why are we doing this work?

We want to be able to create Issue objects directly from Security::Findings. At the same time we want to deprecate Vulnerabilities::Feedback objects.

To do this, we want to introduce a Mutations::SecurityFinding::CreateIssue GraphQL mutation and a Vulnerabilities::SecurityFinding::CreateIssue service object.

Implementation plan

  1. backend Create Vulnerabilities::SecurityFinding::CreateIssue
  2. backend Create Mutations::SecurityFinding::CreateIssue

Vulnerabilities::SecurityFinding::CreateIssue

High level overview:

  1. Look up the given Security::Finding
  2. "Promote" the Security::Finding to a Vulnerabilities::Finding
  3. Create a Vulnerability for that Vulnerabilities::Finding if one doesn't exist yet
  4. Create an Issue for that Vulnerability
  5. Create a Vulnerabilities::IssueLink for the (vulnerability_id, issue_id) pair

We should use the state of the deprecate_vulnerabilities_feedback feature flag to determine the correct way to do this. The differences are outlined below.

deprecate_vulnerabilities_feedback is enabled

In this branch we would skip creating Vulnerabilities::Feedback objects entirely:

  1. Check whether the Vulnerabilities::Finding already has a vulnerability_id
  2. If not, create the Vulnerability using Vulnerabilities::CreateService (ee/app/services/vulnerabilities/create_service.rb)
  3. Use the vulnerability_id to create an Issue via Issues::CreateFromVulnerabilityDataService (ee/app/services/issues/create_from_vulnerability_data_service.rb)
  4. Make sure to create a Vulnerabilities::IssueLink object with the vulnerability_id and issue_id

I think steps 2 - 4 could be wrapped in a Vulnerabilities::CreateFromFindingService which we could reuse later on.

deprecate_vulnerabilities_feedback is disabled

In this branch we would just:

  1. Use VulnerabilityFeedback::CreateService to create a Vulnerabilities::Feedback object and an Issue for it; see the Vulnerabilities::Feedback#create_issue method

Finding is not found

This shouldn't happen, but in that case the service should just return an error response instead of creating anything.
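The flow above, including both feature-flag branches and the not-found case, as an added plain-Ruby walkthrough. This is illustration written for this issue, not GitLab code: the record names follow the issue text, but the in-memory Store, the Result object, the uuid-keyed promotion lookup and the issue title are assumptions made here so that it runs without Rails.

```ruby
# Added illustration (not GitLab code): a plain-Ruby walk through the
# Vulnerabilities::SecurityFinding::CreateIssue flow planned above.
# Record names follow the issue text; the in-memory Store, the Result
# object and the uuid-based promotion lookup are assumptions made here.
module Demo
  SecurityFinding        = Struct.new(:id, :project_id, :uuid, :name)
  VulnerabilitiesFinding = Struct.new(:id, :uuid, :name, :vulnerability_id)
  Vulnerability          = Struct.new(:id, :project_id, :finding_id)
  Issue                  = Struct.new(:id, :project_id, :title)
  IssueLink              = Struct.new(:vulnerability_id, :issue_id)
  Feedback               = Struct.new(:id, :finding_uuid, :issue_id)

  # Stand-in for the tables the real service reads and writes.
  class Store
    attr_reader :security_findings, :vuln_findings, :vulnerabilities,
                :issues, :issue_links, :feedback

    def initialize
      @security_findings = {}
      @vuln_findings = {}
      @vulnerabilities = {}
      @issues = {}
      @issue_links = []
      @feedback = []
      @last_id = 0
    end

    def next_id
      @last_id += 1
    end
  end

  Result = Struct.new(:status, :issue, :message) do
    def success?
      status == :success
    end
  end

  class CreateIssueService
    def initialize(store, security_finding_id, deprecate_feedback:)
      @store = store
      @security_finding_id = security_finding_id
      @deprecate_feedback = deprecate_feedback
    end

    def execute
      # Step 1: look the Security::Finding up; a missing record is an error.
      finding = @store.security_findings[@security_finding_id]
      return Result.new(:error, nil, 'Security::Finding not found') unless finding

      # Step 2: promote, re-using an existing Vulnerabilities::Finding by uuid.
      vuln_finding = promote(finding)

      if @deprecate_feedback
        # Steps 3-5: vulnerability (only if absent), issue, issue link.
        vulnerability = find_or_create_vulnerability(finding, vuln_finding)
        issue = create_issue(finding)
        @store.issue_links << IssueLink.new(vulnerability.id, issue.id)
      else
        # Legacy path: one Vulnerabilities::Feedback record per created issue.
        issue = create_issue(finding)
        @store.feedback << Feedback.new(@store.next_id, finding.uuid, issue.id)
      end

      Result.new(:success, issue, nil)
    end

    private

    def promote(finding)
      @store.vuln_findings[finding.uuid] ||=
        VulnerabilitiesFinding.new(@store.next_id, finding.uuid, finding.name, nil)
    end

    def find_or_create_vulnerability(finding, vuln_finding)
      return @store.vulnerabilities[vuln_finding.vulnerability_id] if vuln_finding.vulnerability_id

      vulnerability = Vulnerability.new(@store.next_id, finding.project_id, vuln_finding.id)
      @store.vulnerabilities[vulnerability.id] = vulnerability
      vuln_finding.vulnerability_id = vulnerability.id
      vulnerability
    end

    def create_issue(finding)
      issue = Issue.new(@store.next_id, finding.project_id, "Investigate #{finding.name}")
      @store.issues[issue.id] = issue
      issue
    end
  end
end

# Constructed sample input: one finding, run twice with the flag on to show the
# Vulnerability is created once and both issues link to it, then the legacy
# path, then an unknown id.
def demo_run
  store = Demo::Store.new
  store.security_findings[10] = Demo::SecurityFinding.new(10, 1, 'uuid-1', 'SQL injection in login')
  first   = Demo::CreateIssueService.new(store, 10, deprecate_feedback: true).execute
  second  = Demo::CreateIssueService.new(store, 10, deprecate_feedback: true).execute
  legacy  = Demo::CreateIssueService.new(store, 10, deprecate_feedback: false).execute
  missing = Demo::CreateIssueService.new(store, 99, deprecate_feedback: true).execute
  { store: store, first: first, second: second, legacy: legacy, missing: missing }
end

if __FILE__ == $PROGRAM_NAME
  r = demo_run
  puts "vulnerabilities: #{r[:store].vulnerabilities.size}, links: #{r[:store].issue_links.size}, feedback: #{r[:store].feedback.size}"
end
```

The point worth checking in the real service is the same one the sample exercises: calling the mutation twice for the same finding must not create a second Vulnerability, only a second Issue and IssueLink, and an unknown security_finding_id must return an error before any record is written.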

Mutations::SecurityFinding::CreateIssue

  1. Accepts a security_finding_id
  2. Calls Vulnerabilities::SecurityFinding::CreateIssue
  3. Returns the created Issue (or the service's error)
Edited by Subashis Chakraborty