Spike: On the MR details page, the endpoint to get vulnerability report diff data is returning cached feedback data, which can become out-of-date
On the MR details page, there's a MR security widget.
For each report type in the widget, a request is made to `http://${group}/${project}/-/merge_requests/${id}/${report_type}_reports`.
For each vulnerability, the user can do one of the following, which will create a feedback object of the appropriate type:
- Dismiss or un-dismiss the vulnerability (dismissal feedback)
- Add, edit, or delete a dismissal comment (dismissal feedback)
- Create an issue for the vulnerability (issue feedback)
- Create a MR for the vulnerability (merge request feedback)
The feedback object is included in the report diff data.
However, when the feedback object is changed and the report diff data is refetched, it will not return the expected feedback objects. It looks like the data is being cached, and will update only after an unspecified amount of time. We need to keep it in sync with any feedback changes.
Feedback objects not updating properly
To test locally using the UI, use the `368712-remove-unnecessary-vulnerability-feedback-call-partial` branch. Otherwise, on production you will need to look at the raw data coming back from the report diff endpoint.