Include Noteable concern in Vulnerabilities::StateTransition
Proposal
I propose we include `Noteable` in the `Vulnerabilities::StateTransition` model.
Rationale
Right now, what happens when you comment on a state transition (not to be confused with the `StateTransition` model) depends on how you do it, which is inconsistent and problematic.
Vulnerability report
Via:
- Go to Vulnerability report
- Select a vulnerability
- Dismiss it
- Put a comment under the status change
Result: a `DiscussionNote` gets created
Security tab of the pipeline status
Via:
- Go to CI/CD -> Pipelines
- Select a pipeline
- Go to the Security tab
- Select a vulnerability and dismiss it with a comment
- Put a comment under the status change
Result: only a `Vulnerabilities::Feedback` gets created
Problems
- In the first scenario, we actually create a `DiscussionNote` on the `Vulnerability` itself, not on the `Vulnerabilities::Feedback`, so it's not obvious where it comes from.
- In the second scenario, if you modify the comment, the `Vulnerabilities::Feedback` gets updated in place, which means we lose the previous comment and its author.
- You can't add more than one comment on a state transition, which is less than ideal, I think.
Solution
I think including `Noteable` in `Vulnerabilities::StateTransition` is a good idea. It will allow us to build the following system:
- All `Vulnerabilities::StateTransition` records can be treated as immutable
- We can build a robust audit trail for a `Vulnerability`, since `Vulnerabilities::StateTransition` can't be modified
- You can put as many `Note`s on every `Vulnerabilities::StateTransition` as you want, so users can "discuss" any given `Vulnerabilities::StateTransition` without modifying the actual record
- We can generate audit trails that either show or don't show the additional `Note`s
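To make the proposed shape concrete, here is an added plain-Ruby illustration (not GitLab's code, and not the real `Noteable` concern or ActiveRecord models): a hypothetical `Noteable` mixin gives a frozen `StateTransition` an append-only list of notes, a `MutableFeedback` class stands in for today's in-place update from the second scenario, and `Vulnerability#audit_trail` shows the trail with and without the discussion. All class, method and state names here are assumptions for the example.

```ruby
# Added illustration (not GitLab's code): a hypothetical Noteable mixin that
# lets an immutable StateTransition accumulate any number of Notes, next to
# the mutable single-comment Feedback behaviour the issue describes.
# All class and method names here are assumptions for the example.

Note = Struct.new(:author, :body, :position, keyword_init: true)

# Hypothetical stand-in for the Noteable concern: anything that includes it
# gets an append-only list of notes.
module Noteable
  def notes
    @notes ||= []
  end

  def add_note(author:, body:)
    notes << Note.new(author: author, body: body, position: notes.size)
    self
  end
end

# Today's second scenario: one comment field, edited in place, so the earlier
# text and its author are lost.
class MutableFeedback
  attr_reader :comment, :comment_author

  def initialize(comment:, author:)
    @comment = comment
    @comment_author = author
  end

  def update_comment(comment:, author:)
    @comment = comment
    @comment_author = author
  end
end

# Proposed shape: the transition record is frozen after creation, while the
# discussion lives in notes attached to it.
class StateTransition
  include Noteable
  attr_reader :vulnerability_id, :from_state, :to_state, :author

  def initialize(vulnerability_id:, from_state:, to_state:, author:)
    @vulnerability_id = vulnerability_id
    @from_state = from_state
    @to_state = to_state
    @author = author
    notes # allocate the notes array before freezing; the array itself stays mutable
    freeze
  end
end

class Vulnerability
  attr_reader :id, :transitions

  def initialize(id)
    @id = id
    @transitions = []
  end

  # Record a state change; the optional comment becomes the first note.
  def transition!(to:, author:, comment: nil)
    from = transitions.last&.to_state || :detected
    transition = StateTransition.new(vulnerability_id: id, from_state: from,
                                     to_state: to, author: author)
    transition.add_note(author: author, body: comment) if comment
    transitions << transition
    transition
  end

  # Audit trail built from the immutable records, with or without the notes.
  def audit_trail(include_notes: true)
    transitions.flat_map do |t|
      lines = ["#{t.author} changed state #{t.from_state} -> #{t.to_state}"]
      lines += t.notes.map { |n| "  note by #{n.author}: #{n.body}" } if include_notes
      lines
    end
  end
end

# Returns :rejected when the frozen record refuses modification.
def edit_attempt(transition)
  transition.instance_variable_set(:@to_state, :confirmed)
  :modified
rescue FrozenError
  :rejected
end

# Shows what the in-place update loses: only the last author and text survive.
def overwritten_feedback
  feedback = MutableFeedback.new(comment: "false positive", author: "alice")
  feedback.update_comment(comment: "actually exploitable", author: "bob")
  [feedback.comment_author, feedback.comment]
end

if $PROGRAM_NAME == __FILE__
  vuln = Vulnerability.new(42)
  t = vuln.transition!(to: :dismissed, author: "alice", comment: "false positive")
  t.add_note(author: "bob", body: "agreed, test fixture only")
  puts vuln.audit_trail
  puts edit_attempt(t)
  p overwritten_feedback
end
```

The point of freezing the record rather than the notes array is that the state change itself becomes evidence that cannot be rewritten, while discussion about it stays open-ended; a reviewer reading `audit_trail(include_notes: false)` gets only the state changes and their authors, and `audit_trail` gets the full conversation.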