Hide Resolve with merge request action for newly introduced findings
Problem to solve
From @nmccorrison:
Some context: Newly introduced findings are specific to the MR, and therefore "resolve with MR" will target the MR's branch.
Conceptually this makes sense, as applying an available fix should save time. However, this creates a new, separate merge request (and therefore a new, separate branch), which creates a complicated workflow requiring the fix MR to target the original MR's branch.
This diagram shows the developer's MR workflow, and the separate workflow created if the user uses the "resolve with MR" on a new/added finding:
```mermaid
graph LR
Branch1[Original MR Branch] --> Master
MR1[Original MR] --> Branch1
Branch2[Resolve with MR Branch] -.-> Branch1
MR2[Resolve with MR] -.-> Branch2
MR1 -.-> MR2
```
I wonder if we should instead only offer the Download Patch option from within a finding (more info on downloading a patch is in the original implementation issue).
Proposal
Do not show the "Resolve with merge request" button (or option in dropdown if the split button is used) in the standalone vulnerability finding modal when we're dealing with a newly introduced finding. Do still show the "Download patch" button (or option) though.
Implementation steps
- Add `presentOnDefaultBranch` on the vulnerability entity
- Update `security_report_finding.query.graphql` so it includes `presentOnDefaultBranch` on the `vulnerability`
- Only show the "Resolve with merge request" button if `this.vulnerability?.presentOnDefaultBranch` is `true`
- Update specs
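The visibility rule from the steps above, written out as an added example (not GitLab's own code): a pure function that decides which actions the finding modal offers, driven by `presentOnDefaultBranch` and handling the case where no vulnerability is attached yet. The `remediations` and `issueLinks` fields are assumptions for illustration; only `presentOnDefaultBranch` comes from the issue.

```javascript
// Added example, not GitLab's code. Only `presentOnDefaultBranch` is taken
// from the issue; `remediations` and `issueLinks` are assumed field names.

// Returns the action identifiers the finding modal dropdown should offer.
// `finding.vulnerability` is undefined until the finding is attached to a
// vulnerability (e.g. before "Create issue" is used), so the optional
// chaining matters: a missing vulnerability must hide the MR action.
function findingActions(finding) {
  const actions = [];
  const hasPatch = Array.isArray(finding.remediations) && finding.remediations.length > 0;
  const hasIssue = (finding.vulnerability?.issueLinks?.length ?? 0) > 0;
  const onDefaultBranch = finding.vulnerability?.presentOnDefaultBranch === true;

  if (!hasIssue) {
    actions.push('create-issue');
  }
  if (hasPatch) {
    // "Download patch" stays available for newly introduced findings ...
    actions.push('download-patch');
    // ... but "Resolve with merge request" only once the finding is on the default branch,
    // so the fix MR never has to target the original MR's branch.
    if (onDefaultBranch) {
      actions.push('resolve-with-mr');
    }
  }
  return actions;
}

// Constructed sample findings mirroring the three verification scenarios.
const newlyIntroduced = { remediations: [{ diff: 'constructed' }] };
const withVulnerability = {
  remediations: [{ diff: 'constructed' }],
  vulnerability: { presentOnDefaultBranch: false, issueLinks: [{ id: 1 }] },
};
const onDefaultBranch = {
  remediations: [{ diff: 'constructed' }],
  vulnerability: { presentOnDefaultBranch: true, issueLinks: [{ id: 1 }] },
};
```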
Verification steps
1. Newly introduced finding without an attached vulnerability
- go to https://gitlab.com/gitlab-org/govern/threat-insights-demos/verification-projects/verificaton-for-428890/-/merge_requests/1
- in the merge request, expand the security reports MR widget
- click on the critical finding
- verify that the action dropdown button has no "Resolve with merge request" option
2. Newly introduced finding with an attached vulnerability
- in that same finding modal, create an issue by clicking "Create issue" in that dropdown button
- it will redirect you to the issue; go back and open the same finding in the modal again on the MR
- verify that the action dropdown button offers only "Download patch to resolve"
3. Finding which has made its way onto the default branch, i.e. `vulnerability.presentOnDefaultBranch` is `true`
- merge the MR
- go to the pipelines page and open the latest pipeline > security tab
- click on the same critical finding to open its modal
- verify that the dropdown button now offers "Resolve with merge request"