Vulnerability Management Access Control

For both Vulnerability Explanation and Resolution, we need to ensure the proper access control is implemented. The expected behavior is described in #465772 (comment 1939829093)

Additional Resources

1. Unit Primitive
   • Our feature is only available for Ultimate and only available with a GitLab Duo Enterprise License
   • Stakeholders that may help with this: @nmilojevic1 (IC) and/or @oregand (EM)
2. Primary Feature Toggle - settings to enable the feature
   • Issue (old, might need updating): Vulnerability Explanation - Behind a feature to... (#458970 - closed)
   • Documentation

All MRs

Below is a list of all MR for this issue:

• Use ability check for explain and resolve vuln ... (!157501 - merged)
• Updated access control policy for explain and r... (!156838 - merged)
• Add unit primitive for /vulnerability_explain tool (!157606 - merged)
• https://gitlab.com/gitlab-org/customers-gitlab-com/-/merge_requests/10344+
• Adds resolve_vulnerability as a cloud connector... (!157554 - merged)
• https://gitlab.com/gitlab-org/customers-gitlab-com/-/merge_requests/10308+
• Adds explain_vulnerability as a cloud connector... (!157976 - merged)

Implementation Plan

The lists below associate MRs with the various permission checks. Some MRs cover multiple checks.

Vulnerability Explanation

frontend

• Consolidate all frontend checks behind the explain_vulnerability frontend feature flag in vulnerabilities_controller.rb. (!157501 (merged))

backend

• Consolidate all backend checks in to vulnerability_policy.rb including:
  • The report type is SAST. (!156838 (merged))
  • The user has developer access or above for the project. (!156838 (merged))
  • The project belongs to a group with an Ultimate license. (!156838 (merged))
  • The project belongs to a group with a GitLab Duo Enterprise license using the Unit Primitive pattern. (!157606 (merged) and !157976 (merged))
  • All expected feature flags are enabled. (!156838 (merged))
  • Add a check to ensure the GitLab Duo setting is enabled for the group. (!156838 (merged))
  • Ensure all behavior is covered by automated tests. (!156838 (merged))
• Add Unit Primitive definitions to CustomersDot Cloud Connector configuration. (https://gitlab.com/gitlab-org/customers-gitlab-com/-/merge_requests/10344)

Vulnerability Resolution

frontend

• Consolidate all frontend checks behind the resolve_vulnerability frontend feature flag in vulnerabilities_controller.rb. (!157501 (merged))

backend

• Consolidate all backend checks in to vulnerability_policy.rb including
  • The report type is SAST. (!156838 (merged))
  • The user has developer access or above for the project. (!156838 (merged))
  • The project belongs to a group with an Ultimate license. (!156838 (merged))
  • The project belongs to a group with a GitLab Duo Enterprise license using the Unit Primitive pattern. (!157554 (merged))
  • All expected feature flags are enabled. (!156838 (merged))
  • Add a check to ensure the GitLab Duo setting is enabled for the group. (!156838 (merged))
  • Ensure all behavior is covered by automated tests. (!156838 (merged))
• Add Unit Primitive definitions to CustomersDot Cloud Connector configuration. (https://gitlab.com/gitlab-org/customers-gitlab-com/-/merge_requests/10308)