[SPIKE] Add ability to filter vulnerability where VR is enabled
Use case:
I was trying to test VR on some projects, and I wanted to filter the vulnerability report and see only the findings for which Vulnerability Resolution is enabled. It looks like we currently have no easy way to do it. I believe that customers would like to do this kind of filtering and prioritize fixing findings that can be fixed automatically.
Possible implementation:
We can add a new activity filter: https://docs.gitlab.com/ee/user/application_security/vulnerability_report/index.html#activity-filter. Something like "Has resolve with AI".
MVC
- Filtering and activity icon for Vulnerability Resolution only
- MVC Design: #477284[design_1724977457515.png]
Implementation Plan

| Task | Estimate |
|---|---|
| Add `has_vulnerability_resolution` column to `vulnerability_reads` table | ~ 2 days |
| New indices for project and group level queries | ~ 1 week, this requires migration |
| Backfill migration, inserting TRUE for vulnerabilities that are included in the CWE allowlist (could take 2+ weeks). Note: just to keep in mind for estimation, we had to requeue the backfill migrations a couple of times in some cases. | ~ 3 weeks, may or may not take long depending on whether it requires rerunning or not |
| Fix the `has_vulnerability_resolution` ingestion logic for `vulnerability_reads` (example: #429361 (closed)) | < week |
| Set/Unset `has_vulnerability_resolution` in VulnerabilityReads (example: !129125 (merged)) | < 1 week |
| Expose new `has_vulnerability_resolution` field in the vulnerability report API and change the read finder logic | < 1 week |
| Add "has_ai_resolution" filter to Vulnerability Report & Count | |
| Add "ai ability" to display filter options | |
| Add "ai resolution" badge & tooltip to Vulnerability Report | |
| Update activity filter docs for VR (example: !136258 (diffs)) | |
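The backend rows of the plan (new column, partial indexes, batched backfill, filtered read query), sketched as PostgreSQL statements. This is an added illustration, not GitLab's own migration code: every table and column name other than `vulnerability_reads.has_vulnerability_resolution` is an assumption about the schema, the index names are made up, and the CWE allowlist values and ids are constructed placeholders.

```sql
-- 1. New column. NOT NULL with a default means ingestion never has to handle NULL.
ALTER TABLE vulnerability_reads
  ADD COLUMN has_vulnerability_resolution boolean NOT NULL DEFAULT false;

-- 2. Partial indexes for the project-level and group-level report queries.
--    Only rows where the flag is TRUE are indexed, so the index stays small and
--    the "resolvable only" filter does not scan the whole table.
--    (CONCURRENTLY cannot run inside a transaction block.)
CREATE INDEX CONCURRENTLY idx_vuln_reads_project_has_vr          -- assumed name
  ON vulnerability_reads (project_id, severity, vulnerability_id DESC)
  WHERE has_vulnerability_resolution;

CREATE INDEX CONCURRENTLY idx_vuln_reads_namespace_has_vr        -- assumed name
  ON vulnerability_reads (namespace_id, severity, vulnerability_id DESC)
  WHERE has_vulnerability_resolution;

-- 3. Backfill. One bounded batch per statement, and the WHERE excludes rows that
--    are already TRUE, so a requeued/rerun batch is idempotent (the plan notes the
--    backfill had to be requeued more than once).
WITH allowlist(external_id) AS (
       VALUES ('CWE-000'), ('CWE-001')       -- constructed placeholders, not the real list
     ),
     batch AS (
       SELECT vr.vulnerability_id
       FROM vulnerability_reads vr
       WHERE vr.vulnerability_id BETWEEN 1 AND 10000        -- batch bounds, constructed
         AND NOT vr.has_vulnerability_resolution
         AND EXISTS (
           SELECT 1
           FROM vulnerability_occurrences vo                          -- assumed tables
           JOIN vulnerability_occurrence_identifiers voi ON voi.occurrence_id = vo.id
           JOIN vulnerability_identifiers vi ON vi.id = voi.identifier_id
           JOIN allowlist a ON a.external_id = vi.external_id
           WHERE vo.vulnerability_id = vr.vulnerability_id
             AND vi.external_type = 'cwe'
         )
     )
UPDATE vulnerability_reads vr
SET has_vulnerability_resolution = true
FROM batch
WHERE vr.vulnerability_id = batch.vulnerability_id;

-- 4. What the new report filter reduces to on the read side (project level).
SELECT vulnerability_id, severity
FROM vulnerability_reads
WHERE project_id = 42                                     -- constructed sample id
  AND has_vulnerability_resolution
ORDER BY severity DESC, vulnerability_id DESC
LIMIT 20;
```

Because the allowlist is baked into the backfill rather than evaluated at read time, every change to the CWE list needs another backfill run, which is exactly the cost flagged under Future considerations.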
Future considerations
- A migration anytime the CWE list is changed
Edited by Becka Lippert