Transform VR response into MR suggestion

The Resolve Vulnerability with AI feature gets a response from the AI gateway in the form of

<old_code>
...some code...
</old_code>
<new_code>
...some code...
</new_code>

It uses that response, along with the source code of the vulnerability finding to turn that response into a diff that can be used to generate a merge request. This transformation happens here: https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/services/merge_requests/create_from_vulnerability_data_service.rb#L116-120

In order to create an MR suggestion, we will need to transform the LLM response into a formatted suggestion. The diff has all the information necessary to create a suggestion in the MR, so we can perform the transformation on the backend and create a new suggestion in the MR.

Example

Below is a rough example of what the flow would look like from LLM Response to Diff to Suggestion. This MR is a spike on the process !163813 (closed).

LLM Response

<old_code>
get '/file/:filename' do
  filename = params['filename']
  file_path = File.join("./files", filename)

  if File.exist?(file_path) && file_path.start_with?("./files/")
    send_file(file_path)
  else
    halt 404, "File not found"
  end
end
</old_code>
<new_code>
get '/file/:filename' do
  filename = params['filename'].to_s
  sanitized_filename = File.basename(filename)
  file_path = File.expand_path(File.join("./files", sanitized_filename))
  base_path = File.expand_path("./files")

  if File.exist?(file_path) && file_path.start_with?(base_path)
    send_file(file_path, disposition: 'attachment', filename: sanitized_filename)
  else
    halt 404, "File not found"
  end
end
</new_code>

Diff

diff --git a/cwe-23.rb b/cwe-23.rb
--- a/cwe-23.rb
+++ b/cwe-23.rb
@@ -2,9 +2,11 @@
 
 get '/file/:filename' do
-  filename = params['filename']
-  file_path = File.join("./files", filename)
+  filename = params['filename'].to_s
+  sanitized_filename = File.basename(filename)
+  file_path = File.expand_path(File.join("./files", sanitized_filename))
+  base_path = File.expand_path("./files")
 
-  if File.exist?(file_path) && file_path.start_with?("./files/")
-    send_file(file_path)
+  if File.exist?(file_path) && file_path.start_with?(base_path)
+    send_file(file_path, disposition: 'attachment', filename: sanitized_filename)
   else
     halt 404, "File not found"

Suggestion

```suggestion:-0+9
 
get '/file/:filename' do
  filename = params['filename'].to_s
  sanitized_filename = File.basename(filename)
  file_path = File.expand_path(File.join("./files", sanitized_filename))
  base_path = File.expand_path("./files")
 
  if File.exist?(file_path) && file_path.start_with?(base_path)
    send_file(file_path, disposition: 'attachment', filename: sanitized_filename)
  else
    halt 404, "File not found"

Implementation

  1. Transform the LLM response into a formatted suggestion
  2. Add link to VR feedback issue within the suggestion text.
Edited by Neil McCorrison