Design: Relate vulnerability <> MR
Problems to solve
Problem 1: No ability to link an MR directly to a vulnerability
With the "Has MR" Activity filter on the Vulnerability Report, we give customers the impression that MRs can be linked to vulnerabilities, but (screenshot 1, below) they can only be linked in particular circumstances: where the scanner provides a solution (screenshot 2, below) or where our AI feature (Vulnerability Resolution) has created an MR from the vulnerability.
Not being able to link vulnerabilities to MRs is a problem, considering that someone looking at the vulnerability may not know that there's currently a fix in progress in a related MR. Additionally, we don't have commenting (only commenting on a status change), so users can't even add an MR link in a comment.
This only exacerbates the bigger problem we have of not having vulnerabilities as first-class objects, so the current workflow for vulnerability collaboration and remediation is often: vulnerability -> create a related issue -> create an MR. Even if the related issue links to the MR, the user still has to go to the vulnerability's related issue to find a link to it.
| (1) | (2) |
|---|---|
| [screenshot 1] | [screenshot 2] |
Problem 2: When using Vulnerability Resolution (the AI feature), only the latest MR shows, even though more than 1 MR has been created.
Example:
- In this test vulnerability, I created an MR using VR.
- I then created another MR from the same vulnerability using VR.
- You can see that only 1 MR is captured on the vulnerability detail page (note that the MR is !9) and from the MR badge in the Vulnerability Report view (note that the MR here is !8, even though if you click on the vulnerability, it only shows !9 as noted above).
- You can see from the Merge Requests page that there are 2 separate MRs opened from the same vulnerability, but we're referencing only 1 MR from the Vulnerability Report view and 1 from the vulnerability detail page (and they're not even the same one; I don't know why).
Proposal
To address Problem 1:
- Add ability to relate MRs with vulnerabilities. Specifically:
- Create an MR from a vulnerability (and provide the link to/ from each source).
- Relate an existing MR to a vulnerability.
- The MR link (and its status) should be visible from the Vulnerability Report (through the "Has MR" activity filter) and on the vulnerability detail page.
To address Problem 2:
- Expand the "Related issues" container to include related items, i.e. all associated issues and all associated MRs. If expanding this container to include MRs is too technically complex, we can consider a separate "Related MRs" container (along the lines of the "Related vulnerabilities" container proposed in this issue).
Notes/ Questions
- This may only apply to private projects. For public projects, like GitLab, our appsec team creates the MR in a private forked repo. Could we somehow create the related MR in that private forked repo?