Add Severity Override Metadata to MR Widget Calls

Background

The Merge Request (MR) Widget and MR Changes Inline Popover do not incorporate severity override metadata in their respective API and GraphQL calls. This issue addresses that gap so that severity override information is included and applied in these MR-related features.

MR Widget

  • Uses an API call to merge_requests_controller.rb
  • Utilizes PipelineVulnerabilitiesFinder, which:
    • Downloads pipeline report artifacts
    • Compares them with the latest MR destination pipeline artifact
    • Identifies new and fixed vulnerabilities
  • MergeRequestSecurityReportGenerationService is used to:
    • Fetch existing vulnerability records corresponding to the UUID of the report finding
    • Override the original state if a matching vulnerability record exists

MR Changes Inline Popover

  • Uses a GraphQL call to getMRCodequalityAndSecurityReportsEE.
  • Similar to the MR widget:
    • Downloads pipeline report artifacts
    • Compares them with the latest MR destination pipeline artifact
    • Identifies new vulnerabilities

Proposed Solution

We must add severity override metadata to the API and GraphQL calls used by the MR Widget and MR Changes Inline Popover. This should include:

  1. Updating the API call in merge_requests_controller.rb to include severity override metadata.
  2. Modifying PipelineVulnerabilitiesFinder to consider severity override information when processing vulnerabilities.
  3. Enhancing MergeRequestSecurityReportGenerationService so that, in addition to overriding the state, it also considers and applies severity overrides.
  4. Updating the getMRCodequalityAndSecurityReportsEE GraphQL query to include severity override metadata.
  5. Ensuring that the MR Widget and MR Changes Inline Popover display the overridden severity when applicable.
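The flow the steps above describe, as an added illustration in Ruby (not GitLab's own code): the finder diffs the two pipelines' findings by UUID into new and fixed findings, then the generation service overrides the state and severity from the matching vulnerability record. The record shape, the Finding fields and the sample data are assumptions.

```ruby
# Added example (not GitLab code): models the MR widget flow described above.
# Assumed record shape, keyed by finding UUID:
#   { state:, severity_override: { new_severity: } }  (severity_override nil if none)
Finding = Struct.new(:uuid, :name, :severity, :state, :original_severity, keyword_init: true)

# PipelineVulnerabilitiesFinder step: diff the MR pipeline's findings against the
# destination pipeline's findings by UUID to classify new and fixed findings.
def diff_findings(source:, target:)
  source_uuids = source.map { |f| f[:uuid] }
  target_uuids = target.map { |f| f[:uuid] }
  { added: source.reject { |f| target_uuids.include?(f[:uuid]) },
    fixed: target.reject { |f| source_uuids.include?(f[:uuid]) } }
end

# MergeRequestSecurityReportGenerationService step: a matching vulnerability record
# overrides the report state; a severity override on it overrides the report severity,
# and the report's own severity is kept in original_severity for display.
def apply_overrides(findings, records_by_uuid)
  findings.map do |f|
    finding = Finding.new(uuid: f[:uuid], name: f[:name], severity: f[:severity],
                          state: 'detected', original_severity: nil)
    record = records_by_uuid[f[:uuid]]
    next finding unless record
    finding.state = record[:state]
    if (override = record[:severity_override])
      finding.original_severity = finding.severity
      finding.severity = override[:new_severity]
    end
    finding
  end
end

# Constructed sample data: two pipelines' findings plus existing records.
SOURCE_FINDINGS = [{ uuid: 'aaaa-1', name: 'SQL injection', severity: 'high' },
                   { uuid: 'bbbb-2', name: 'Hardcoded key', severity: 'critical' },
                   { uuid: 'cccc-3', name: 'Weak hash', severity: 'medium' }].freeze
TARGET_FINDINGS = [{ uuid: 'aaaa-1', name: 'SQL injection', severity: 'high' },
                   { uuid: 'dddd-4', name: 'Open redirect', severity: 'low' }].freeze
RECORDS_BY_UUID = {
  'bbbb-2' => { state: 'dismissed', severity_override: { new_severity: 'low' } },
  'cccc-3' => { state: 'confirmed', severity_override: nil }
}.freeze

# What the widget would receive: new and fixed findings with overrides applied.
def widget_payload
  diff = diff_findings(source: SOURCE_FINDINGS, target: TARGET_FINDINGS)
  { added: apply_overrides(diff[:added], RECORDS_BY_UUID),
    fixed: apply_overrides(diff[:fixed], RECORDS_BY_UUID) }
end
```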

Expected Outcome

After implementing these changes:

  • The MR Widget should display accurate severity information, including any overrides, for all vulnerabilities.
  • The MR Changes Inline Popover should reflect the correct severity, taking any manual overrides into account.
  • There should be consistency between the severity information displayed in the MR Widget, MR Changes Inline Popover, and other security features within GitLab.

Edited by Miki Amos