Create a merge request from a vulnerability solution
Problem to solve
GitLab can suggest solutions for security vulnerabilities as part of the vulnerability details.
In some cases it can also provide a patch that can be applied to the codebase to fix the problem.
At the moment, users have to download the patch, apply it to their local repository, and then push the changes back to the remote repository.
This process should be automated.
Users should still be able to download the patch, since they may want to review the changes before committing them to the codebase. We can let them choose what they want to do via a dropdown button or a similar control.
Add a button to automatically create a merge request with the proposed changes.
This should be available everywhere the patch can be downloaded.
Once the button is pressed, the following actions are executed:
- a new branch is created
- the patch is committed in the new branch
- a new merge request is created, with the new branch as the source and the branch the security report belongs to as the target
We could also commit the changes and then open the merge request creation page, where users confirm the merge request manually. This is the flow we already have when changing a file via the UI.
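The three backend steps above (create a branch, commit the patch, open the merge request), as an added example that is not GitLab's own code: it runs the branch and commit steps with plain git so the flow can be exercised locally, and expresses the merge request as the JSON body for GitLab's REST endpoint `POST /projects/:id/merge_requests` instead of sending it. It assumes the scanner's patch is a unified diff, that the branch the finding came from is known, and it invents the branch naming scheme `fix-vulnerability-<slug>` and the committer identity; the fixture repository and its patch are constructed for the example. It also adds the two checks a practitioner wants before code is committed on their behalf: an existing branch is never reused, and a patch that no longer applies cleanly to the target branch is rejected rather than leaving a half-applied change behind.

```shell
#!/bin/sh
# Added example (not GitLab's own code). Assumptions: unified-diff patch from the
# scanner, known originating branch, invented "fix-vulnerability-<slug>" naming.

# "SQL Injection in users_controller" -> "sql-injection-in-users-controller"
slugify() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -cs 'a-z0-9' '-' | sed 's/^-//; s/-$//'
}

# Escape a string for use inside a JSON string literal (backslashes and quotes).
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Create <branch> from <target>, apply <patch_file> and commit it.
# The target branch itself is never modified: the fix only lands through the MR.
create_fix_branch() {
  repo=$1; target=$2; branch=$3; patch_file=$4; vuln=$5
  if git -C "$repo" show-ref --verify --quiet "refs/heads/$branch"; then
    echo "refusing: branch $branch already exists" >&2
    return 1
  fi
  git -C "$repo" checkout -q -b "$branch" "$target" || return 1
  # Dry run first: a scanner patch may be stale relative to the target branch.
  if ! git -C "$repo" apply --check "$patch_file"; then
    echo "refusing: patch does not apply cleanly to $target" >&2
    git -C "$repo" checkout -q "$target"
    git -C "$repo" branch -q -D "$branch"
    return 1
  fi
  git -C "$repo" apply --index "$patch_file" || return 1
  # Committer identity is an assumption for the example.
  git -C "$repo" -c user.name="example-bot" -c user.email="example-bot@example.com" \
    commit -q -m "Fix vulnerability: $vuln" || return 1
  git -C "$repo" checkout -q "$target"
}

# JSON body for POST /projects/:id/merge_requests. The title follows the spec on
# this page; the description is whatever the "create issue" flow would produce.
mr_payload() {
  printf '{"source_branch":"%s","target_branch":"%s","title":"Fix vulnerability: %s","description":"%s","remove_source_branch":true}\n' \
    "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")" "$(json_escape "$4")"
}

# Constructed fixture (not real scanner output): a throwaway repo whose "develop"
# branch interpolates user input into SQL, plus the patch a scanner might offer.
# Prints the repo path; the patch is written next to it as <repo>.patch.
make_fixture() {
  repo=$(mktemp -d)
  git init -q "$repo"
  git -C "$repo" checkout -q -b develop
  cat > "$repo/app.rb" <<'EOF'
class UsersController
  def show
    User.where("name = '#{params[:name]}'")
  end
end
EOF
  git -C "$repo" add app.rb
  git -C "$repo" -c user.name=dev -c user.email=dev@example.com commit -q -m "vulnerable version"
  cat > "$repo/app.rb" <<'EOF'
class UsersController
  def show
    User.where(name: params[:name])
  end
end
EOF
  git -C "$repo" diff > "$repo.patch"
  git -C "$repo" checkout -q -- app.rb
  echo "$repo"
}

# Usage:
#   repo=$(make_fixture)
#   branch="fix-vulnerability-$(slugify 'SQL Injection')"
#   create_fix_branch "$repo" develop "$branch" "$repo.patch" "SQL Injection"
#   mr_payload "$branch" develop "SQL Injection" "<issue description>"   # body to POST
```

The payload printed by `mr_payload` is what the backend would send to the merge request API (with a project ID and an authenticated token); the usage ping mentioned in the implementation notes would be recorded at the same point. Inside GitLab the commit would go through the repository service rather than a working-tree checkout, but the checks are the same: refuse to overwrite an existing branch and refuse a patch that does not apply to the branch the finding came from.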
- frontend: change the Create issue button in the vulnerability details window into a dropdown button, with Create a merge request (default) and Create issue as the available actions
- backend: create a new branch, commit the patch, and create a new MR (or open the create page?)
- frontend/backend: usage ping (via Snowplow on the button, or in the backend when the request is received)
We should look at the Web IDE and figure out whether there is something we can reuse.
- TODO: The initial backend implementation in https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/9326 covers creating the merge request targeting the repository's default branch. A follow-up MR is needed to add the more complex logic of targeting the branch the vulnerability occurrence originated from.
Mockups:
- Create MR button selected
- Create issue button selected
- Initial list state
- Hover state over Create issue
- Hover state over Create MR
- Issue has been created from this vulnerability
- MR has been created from this vulnerability
- Both an MR and an issue have been created from this vulnerability
MR title: "Fix vulnerability: [vulnerability name]"
MR description: the same as the description of an issue created from a vulnerability.
What does success look like, and how can we measure that?
Number of merge requests created using this feature.