Expose comment field on Vulnerability GraphQL type, attempt 2

What does this MR do and why?

!109661 (merged) was reverted due to performance problems (see #389497 (comment 1254563251)).

This MR attempts to solve those problems.

Database review

Queries added

SELECT "vulnerability_state_transitions".* FROM "vulnerability_state_transitions" WHERE "vulnerability_state_transitions"."vulnerability_id" IN (712, 711, 710, 709, 708, 655, 654, 653, 652, 642, 641, 628, 581, 576, 574, 565, 699, 669, 660, 645, 637, 636, 632, 631, 630, 629, 625, 623, 617, 615, 612, 611, 608, 607, 606, 601, 600, 599, 597, 596, 595, 594, 592, 590, 589, 588, 586, 584, 578, 575, 571, 570, 563, 560, 559, 557, 556, 555, 553, 552, 551, 546, 545, 544, 543, 542, 713, 707, 706, 705, 704, 703, 702, 701, 700, 698, 697, 696, 695, 694, 693, 692, 691, 690, 688, 687, 685, 684, 683, 682, 681, 680, 679, 678, 677, 676, 675, 674, 673, 672, 671)

Query plan: https://console.postgres.ai/gitlab/gitlab-production-tunnel-pg12/sessions/14940/commands/52069

How to set up and validate locally

  1. Check out this branch.
  2. Set up a project with Vulnerabilities.
  3. Dismiss one Vulnerability using the following GraphQL mutation:

         mutation {
           vulnerabilityDismiss(input: {
             id: "gid://gitlab/Vulnerability/VULN_ID_HERE",
             comment: "test comment gql"
           }) {
             vulnerability {
               id
               comment
               state
               dismissedAt
               dismissedBy {
                 id
               }
             }
           }
         }

  4. Update the Vulnerabilities::StateTransition#comment so it's easier to see the result:

         # Rails console: overwrite the comment on the latest state transition
         st = Vulnerabilities::StateTransition.where(vulnerability_id: VULN_ID_HERE).last
         st.update(comment: "TEST STATETRANSITIONS COMMENT")

  5. You can verify it's different from Vulnerabilities::Feedback#comment with:

         Vulnerability.find(VULN_ID_HERE).finding.feedbacks.last.comment # comment should be `test comment gql`
         Vulnerability.find(VULN_ID_HERE).state_transitions.last.comment # comment should be `TEST STATETRANSITIONS COMMENT`

  6. Issue the following GraphQL query:

         query {
           project(fullPath: "root/security-reports") {
             vulnerabilities {
               nodes {
                 id
                 stateComment
               }
             }
           }
         }

  7. stateComment should be `test comment gql`.
  8. Run Feature.enable(:deprecate_vulnerabilities_feedback) in the Rails console.
  9. Reissue the query from step 6.
  10. stateComment should be `TEST STATETRANSITIONS COMMENT`.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #388452 (closed)
