Skip to content

Refactor vulnerability policy to move SAST check

Darby Frey requested to merge add-ai-explanation-available into master

What does this MR do and why?

This MR refactors the Vulnerability policy to move the AI_ALLOWED_REPORT_TYPES check out of the policy and into the Finding, so it will work in the same way the ai_resolution_available? / aiResolutionAvailable checks work. This will make it possible to use the ability checks on both the individual and list views.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before After

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

Manual Checks

Since this change applies to the access policy I'm adding the manual checks from #478761 (closed)

Pick one of this demo project to clone:

A. Vulnerability Explanation

  1. Click on a SAST vulnerability
  2. Click on "Explain with AI"
  3. It triggers the duo chat drawer calling the /vulnerability_explain command
  4. It successfully display the AI response
  • Verified

B. Vulnerability Resolution

  1. Enable the FF vulnerability_resolution_ga (should already be on by default)
  2. Click on a SAST vulnerability

For high confidence CWE:

  1. It displays the button "Resolve with AI"
  2. When clicked, it creates the AI generated MR
  • Verified

For all other SAST:

  1. It displays the button "Resolve with AI"
  2. It is in a disabled state and has a "Learn more" link
  • Verified

C. Vulnerability Resolution (Experiment)

  1. Disable the FF vulnerability_resolution_ga
  2. Click on a SAST vulnerability
  3. It displays the experiment button "Resolve with merge request (experiment)"
  4. When clicked, it creates the AI generated MR
  • Verified
Edited by Darby Frey

Merge request reports