Backfill for `vulnerability_reads.has_vulnerability_resolution`

What does this MR do and why?

Context

We need to be able to filter vulnerabilities on whether they have the "Resolve with Duo" button enabled.

This button is enabled if a finding's CWE value is included in this hard-coded list of CWE values.

In previous MRs we:

  • Added a new column to support this filter [1]
  • Began populating this column for new rows [2]
  • Added a scope to filter on this column [3]

This commit

This commit adds the batched background migration to backfill the existing rows.

Note

In the model code, we define cwe_value like this:

    def cwe_value
      identifiers.find(&:cwe?)&.name
    end

`find` will stop at the first vulnerability_identifier that has an `external_id == CWE`.

So, given the following scenario:

  • We have a vulnerability_finding that has 2 identifiers
  • both identifiers are cwe identifiers
  • the first identifier is NOT in HIGH_CONFIDENCE_AI_RESOLUTION_CWES, but the second is

Then the application code would return false for `ai_resolution_enabled?`, whereas this backfill will mark it as true.

Our current business logic for SAST rules does not actually allow multiple CWE identifiers, so this is not a real scenario in production. [4]
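The divergence described in the note, as an added illustration that is not code from this MR or from GitLab: the model path stops at the first CWE identifier, while the backfill is assumed here to mark a row when any of its CWE identifiers is in the list (the MR does not show the backfill query). The CWE values in HIGH_CONFIDENCE_AI_RESOLUTION_CWES and the `external_type` field name are placeholders.

```ruby
# Added illustration, not code from the MR. The CWE values below are
# constructed placeholders; the real hard-coded list lives in the code base.
HIGH_CONFIDENCE_AI_RESOLUTION_CWES = %w[CWE-79 CWE-89].freeze

# Minimal stand-ins for the identifier and finding models (field names assumed).
Identifier = Struct.new(:external_type, :name) do
  def cwe?
    external_type.casecmp?('cwe')
  end
end

Finding = Struct.new(:identifiers) do
  # Same shape as the model method quoted in the MR: `find` returns the
  # first CWE identifier, so any later CWE identifiers are never consulted.
  def cwe_value
    identifiers.find(&:cwe?)&.name
  end

  def ai_resolution_enabled?
    HIGH_CONFIDENCE_AI_RESOLUTION_CWES.include?(cwe_value)
  end

  # Assumed backfill semantics (the MR does not show its query): the column
  # is set when ANY CWE identifier on the finding is in the list.
  def backfill_has_vulnerability_resolution?
    identifiers.any? { |id| id.cwe? && HIGH_CONFIDENCE_AI_RESOLUTION_CWES.include?(id.name) }
  end
end

# Returns [model_value, backfill_value] so the two paths can be compared.
def compare(identifiers)
  finding = Finding.new(identifiers)
  [finding.ai_resolution_enabled?, finding.backfill_has_vulnerability_resolution?]
end

# Scenario from the note: two CWE identifiers, only the second is in the list.
TWO_CWES = [Identifier.new('cwe', 'CWE-20'), Identifier.new('cwe', 'CWE-79')].freeze
# The production-realistic case: a single CWE identifier.
ONE_CWE = [Identifier.new('cwe', 'CWE-79')].freeze

if $PROGRAM_NAME == __FILE__
  p compare(TWO_CWES) # => [false, true]  (model and backfill disagree)
  p compare(ONE_CWE)  # => [true, true]
end
```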

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.


Changelog: added
EE: true
Resolves: #486530 (closed)
MR: !166110 (merged)
Epic: &15036 (closed)

[1] !165548 (merged)
[2] !165952 (merged)
[3] !166312 (merged)
[4] !166110 (comment 2120772688)

Edited by Michael Becker
