
API call for Resolve Vulnerability

Victor Zagorodny requested to merge 10242-resolve-vulnerability into master

What does this MR do?

This MR adds a Resolve Vulnerability API call to the new Vulnerabilities API which is one of the backstage changes required to implement the First-class Vulnerabilities MVC functionality. This is a huge feature with lots of new and changed terminology behind it, so here's a brief overview:

  • a Vulnerability is an epic-like object (could become Issuable in future) to accumulate the full information about a unique vulnerability detected in a project: identifier (e.g. CVE-2019-1234567), severity, etc.
  • it can have many places where it was detected in the project's source code
  • such places are called Findings (previously they were called Occurrences, and the DB table behind them is still called vulnerability_occurrences; this will be renamed later)
  • a Vulnerability has a persisted state, currently, it's an enum: opened, closed
  • a resolution of a Vulnerability moves it from opened to closed state
  • a Finding has a computed state based on the presence of the corresponding dismissal Feedback record and on the presence and state of its associated Vulnerability; it's an enum: new, confirmed, resolved, dismissed
  • sidenote: a dismissal of a Vulnerability also moves it from opened to closed state, and it additionally creates Vulnerabilities::Feedback records of type dismissal for the associated Findings; this helps to distinguish between dismissed and resolved Findings

More on the terminology behind the First-class Vulnerabilities domain here.
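To make the state rules above concrete, here is an added Ruby model of them (example code, not GitLab's implementation). It assumes the mapping for a Finding's computed state that the description implies but does not spell out: no associated Vulnerability gives new, an opened Vulnerability gives confirmed, a closed Vulnerability with a dismissal Feedback gives dismissed, and a closed one without such a record gives resolved.

```ruby
# Added example modelling the state rules described in this MR (not GitLab's code).
# Assumed mapping for a Finding's computed state: no Vulnerability -> :new,
# opened -> :confirmed, closed + dismissal Feedback -> :dismissed, closed alone -> :resolved.
Feedback = Struct.new(:finding, :feedback_type)

class Vulnerability
  attr_reader :state, :findings
  def initialize
    @state = :opened   # persisted state enum: opened, closed
    @findings = []
  end
  def add_finding(finding)
    finding.vulnerability = self
    @findings << finding
    finding
  end
  # Resolution: opened -> closed, no Feedback records created.
  def resolve!
    @state = :closed
  end
  # Dismissal: opened -> closed plus a dismissal Feedback per Finding;
  # that record is what later separates dismissed from resolved Findings.
  def dismiss!(feedbacks)
    @state = :closed
    @findings.each { |f| feedbacks << Feedback.new(f, :dismissal) }
  end
end

class Finding
  attr_accessor :vulnerability
  # Not persisted: derived from the Vulnerability and any dismissal Feedback.
  def state(feedbacks)
    return :new if vulnerability.nil?
    return :confirmed if vulnerability.state == :opened
    dismissed = feedbacks.any? { |fb| fb.finding.equal?(self) && fb.feedback_type == :dismissal }
    dismissed ? :dismissed : :resolved
  end
end

# Constructed scenario: one Vulnerability resolved, one dismissed, one orphan Finding.
def demo_states
  feedbacks = []
  resolved_v, dismissed_v = Vulnerability.new, Vulnerability.new
  f1, f2, orphan = resolved_v.add_finding(Finding.new), dismissed_v.add_finding(Finding.new), Finding.new
  resolved_v.resolve!
  dismissed_v.dismiss!(feedbacks)
  [f1.state(feedbacks), f2.state(feedbacks), orphan.state(feedbacks), feedbacks.size]
end
```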

This change is behind a feature flag defaulting to false, so:

  • The documentation is not included in this MR; it was decided to add it later
  • When the feature flag is disabled, the endpoint responds with 404 Not Found
  • There's no changelog entry for this MR
  • There's an issue for removal of the feature flag

Does this MR meet the acceptance criteria?

Conformity

Performance and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team