Send finding description to Duo for vulnerability resolution

What does this MR do and why?

Context

It was noted that we do not currently send the description of a vulnerability to Duo during the "resolve vulnerability" duo workflow.

This may have been intentional, due to the description eating up a lot of tokens.

This change

While looking into this issue, I noticed that the GraphQL endpoint tries to take the description from the vulnerability or the finding [1]:

# GraphQL field resolver: prefer the vulnerability's own description,
# fall back to the finding's description when it is nil
def description
  object.description || object.finding_description
end

Here, I am making the Duo request logic match the GraphQL logic, and adding a regression test.

I have put the change behind a user-level FF to allow our team to do some QA, and make sure token exhaustion is no longer an issue.

Screenshots or screen recordings

[Before / After screenshots not reproduced]

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.


related to: #526865 (closed)
related to: https://gitlab.com/gitlab-org/gitlab/-/issues/535606
Changelog: fixed
EE: true

  [1] More detailed discussion and investigation notes can be read in this thread on the issue.
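The fallback described in this MR, as an added Ruby example that is not GitLab's code: it mirrors the GraphQL resolver's "vulnerability description, else finding description" choice when building the text for the Duo request, gates it behind a per-user flag, and goes one step further than a bare `||` by treating a blank description as missing. The `Vulnerability` struct, `FLAG_ENABLED_FOR` table and function names are assumptions for the example; the real feature-flag name is not given on the page.

```ruby
# Added example (not GitLab's code): choose the description text to send to
# Duo during the "resolve vulnerability" workflow, mirroring the GraphQL
# resolver's fallback from the vulnerability to its finding.

# Constructed stand-in for the vulnerability record (assumption).
Vulnerability = Struct.new(:description, :finding_description, keyword_init: true)

# Constructed stand-in for a user-level feature flag (assumption);
# the real flag and its name are not shown on the page.
FLAG_ENABLED_FOR = {} # user_id => true/false

def send_description_enabled?(user_id)
  FLAG_ENABLED_FOR.fetch(user_id, false)
end

# Returns the description to include in the Duo request, or nil when the
# flag is off for this user or neither source has usable text.
# Prefers the vulnerability's own description and falls back to the
# finding's, like `object.description || object.finding_description`,
# but unlike `||` a blank (empty or whitespace-only) string counts as missing.
def description_for_duo(vulnerability, user_id:)
  return nil unless send_description_enabled?(user_id)

  [vulnerability.description, vulnerability.finding_description]
    .map { |text| text.to_s.strip }
    .find { |text| !text.empty? }
end
```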

Edited by Michael Becker
