What does this MR do?
During the review of Create a Vulnerability from Finding (the API call for the backstage implementation of the First-class Vulnerabilities MVC), the maintainer raised a concern about the inconsistency in the `/projects/:id/vulnerabilities` endpoint behavior. This API path currently returns different types of objects depending on the state of the `first_class_vulnerabilities` feature flag: `Vulnerability` instances when `first_class_vulnerabilities` is enabled, and `Vulnerabilities::Occurrence` instances otherwise.

The `first_class_vulnerabilities` feature flag controls the availability of the upcoming MVC Standalone Vulnerability objects (aka First-class Vulnerabilities) functionality.
There was a decision to reserve `/projects/:id/vulnerabilities` for serving `Vulnerability` instances only, regardless of the `first_class_vulnerabilities` feature flag state. The current implementation is moved to the `/projects/:id/vulnerability_findings` API path. Initially, this change was planned to be covered with a feature flag and released together with #13561 (closed). This decision makes this change an immediate breaking change for the current Vulnerabilities API consumers.
To be noted:
- the current Vulnerabilities API is in the Alpha stage, and the warning about possible breaking changes is explicit
- this API is used by the GitLab frontend; the corresponding changes were made to switch the API path used
Here are the changes that move the Vulnerabilities API to become the Vulnerability Findings API. The term `Finding` is the new name for `Occurrence`. More on terminology here.
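The contract problem described above, and the check a reviewer would want after the split, modelled as a small added example. This is illustration code written for this description, not GitLab's Grape API or its `Feature.enabled?` implementation: the `FeatureFlags` module, the `Finding`/`Vulnerability` structs, the sample records and the endpoint methods are all constructed stand-ins. It shows the original single endpoint returning a different record type depending on the flag, the two dedicated endpoints that replace it, and a check that each endpoint's response type is the same in both flag states.

```ruby
# Added illustration, not GitLab code: models the endpoint/feature-flag
# interaction from the MR and verifies the response contract is stable.

# Constructed stand-ins for the two record types. Vulnerabilities::Occurrence
# is being renamed to Finding, so the stand-in uses the new name.
Finding = Struct.new(:id, :name)
Vulnerability = Struct.new(:id, :title)

# Constructed sample data for a single project.
FINDINGS = [Finding.new(1, "SQL injection"), Finding.new(2, "XSS")].freeze
VULNERABILITIES = [Vulnerability.new(10, "SQL injection")].freeze

# Hypothetical in-memory flag store; GitLab's real lookup is Feature.enabled?.
module FeatureFlags
  @flags = {}

  def self.enable(name)
    @flags[name] = true
  end

  def self.disable(name)
    @flags[name] = false
  end

  def self.enabled?(name)
    @flags.fetch(name, false)
  end
end

# BEFORE: one path, two possible response types depending on the flag.
# This is the inconsistency the maintainer pointed out.
def before_vulnerabilities_endpoint(_project_id)
  if FeatureFlags.enabled?(:first_class_vulnerabilities)
    VULNERABILITIES
  else
    FINDINGS
  end
end

# AFTER: /projects/:id/vulnerabilities serves Vulnerability records only.
def vulnerabilities_endpoint(_project_id)
  VULNERABILITIES
end

# AFTER: /projects/:id/vulnerability_findings serves the Finding records
# that the old endpoint used to return when the flag was off.
def vulnerability_findings_endpoint(_project_id)
  FINDINGS
end

# Contract check: call the endpoint with the flag enabled and disabled and
# collect the distinct record classes seen across both states.
def response_types_across_flag(endpoint)
  [true, false].flat_map do |state|
    if state
      FeatureFlags.enable(:first_class_vulnerabilities)
    else
      FeatureFlags.disable(:first_class_vulnerabilities)
    end
    method(endpoint).call(1).map(&:class).uniq
  end.uniq
end

# An endpoint has a stable contract when exactly one record type is returned
# regardless of the feature flag state.
def stable_contract?(endpoint)
  response_types_across_flag(endpoint).size == 1
end

if __FILE__ == $PROGRAM_NAME
  %i[before_vulnerabilities_endpoint vulnerabilities_endpoint
     vulnerability_findings_endpoint].each do |ep|
    puts "#{ep}: #{stable_contract?(ep) ? 'stable' : 'UNSTABLE'} " \
         "(#{response_types_across_flag(ep).join(', ')})"
  end
end
```

Running the block prints one line per endpoint; only the old combined endpoint reports `UNSTABLE`, because it is the only one whose response type flips with the flag. A request spec exercising both flag states in the same way is the natural regression test to accompany an endpoint split like this one.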
Does this MR meet the acceptance criteria?
Documentation created/updated or follow-up review issue created
Code review guidelines
- [-] Merge request performance guidelines
- [-] Database guides
Separation of EE specific content
Availability and Testing
Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- [-] Tested in all supported browsers
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- [-] Label as security and @ mention
- [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- [-] Security reports checked/validated by a reviewer from the AppSec team