
Merge request !19029: Move Vulnerabilities API to Vulnerability Findings API

Merged
Victor Zagorodny requested to merge 10242-move-old-vulns-api-to-vuln-findings into master Oct 23, 2019

What does this MR do?

Background

During the review of Create a Vulnerability from Finding (API call for the backstage implementation of the First-class Vulnerabilities MVC), the maintainer had raised a hand about the inconsistency in the /projects/:id/vulnerabilities endpoint behavior. This API path currently returns different types of objects depending on the first_class_vulnerabilities feature flag state: Vulnerability instances in case first_class_vulnerabilities is enabled and Vulnerabilities::Occurrence instances otherwise.

The first_class_vulnerabilities feature flag controls the availability of the upcoming MVC Standalone Vulnerability objects (aka First-class Vulnerabilities) functionality.

There was a decision to reserve /projects/:id/vulnerabilities for serving the Vulnerability instances only, regardless of the first_class_vulnerabilities feature flag state. The current implementation of it is moved to the /projects/:id/vulnerability_findings API path. Initially, this change was planned to be covered with a feature flag and released together with #13561 (closed). This decision makes this change an immediate breaking change for the current Vulnerabilities API consumers.

To be noted:

  • the current Vulnerabilities API is in the Alpha stage and the warning about possible breaking changes is explicit
  • this API is used by the GitLab frontend; the corresponding changes were made to switch the API path used

This MR

Here are the changes that move the Vulnerabilities API to become Vulnerability Findings API. The term Finding is the new name for Occurrence. More on terminology here.

Does this MR meet the acceptance criteria?

Conformity

  • Changelog entry
  • Documentation created/updated or follow-up review issue created
  • Code review guidelines
  • [-] Merge request performance guidelines
  • Style guides
  • [-] Database guides
  • Separation of EE specific content

Availability and Testing

  • Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
  • [-] Tested in all supported browsers

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • [-] Label as security and @ mention @gitlab-com/gl-security/appsec
  • [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • [-] Security reports checked/validated by a reviewer from the AppSec team
Edited Oct 25, 2019 by Victor Zagorodny