Move Vulnerabilities API to Vulnerability Findings API

What does this MR do?

During the review of Create a Vulnerability from Finding (the API call for the backstage implementation of the First-class Vulnerabilities MVC), the maintainer raised a concern about the inconsistent behavior of the /projects/:id/vulnerabilities endpoint. This API path currently returns different types of objects depending on the state of the first_class_vulnerabilities feature flag: Vulnerability instances when first_class_vulnerabilities is enabled, and Vulnerabilities::Occurrence instances otherwise.

The first_class_vulnerabilities feature flag controls the availability of the upcoming Standalone Vulnerability objects MVC (also known as First-class Vulnerabilities).

It was decided to reserve /projects/:id/vulnerabilities for serving Vulnerability instances only, regardless of the state of the first_class_vulnerabilities feature flag. The current implementation of that endpoint is moved to the /projects/:id/vulnerability_findings API path. Initially, this change was planned to be put behind a feature flag and released together with #13561 (closed). This decision makes the change an immediate breaking change for current consumers of the Vulnerabilities API.

To be noted:

  • the current Vulnerabilities API is in the Alpha stage, and the warning about possible breaking changes is explicit
  • this API is used by the GitLab frontend; the corresponding changes were made to switch the API path it uses

This MR

Here are the changes that move the Vulnerabilities API to become the Vulnerability Findings API. The term Finding is the new name for Occurrence. More on terminology here.
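The following is an added illustration of the contract problem described above, not code from this MR or from GitLab: a simplified model in which the record structs, the constructed sample data, the route table and the flag hash are all assumptions. It shows that with a single flag-dependent path a consumer sees a different response type per flag state, while the split paths return a fixed type regardless of the flag.

```ruby
# Simplified model of the API behaviour before and after this MR.
# Assumption: a Vulnerability (first-class object) and a Finding
# (formerly Occurrence) are represented by plain Structs.
Vulnerability = Struct.new(:id, :title, :state)
Finding       = Struct.new(:id, :name, :report_type)

# Constructed sample records standing in for a project's data.
VULNS    = [Vulnerability.new(1, 'Constructed vuln', 'detected')].freeze
FINDINGS = [Finding.new(10, 'Constructed finding', 'sast')].freeze

# "Before": one path whose response type depends on the feature flag.
def vulnerabilities_before(flags)
  flags[:first_class_vulnerabilities] ? VULNS : FINDINGS
end

# "After": each path serves exactly one type, whatever the flag says.
ROUTES_AFTER = {
  '/projects/:id/vulnerabilities'        => ->(_flags) { VULNS },
  '/projects/:id/vulnerability_findings' => ->(_flags) { FINDINGS }
}.freeze

def respond_after(path, flags)
  handler = ROUTES_AFTER[path]
  handler && handler.call(flags)
end

# Consumer-side check: collect the response types seen for each flag state.
def response_types(fetch)
  [true, false].map do |enabled|
    fetch.call(first_class_vulnerabilities: enabled).map(&:class).uniq
  end
end

# True when the endpoint returns the same type regardless of the flag.
def stable_shape?(fetch)
  response_types(fetch).uniq.size == 1
end

stable_shape?(method(:vulnerabilities_before))                                # => false
stable_shape?(->(f) { respond_after('/projects/:id/vulnerabilities', f) })    # => true
```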

Does this MR meet the acceptance criteria?

Availability and Testing

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • [-] Label as security and @ mention @gitlab-com/gl-security/appsec
  • [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • [-] Security reports checked/validated by a reviewer from the AppSec team
Edited by Victor Zagorodny