Resolve "Vulnerabilities must have report_type attribute"

Victor Zagorodny requested to merge 34431-add-report-type-vulnerabilities into master

What does this MR do?

Adds the report_type attribute for the newly added Vulnerability model and resolves #34431 (closed). Initially, it was decided not to link the Vulnerability to the concept of the report_type. But gradually, it has been realized that all Findings that belong to a single specific Vulnerability are reported by an analyzer of a certain report type. And it's unlikely that a Vulnerability will refer to Findings reported by multiple analyzers.

See more on Vulnerabilities and Findings in the terminology glossary. Briefly, a Finding (previously called Occurrence) represents a particular location in the analyzed project's source code, configuration, or dependencies where the vulnerability is located. For a long time, it was the only entity related to the detection of vulnerabilities. But, later on, the idea came up to introduce Vulnerabilities as first-class objects that can be referred to by a unique URL link and managed like an Issue or Epic (have discussion threads, open/closed state, etc.).

In the MVC version of First-class Vulnerabilities, the functionality of Vulnerabilities is pretty narrow, and the full list of initially supported API operations is listed here.
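As an added illustration (not GitLab's code and not part of this MR), the following minimal in-memory model enforces the invariant the description relies on: every Finding attached to a Vulnerability comes from an analyzer of the Vulnerability's own report_type. The report type list, the `Finding`/`Vulnerability` classes and the `infer_report_type` helper are constructed for this example.

```ruby
# Added illustration, not GitLab's implementation. The report types below are
# constructed examples, not GitLab's canonical list.
REPORT_TYPES = %i[sast dependency_scanning container_scanning dast].freeze

# A Finding is one location (file:line, lock file, image layer, ...) reported
# by an analyzer of a given report type.
Finding = Struct.new(:location, :report_type)

class InconsistentReportType < StandardError; end

class Vulnerability
  attr_reader :report_type, :findings

  # report_type is fixed when the Vulnerability is created, mirroring the
  # attribute this MR adds to the model.
  def initialize(report_type)
    raise ArgumentError, "unknown report_type #{report_type}" unless REPORT_TYPES.include?(report_type)

    @report_type = report_type
    @findings = []
  end

  # A Finding from another analyzer would make one Vulnerability span several
  # report types, which the MR assumes never happens, so reject it up front.
  def add_finding(finding)
    unless finding.report_type == report_type
      raise InconsistentReportType,
            "finding at #{finding.location} is #{finding.report_type}, vulnerability is #{report_type}"
    end

    @findings << finding
    self
  end

  # Integrity check: the stored attribute agrees with every attached Finding.
  # Useful when validating rows whose report_type was backfilled.
  def consistent?
    findings.all? { |f| f.report_type == report_type }
  end
end

# For a Vulnerability that predates the new column, derive report_type from
# its Findings. Returns nil when the Findings disagree, i.e. the row needs
# manual review instead of an automatic backfill.
def infer_report_type(findings)
  types = findings.map(&:report_type).uniq
  types.size == 1 ? types.first : nil
end
```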

Does this MR meet the acceptance criteria?

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • [-] Label as security and @ mention @gitlab-com/gl-security/appsec
  • [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • [-] Security reports checked/validated by a reviewer from the AppSec team