Vulnerability merge_requests field

What does this MR do and why?

Vulnerabilities support multiple linked merge requests, but the API only exposes one merge request. When there are multiple added, the merge request exposed is chosen in a non-deterministic way.

This merge request adds a merge_requests field to the GraphQL vulnerability type.

It also forces merge_request to be the oldest MR in the list.

References

Related to #503408

Related to #556999

Screenshots or screen recordings

Screenshot_2025-08-22_at_10.40.12_AM

How to set up and validate locally

  1. Find a project with vulnerabilities
  2. Create two MRs
  3. Link the MRs to the vulnerability via the VulnerabilityMergeRequestLinks::CreateService class
  4. In the GraphQL explorer, make the following query and verify that it returns the expected response:
query getVulnerability {
  vulnerability(id: "gid://gitlab/Vulnerability/<vulnerability-gid>") {
    id
    mergeRequest {
      id
      title
    }
    mergeRequests {
      nodes {
        id
        title
      }
    }
  }
}

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
