Draft: fix: reinstate vulnerability read trigger flag

Relates to issue #580521

Changes

This MR reinstates the vulnerability read database trigger feature flag implementation from !208297 (merged) to ensure a safe transition away from database triggers.

Infrastructure

  • Added feature flag transaction helper methods to SecApplicationRecord:
    • feature_flagged_transaction_for(projects) - wraps transactions and passes the feature flag
    • db_trigger_flag_not_set? - checks whether the feature flag is set
    • pass_feature_flag_to_vuln_reads_db_trigger(projects) - passes the flag to the DB trigger
  • Created the EnforceVulnerabilityReadDbTriggerFf concern to enforce feature flag usage in transactions

Model Extensions

  • Extended Vulnerability, Vulnerabilities::Finding, Vulnerabilities::MergeRequestLink, and Vulnerabilities::Read models with enforcement concern
  • Added pluck_distinct_project_ids scope to Vulnerability model

Service Updates

Updated 14 vulnerability services to use feature_flagged_transaction_for:

  • Vulnerabilities::Archival::Restoration::RestoreBatchService
  • Vulnerabilities::Archival::ArchiveBatchService
  • Vulnerabilities::BaseService
  • Vulnerabilities::BaseStateTransitionService
  • Vulnerabilities::BulkDismissService
  • Vulnerabilities::BulkSeverityOverrideService
  • Vulnerabilities::CreateService
  • Vulnerabilities::FindOrCreateFromSecurityFindingService
  • Vulnerabilities::ManuallyCreateService
  • Vulnerabilities::AutoResolveService
  • Vulnerabilities::Removal::RemoveFromProjectService
  • Vulnerabilities::Findings::FindOrCreateFromSecurityFindingService
  • Vulnerabilities::Reads::UpsertService
  • Import::DirectReassignService (with special handling for Vulnerability models)

Impact

This implementation ensures the feature flag is always passed when creating or updating vulnerability reads, making the transition away from database triggers safer and more predictable.
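As an added illustration (not code from this MR or from GitLab), the helper-and-concern pattern described under Infrastructure modelled with an in-memory stand-in for the database connection: the transaction helper passes the flag as a transaction-scoped setting, and the concern refuses a write when that setting is absent. The setting name, the FeatureFlags module, FakeConnection, and the rule that the passed value is true only when every listed project has the flag on are assumptions.

```ruby
# Constructed stand-in for the feature flag service (assumption): flag on for these projects.
module FeatureFlags
  ENABLED_PROJECTS = [1, 2].freeze
  def self.enabled?(project_id); ENABLED_PROJECTS.include?(project_id); end
end

# Stand-in for the DB connection: a transaction-scoped setting, like a SET LOCAL the
# vulnerability_reads trigger would read, cleared when the outermost transaction ends.
class FakeConnection
  attr_reader :settings
  def initialize; @settings = {}; @depth = 0; end
  def set_local(key, value); @settings[key] = value; end
  def transaction
    @depth += 1
    yield
  ensure
    @depth -= 1
    @settings.clear if @depth.zero? # nested transactions keep the outer setting alive
  end
end

class SecApplicationRecord
  CONNECTION = FakeConnection.new
  FLAG_KEY = 'vulnerability_reads_db_trigger_disabled' # assumed setting name

  # Open the transaction and pass the flag before any write inside the block can run.
  def self.feature_flagged_transaction_for(projects)
    CONNECTION.transaction do
      pass_feature_flag_to_vuln_reads_db_trigger(projects)
      yield
    end
  end

  def self.db_trigger_flag_not_set?; !CONNECTION.settings.key?(FLAG_KEY); end

  # A single value reaches the trigger: 'true' only when every affected project has the flag on.
  def self.pass_feature_flag_to_vuln_reads_db_trigger(projects)
    CONNECTION.set_local(FLAG_KEY, projects.all? { |id| FeatureFlags.enabled?(id) }.to_s)
  end
end

# Stand-in for the EnforceVulnerabilityReadDbTriggerFf concern: refuse any write that
# would fire the trigger without the flag having been passed in this transaction.
module EnforceVulnerabilityReadDbTriggerFf
  def save!
    raise 'write outside feature_flagged_transaction_for' if SecApplicationRecord.db_trigger_flag_not_set?
    super
  end
end

class Vulnerability < SecApplicationRecord
  prepend EnforceVulnerabilityReadDbTriggerFf
  def initialize(project_id); @project_id = project_id; end
  def save!; :saved; end
end
```

A write such as `SecApplicationRecord.feature_flagged_transaction_for([1]) { Vulnerability.new(1).save! }` succeeds whatever the flag's value, because the value was passed; a bare `Vulnerability.new(1).save!` raises.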

Edited by Gregory Havenga
