Add service to set vulnerability findings due dates (!227665) · Merge requests · GitLab.org / GitLab

What does this MR do and why?

Adds support for bulk setting due dates on vulnerability findings.

Introduces BulkSetDueDatesService, which handles authorization, validation, batching, and conflict resolution (last write wins). It supports creating, updating, and deleting due dates (due_date: nil) and uses upsert_all for efficient persistence.

Enforces a maximum of n findings per request, ensures all findings belong to the same project, and validates input structure and due date format. Only payload size limiting is enforced (no request rate limiting).

Adds feature flag vulnerability_finding_set_due_dates_api (disabled by default) and a by_finding_ids scope for efficient bulk deletion.

Query

Delete https://console.postgres.ai/gitlab/gitlab-production-sec/sessions/49999/commands/148594

Click to expand

DELETE FROM "vulnerability_finding_due_dates"
WHERE "vulnerability_finding_due_dates"."vulnerability_occurrence_id" IN (
  1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20,
  21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38,
  39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56,
  57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74,
  75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92,
  93, 94, 95, 96, 97, 98, 99, 100
)

Upsert: https://console.postgres.ai/gitlab/gitlab-production-sec/sessions/49999/commands/148596

Note: The vulnerability_occurrence_id in this query are retreived trough subquery

Click to expand

INSERT INTO "vulnerability_finding_due_dates"
("vulnerability_occurrence_id","project_id","due_date","created_at","updated_at")
VALUES
(1184, 77, '2026-03-30', '2026-03-20 17:55:54.045140', '2026-03-20 17:55:54.045140')
ON CONFLICT ("vulnerability_occurrence_id")
DO UPDATE SET
  due_date = EXCLUDED.due_date,
  updated_at = EXCLUDED.updated_at
WHERE vulnerability_finding_due_dates.due_date IS DISTINCT FROM EXCLUDED.due_date
RETURNING "id";

References

Issue: https://gitlab.com/gitlab-org/gitlab/-/work_items/592224+

Data model: Add vulnerability_finding_due_dates table to st... (!226308 - merged)

Screenshots or screen recordings

See !228083 (merged).

How to set up and validate locally

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited Mar 30, 2026 by Ugo Nnanna Okeadu

Add service to set vulnerability findings due dates