
Add `Mutations::SecurityFinding::CreateIssue` GraphQL mutation

What does this MR do and why?

Related issue: Create `Mutations::SecurityFinding::CreateIssue` (#361948 - closed)

Screenshots or screen recordings

These are strongly recommended to assist reviewers and reduce the time to merge your change.

How to set up and validate locally

Scenario 1: There is no report_finding for the security_finding.

  1. Start the rails console and enable the feature flag
rails c
Feature.enable(:deprecate_vulnerabilities_feedback)
  2. Create a new Security::Finding
security_finding = Security::Finding.last.dup
security_finding.uuid = SecureRandom.uuid
security_finding.save
  3. Check the Vulnerability count.
Vulnerability.count
   (10.4ms)  SELECT COUNT(*) FROM "vulnerabilities" /*application:console,db_config_name:main,line:(pry):1:in `__pry__'*/
=> 154
  4. Check the Issue count.
Issue.count
   (13.4ms)  SELECT COUNT(*) FROM "issues" /*application:console,db_config_name:main,line:(pry):2:in `__pry__'*/
=> 498
  5. Check the Vulnerabilities::IssueLink count.
Vulnerabilities::IssueLink.count
   (0.6ms)  SELECT COUNT(*) FROM "vulnerability_issue_links" /*application:console,db_config_name:main,line:(pry):34:in `__pry__'*/
=> 52
  6. Go to /-/graphql-explorer and add the query:
mutation securityFindingCreateIssue($input: SecurityFindingCreateIssueInput!) {
  securityFindingCreateIssue(input: $input) {
    issue{
      title
    }
    errors
  }
}
  7. Fill the input with the project gid and the UUID of the security_finding we created
{
  "input": {
    "project": "gid://gitlab/Project/24",
    "uuid": "6732cb09-0524-4747-8f0b-d485a65db02f"
  }
}

You should get a response like

{
  "data": {
    "securityFindingCreateIssue": {
      "issue": null,
      "errors": [
        "Report Finding not found"
      ]
    }
  }
}
  8. Check the Vulnerability count. It should not have increased.
Vulnerability.count
   (0.5ms)  SELECT COUNT(*) FROM "vulnerabilities" /*application:console,db_config_name:main,line:(pry):4:in `__pry__'*/
=> 154
  9. Check the Issue count. It should not have increased.
Issue.count
   (0.5ms)  SELECT COUNT(*) FROM "issues" /*application:console,db_config_name:main,line:(pry):5:in `__pry__'*/
=> 498
  10. Check the Vulnerabilities::IssueLink count. It should not have increased.
Vulnerabilities::IssueLink.count
   (0.6ms)  SELECT COUNT(*) FROM "vulnerability_issue_links" /*application:console,db_config_name:main,line:(pry):34:in `__pry__'*/
=> 52

Add vulnerability_findings

Follow the steps described here

Scenario 2: There is a vulnerability_finding and a vulnerability for the security_finding.

# Find the scan related to the pipeline which created the security_findings
scan = Security::Scan.where(pipeline_id: 750, scan_type: 'sast').last

# Pick a security_finding from that scan which already has a vulnerability_finding
# with a vulnerability attached, and print its UUID (used as the mutation input below)
Vulnerabilities::Finding.where.not(vulnerability_id: nil)
  .where(uuid: Security::Finding.where(scan_id: scan.id).map(&:uuid))
  .first.uuid
  1. Check the Vulnerability count.
Vulnerability.count
   (2.4ms)  SELECT COUNT(*) FROM "vulnerabilities" /*application:console,db_config_name:main,line:(pry):27:in `__pry__'*/
=> 298
  2. Check the Issue count.
Issue.count
   (13.4ms)  SELECT COUNT(*) FROM "issues" /*application:console,db_config_name:main,line:(pry):2:in `__pry__'*/
=> 498
  3. Check the Vulnerabilities::IssueLink count.
Vulnerabilities::IssueLink.count
   (0.6ms)  SELECT COUNT(*) FROM "vulnerability_issue_links" /*application:console,db_config_name:main,line:(pry):34:in `__pry__'*/
=> 52
  4. Go to /-/graphql-explorer and add the query:
mutation securityFindingCreateIssue($input: SecurityFindingCreateIssueInput!) {
  securityFindingCreateIssue(input: $input) {
    issue{
      title
    }
    errors
  }
}
  5. Fill the input with the project gid and the UUID of the security_finding we selected
{
  "input": {
    "project": "gid://gitlab/Project/24",
    "uuid": "f60b9049-6cc1-585c-ad65-6a36597071da"
  }
}
  6. Check the response
{
  "data": {
    "securityFindingCreateIssue": {
      "issue": {
        "title": "Investigate vulnerability: Hardcoded constant database password",
        "type": "ISSUE",
        "severity": "UNKNOWN",
        "state": "opened"
      },
      "errors": []
    }
  }
}
  7. Check the Vulnerability count. It shouldn't have increased
[31] pry(main)> Vulnerability.count
   (0.5ms)  SELECT COUNT(*) FROM "vulnerabilities" /*application:console,db_config_name:main,line:(pry):31:in `__pry__'*/
=> 298
  8. Check the Issue count. It should have increased by 1
[32] pry(main)> Issue.count
   (0.7ms)  SELECT COUNT(*) FROM "issues" /*application:console,db_config_name:main,line:(pry):32:in `__pry__'*/
=> 499
  9. Check the Vulnerabilities::IssueLink count. It should have increased by 1
[34] pry(main)> Vulnerabilities::IssueLink.count
   (0.6ms)  SELECT COUNT(*) FROM "vulnerability_issue_links" /*application:console,db_config_name:main,line:(pry):34:in `__pry__'*/
=> 53

Scenario 3: There is an issue_link for the security_finding.

  1. Check the Vulnerability count.
Vulnerability.count
   (2.4ms)  SELECT COUNT(*) FROM "vulnerabilities" /*application:console,db_config_name:main,line:(pry):27:in `__pry__'*/
=> 298
  2. Check the Issue count.
Issue.count
   (13.4ms)  SELECT COUNT(*) FROM "issues" /*application:console,db_config_name:main,line:(pry):2:in `__pry__'*/
=> 498
  3. Check the Vulnerabilities::IssueLink count.
Vulnerabilities::IssueLink.count
   (0.6ms)  SELECT COUNT(*) FROM "vulnerability_issue_links" /*application:console,db_config_name:main,line:(pry):34:in `__pry__'*/
=> 52
  4. Go to /-/graphql-explorer and add the query:
mutation securityFindingCreateIssue($input: SecurityFindingCreateIssueInput!) {
  securityFindingCreateIssue(input: $input) {
    issue{
      title
    }
    errors
  }
}
  5. Fill the input with the project gid and the same security_finding UUID used in scenario 2
{
  "input": {
    "project": "gid://gitlab/Project/24",
    "uuid": "f60b9049-6cc1-585c-ad65-6a36597071da"
  }
}
  6. Check the response
{
  "data": {
    "securityFindingCreateIssue": {
      "issue": null,
      "errors": [
        "Vulnerability already has a \"created\" issue link"
      ]
    }
  }
}
  7. Check the Vulnerability count. It shouldn't have increased
[31] pry(main)> Vulnerability.count
   (0.5ms)  SELECT COUNT(*) FROM "vulnerabilities" /*application:console,db_config_name:main,line:(pry):31:in `__pry__'*/
=> 298
  8. Check the Issue count. It shouldn't have increased
[32] pry(main)> Issue.count
   (0.7ms)  SELECT COUNT(*) FROM "issues" /*application:console,db_config_name:main,line:(pry):32:in `__pry__'*/
=> 499
  9. Check the Vulnerabilities::IssueLink count. It shouldn't have increased
[34] pry(main)> Vulnerabilities::IssueLink.count
   (0.6ms)  SELECT COUNT(*) FROM "vulnerability_issue_links" /*application:console,db_config_name:main,line:(pry):34:in `__pry__'*/
=> 53
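The three scenarios above share one set of invariants: a missing report finding or an existing "created" issue link must return an error and write nothing, and the success path must add exactly one Issue and one Vulnerabilities::IssueLink without adding a Vulnerability. The following stand-alone Ruby model walks those three calls in order and records the counts after each, so the expected deltas can be checked mechanically. It is example code added to this description, not the MR's implementation: the in-memory store, the record structs and the method names are assumptions, and only the branches the scenarios exercise are modelled (a report finding without a vulnerability is not covered here).

```ruby
require 'securerandom'

# Constructed in-memory stand-in for the tables the scenarios count.
# Record shapes and method names are assumptions for illustration, not GitLab's models.
class FindingStore
  Report        = Struct.new(:uuid, :name, :vulnerability_id, keyword_init: true)
  Vulnerability = Struct.new(:id, :title, keyword_init: true)
  Issue         = Struct.new(:id, :title, keyword_init: true)
  IssueLink     = Struct.new(:vulnerability_id, :issue_id, :link_type, keyword_init: true)

  def initialize
    @report_findings = {}  # uuid => Report (stand-in for the report_finding lookup)
    @vulnerabilities = []
    @issues = []
    @issue_links = []
  end

  def add_vulnerability(title:)
    Vulnerability.new(id: @vulnerabilities.size + 1, title: title).tap { |v| @vulnerabilities << v }
  end

  # In this model every report finding already carries a vulnerability_id (scenario 2 setup).
  def add_report_finding(uuid:, name:, vulnerability_id:)
    @report_findings[uuid] = Report.new(uuid: uuid, name: name, vulnerability_id: vulnerability_id)
  end

  # Mirrors the three outcomes exercised by the description:
  #   scenario 1: no report finding for the uuid       -> error, nothing written
  #   scenario 2: vulnerability with no issue link     -> issue + "created" link, no new vulnerability
  #   scenario 3: vulnerability already linked         -> error, nothing written
  def create_issue(uuid:)
    report = @report_findings[uuid]
    return { issue: nil, errors: ['Report Finding not found'] } unless report

    vulnerability = @vulnerabilities.find { |v| v.id == report.vulnerability_id }
    already_linked = @issue_links.any? do |link|
      link.vulnerability_id == vulnerability.id && link.link_type == 'created'
    end
    if already_linked
      return { issue: nil, errors: ['Vulnerability already has a "created" issue link'] }
    end

    issue = Issue.new(id: @issues.size + 1, title: "Investigate vulnerability: #{vulnerability.title}")
    @issues << issue
    @issue_links << IssueLink.new(vulnerability_id: vulnerability.id, issue_id: issue.id, link_type: 'created')
    { issue: issue, errors: [] }
  end

  # The three counts the validation steps read back after each call.
  def counts
    { vulnerabilities: @vulnerabilities.size, issues: @issues.size, issue_links: @issue_links.size }
  end
end

# Runs scenarios 1..3 in order and returns every response together with the counts around it.
def run_scenarios
  store = FindingStore.new
  vuln = store.add_vulnerability(title: 'Hardcoded constant database password')
  linked_uuid = 'f60b9049-6cc1-585c-ad65-6a36597071da'  # constructed: reuses the description's scenario 2 value
  store.add_report_finding(uuid: linked_uuid, name: vuln.title, vulnerability_id: vuln.id)
  trace = { before: store.counts }

  trace[:r1] = store.create_issue(uuid: SecureRandom.uuid)  # scenario 1: uuid with no report finding
  trace[:after1] = store.counts
  trace[:r2] = store.create_issue(uuid: linked_uuid)        # scenario 2: first issue for the vulnerability
  trace[:after2] = store.counts
  trace[:r3] = store.create_issue(uuid: linked_uuid)        # scenario 3: same uuid again, link already exists
  trace[:after3] = store.counts
  trace
end

if __FILE__ == $PROGRAM_NAME
  run_scenarios.each { |step, value| puts "#{step}: #{value.inspect}" }
end
```

The useful property to carry into a real test is the count comparison rather than the absolute numbers: the description's scenario 3 baseline repeats scenario 2's counts, so asserting "after == before" on the error paths and "+1 issue, +1 link, +0 vulnerabilities" on the success path is what catches a regression.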

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Marcos Rocha
