Engineering DRIs: - @subashis (~backend) - @dftian (~frontend) ## Why are we doing this work `Vulnerabilities::Feedback` model has lots of design issues and we want to use more specific models instead of a generic one. This refactor also has a performance benefit on the vulnerability report displayed in the pipeline security tab because there will be one less join in the query. ### Release timeline This is a complex project with many issues, data migrations and cross-project dependencies. Therefore we are unable to release it within a single milestone. Our feature flag rollout issue has a timeline for when we plan to release the feedback deprecation and MR V2 work for gitlab.com and self-managed instances. [Release timeframe](https://gitlab.com/gitlab-org/gitlab/-/issues/361797#when-is-the-feature-viable) ## Special note This epic is blocked by this issue: https://gitlab.com/gitlab-org/gitlab/-/issues/390281+, part of our effort to create a new version of the MR Security Widget (aka "V2"). While we can deprecate feedback usage on the vulnerability details page and the pipeline security tab, the finding data used by the MR security widget is cached, and the widget currently calls a separate `vulnerability_feedback` endpoint to get fresh data for the finding's status. We can't use the cached data (which can be up to 10 minutes out of date), and we don't have a replacement endpoint that doesn't use the feedback object until #390281 is complete, so this will block the epic from being completed until that work is done first. ## Relevant links - [Discussion in spike issue](https://gitlab.com/gitlab-org/gitlab/-/issues/225590#note_407303028) - [Discussion in issue regarding comments on Vulnerability state changes](https://gitlab.com/gitlab-org/gitlab/-/issues/323129) - https://gitlab.com/groups/gitlab-org/-/epics/9552+ ## Non-functional requirements - [ ] Documentation: https://docs.google.com/document/d/1se3qnTH3bOuL9j-A4Kyu_au6eZlzU1zuvGzbOUj_fAw/preview - [ ] Feature flag: `deprecate_vulnerabilities_feedback`