Proper fix for vulnerability resolution
See Design Issue and parent Epic for details.
Implementation Plan
Each of these tasks can be a separate MR:
- [ ] Extend GraphQL `VulnerabilityType` to return `resolved_on_default_branch` (should be resolved in scope of #227113 (closed)).
- [ ] backend Create a `resolved_on_default_branch` column in the `vulnerabilities` table and set that value from the pipeline. We would probably need to default to `nil` to indicate the check has not been run yet. With this change, we would check the database value first, then calculate using the existing method.
- [ ] backend Remove the `resolved_on_default_branch` method from the `Vulnerability` model.
- [ ] backend Prepare a background migration to set the value as needed (you could use https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/database/migrations/background_migration_helpers.rb#L58).
- [ ] backend Extend `Security::StoreReportService` with logic that calculates whether a Vulnerability is `resolved_on_default_branch`: simply take all vulnerabilities that are not found in the report occurrences and set `resolved_on_default_branch` to true; remember to set `resolved_on_default_branch` back to false if the vulnerability is rediscovered. `Security::StoreReportService` is used only in `Security::StoreReportsService`, which is only used in `StoreSecurityReportsWorker`, which is scheduled in https://gitlab.com/gitlab-org/gitlab/blob/master/ee/app/models/ee/ci/pipeline.rb#L60 only if the pipeline is running on the default branch.
Edited by Mehmet Emin INAC