Use security_findings for security MR widget report comparison
Background context
We had an epic to move away from using report artifacts for vulnerability finding comparisons. That epic is complete, and the pertinent information is now available in the `finding_data` `jsonb` column on the `security_findings` table.
This issue
The security MR widget is one feature that relied on the original technique of using report artifacts for comparisons. As such, it can now be migrated to using the new `finding_data` column.
The way this widget currently works is:
- Builds a `Ci::CompareSecurityReportsService` comparer service to compare a report generated from the MR's latest pipeline to the report generated from the default branch
  - This service uses `Security::PipelineVulnerabilitiesFinder` to build the reports for comparison (it is named a finder, but returns `Security::AggregatedReport` objects)
    - This finder finds all the findings via report artifacts (the logic we want to migrate away from)
    - Then sorts these findings by `severity`
    - Then uses these findings to return a `Security::AggregatedReport`
Implementation Plan
- Extend widget polling until the `Security::Stor...` (#457851, Michael Becker, Backlog)
- We can use `Security::FindingsFinder` to fetch the findings from the new database table
  - This finder returns the findings, not a `Security::AggregatedReport`
  - The value from this finder is paginated and scoped to 20 by default; we will need all the results to match the current behavior
  - The existing behavior is scoped to `all`, which includes `dismissed` findings. This is not an issue, as `Security::FindingsFinder` can also take a `scope: 'all'` option
- Verify the Vulnerability creation from Security Reports docs are still accurate
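To make the two caveats above concrete (the comparison needs the complete finding set, and it must include dismissed findings), here is an added Ruby sketch of the widget comparison on constructed data. It is not GitLab code: `Finding`, `fetch_findings`, `compare_findings` and `widget_report` are hypothetical stand-ins for `Security::FindingsFinder` and `Ci::CompareSecurityReportsService`, and the 20-per-page default and the `scope: 'all'` option are modelled after the description in this issue rather than the real API.

```ruby
require 'set'

# Severity ordering used to sort comparison results, mirroring the
# "sorts these findings by severity" step described in the issue.
SEVERITY_ORDER = %w[critical high medium low info unknown].freeze

# Hypothetical stand-in for a security finding row; only the fields the
# comparison needs.
Finding = Struct.new(:uuid, :severity, :state, keyword_init: true)

# Constructed filler findings so that each side exceeds one page of 20.
def pad_findings(count)
  (1..count).map { |i| Finding.new(uuid: format('pad-%02d', i), severity: 'info', state: 'detected') }
end

# Constructed sample data: default branch ("base") and MR pipeline ("head").
# b3 is fixed in head, h4 is newly introduced, b2 is dismissed on both sides.
BASE_FINDINGS = pad_findings(22) + [
  Finding.new(uuid: 'b1', severity: 'critical', state: 'detected'),
  Finding.new(uuid: 'b2', severity: 'medium',   state: 'dismissed'),
  Finding.new(uuid: 'b3', severity: 'low',      state: 'detected')
]

HEAD_FINDINGS = pad_findings(22) + [
  Finding.new(uuid: 'b1', severity: 'critical', state: 'detected'),
  Finding.new(uuid: 'b2', severity: 'medium',   state: 'dismissed'),
  Finding.new(uuid: 'h4', severity: 'high',     state: 'detected')
]

# Hypothetical finder: pages to `per_page` records unless `all: true`, and
# drops dismissed findings unless scope is 'all' (a simplification of the
# `scope:` option mentioned in the issue).
def fetch_findings(findings, scope: 'all', all: false, per_page: 20)
  scoped = scope == 'all' ? findings : findings.reject { |f| f.state == 'dismissed' }
  all ? scoped : scoped.first(per_page)
end

def sort_by_severity(findings)
  findings.sort_by { |f| [SEVERITY_ORDER.index(f.severity) || SEVERITY_ORDER.size, f.uuid] }
end

# Diff head against base by uuid: added (head only), fixed (base only),
# existing (both). Each list is sorted by severity like the widget output.
def compare_findings(base, head)
  base_ids = base.map(&:uuid).to_set
  head_ids = head.map(&:uuid).to_set
  {
    added:    sort_by_severity(head.reject { |f| base_ids.include?(f.uuid) }),
    fixed:    sort_by_severity(base.reject { |f| head_ids.include?(f.uuid) }),
    existing: sort_by_severity(head.select { |f| base_ids.include?(f.uuid) })
  }
end

# Runs the comparison either on the complete sets (what the widget needs)
# or on the first page only (what a default paginated finder would return).
def widget_report(all:)
  base = fetch_findings(BASE_FINDINGS, all: all)
  head = fetch_findings(HEAD_FINDINGS, all: all)
  compare_findings(base, head)
end

if __FILE__ == $PROGRAM_NAME
  full = widget_report(all: true)
  puts "complete:  added=#{full[:added].map(&:uuid)} fixed=#{full[:fixed].map(&:uuid)}"
  paged = widget_report(all: false)
  puts "paginated: added=#{paged[:added].map(&:uuid)} fixed=#{paged[:fixed].map(&:uuid)}"
end
```

With the complete sets the report correctly lists `h4` as added and `b3` as fixed; with only the first page of each side, both the new high finding and the fixed one fall outside the page and the widget would report no change at all, which is the silent failure the "we will need all the results" note guards against.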
Testing
- Make sure `e2e:package-and-test` is run in the MR and review results.
Verification steps
tbd
Edited by Michael Becker