Use merge request links on pipeline security tab
What does this MR do and why?
As part of the vulnerability feedback deprecation, we are switching from using the merge_request_feedback property in the finding to the merge_request_links property. This MR does the switch for the findings in the pipeline security tab. The property is used to control whether the "Resolve with merge request" button is shown in the finding modal, and if there's a merge request, the merge request note:
| Old/new property | Resolve with MR button | Merge request note |
|---|---|---|
 |
 |
 |
How to set up and validate locally
- This is behind the feature flag
deprecate_vulnerabilities_feedback, but don't enable it yet. - Clone https://gitlab.com/svedova/test-remediations-v2 and run a pipeline against the main branch.
- Go to the pipeline's security tab. You should see 2 vulnerabilities. Click on one of them to open the modal.
- This is where it gets a bit tricky. Both the old and new properties are in the finding and they mirror each other, so doing something to one will also update the other. This means that the code could be using the wrong property but still work. The best way I can think of to verify that the correct property is being used, is to manually modify the property and see if the UI responds:
Numbered steps to set up and validate the change are strongly suggested.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Related to #390071 (closed)
Edited by Daniel Tian