Give Developers the ability to create Issues from Vulnerabilities

What does this MR do and why?

This change gives Developer+ roles the ability to create an Issue from a Vulnerability, which is currently only available to Maintainer+.

#457981 (closed)

Below is a visual representation of the call stack for the Mutation.securityFindingCreateIssue mutation. This mutation invokes multiple service objects, each of which authorizes against a different permission.

Mutations::Security::Finding::CreateIssue
  --> Vulnerabilities::SecurityFinding::CreateIssueService
    --> Vulnerabilities::FindOrCreateFromSecurityFindingService
      --> Vulnerabilities::CreateService
        --> Statistics::UpdateService
        --> SystemNoteService
          --> ::SystemNotes::VulnerabilitiesService
      --> Vulnerabilities::Findings::FindOrCreateFromSecurityFindingService
    --> Issues::CreateFromVulnerabilityService
      --> Issues::CreateService
    --> VulnerabilityIssueLinks::CreateService

I have done my best to align the permissions across these services to allow a Developer to create an issue. Below is a table of the permission check for each service object before and after this change.

Service                                                                 Before                            After
Mutations::Security::Finding::CreateIssue                               :admin_vulnerability              :read_security_resource
--> Vulnerabilities::SecurityFinding::CreateIssueService                :read_security_resource           :read_security_resource
--> Vulnerabilities::FindOrCreateFromSecurityFindingService             :admin_vulnerability              :read_security_resource
--> Vulnerabilities::CreateService                                      :admin_vulnerability              :read_security_resource
--> Statistics::UpdateService
--> SystemNoteService
--> SystemNotes::VulnerabilitiesService
--> Vulnerabilities::Findings::FindOrCreateFromSecurityFindingService
--> Issues::CreateFromVulnerabilityService                              :create_issue                     :create_issue
--> Issues::CreateService                                               :create_issue                     :create_issue
--> VulnerabilityIssueLinks::CreateService                              :admin_vulnerability_issue_link   :admin_vulnerability_issue_link

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots (images not reproduced here):
  Before: Pipeline Security Tab, Vulnerability Page, Merge Request Widget
  After: Pipeline Security Tab, Vulnerability Page, Merge Request Widget

How to set up and validate locally

  1. Log in as a Developer.
  2. Visit any vulnerability report, such as http://gdk.test:3000/groups/flightjs/-/security/vulnerabilities
  3. Click on a Vulnerability link.
  4. Verify that the Create issue button is enabled.
  5. Visit a merge request that introduces a vulnerable dependency.
  6. Expand the Security scanning detected ... widget.
  7. Click on a Vulnerability.
  8. Verify that the Create issue button is enabled.
  9. Click on the Pipelines tab.
  10. Click on the latest pipeline.
  11. Click on the Security tab.
  12. Verify that the Create issue icon appears for each row in the vulnerability list.
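The permission table above makes a point that is easy to miss when reviewing authorization changes: when nested service objects each run their own `can?` check, the effective requirement for the caller is the union of every ability checked along the path, so relaxing only the top-level mutation does not grant the action. The Ruby below is an added illustration written for this page, not GitLab's code or its DeclarativePolicy layer. It reuses the service names and permission symbols from the table, but the role-to-ability grants (`admin_vulnerability` for Maintainer only, the other three for Developer and up), the `Service` stand-in and the `attempt`/`required_abilities` helpers are assumptions made for the example.

```ruby
# Added example (not GitLab code): a chain of service objects that each
# authorize one ability, showing that the strictest check in the chain wins.
# Role -> ability grants are assumptions chosen to match the MR description:
# :admin_vulnerability is Maintainer+, the other abilities are Developer+.
ABILITIES = {
  developer:  %i[read_security_resource create_issue admin_vulnerability_issue_link],
  maintainer: %i[read_security_resource create_issue admin_vulnerability_issue_link admin_vulnerability]
}.freeze

User = Struct.new(:name, :role) do
  def can?(ability)
    ABILITIES.fetch(role).include?(ability)
  end
end

class AccessDenied < StandardError; end

# Minimal stand-in for a service object: authorize one ability (or none),
# record that it ran, then delegate to nested services.
class Service
  attr_reader :name, :ability, :children

  def initialize(name, ability = nil, children = [])
    @name, @ability, @children = name, ability, children
  end

  def execute(user, trace)
    if ability && !user.can?(ability)
      raise AccessDenied, "#{name} denied #{user.name}: requires #{ability}"
    end
    trace << name
    children.each { |child| child.execute(user, trace) }
  end
end

# The call stack from the MR description. The two parameters are the checks
# the MR changed; services with no ability perform no authorization of their own.
def build_chain(mutation_ability:, create_service_ability:)
  Service.new('Mutations::Security::Finding::CreateIssue', mutation_ability, [
    Service.new('Vulnerabilities::SecurityFinding::CreateIssueService', :read_security_resource, [
      Service.new('Vulnerabilities::FindOrCreateFromSecurityFindingService', create_service_ability, [
        Service.new('Vulnerabilities::CreateService', create_service_ability, [
          Service.new('Statistics::UpdateService'),
          Service.new('SystemNoteService', nil, [Service.new('SystemNotes::VulnerabilitiesService')])
        ]),
        Service.new('Vulnerabilities::Findings::FindOrCreateFromSecurityFindingService')
      ]),
      Service.new('Issues::CreateFromVulnerabilityService', :create_issue, [
        Service.new('Issues::CreateService', :create_issue)
      ]),
      Service.new('VulnerabilityIssueLinks::CreateService', :admin_vulnerability_issue_link)
    ])
  ])
end

BEFORE  = build_chain(mutation_ability: :admin_vulnerability,   create_service_ability: :admin_vulnerability)
# A partial fix that only relaxes the mutation: the deep services still deny Developers.
PARTIAL = build_chain(mutation_ability: :read_security_resource, create_service_ability: :admin_vulnerability)
AFTER   = build_chain(mutation_ability: :read_security_resource, create_service_ability: :read_security_resource)

# Runs the chain for a user; returns [:ok, services_executed] or [:denied, reason].
def attempt(chain, user)
  trace = []
  chain.execute(user, trace)
  [:ok, trace]
rescue AccessDenied => e
  [:denied, e.message]
end

# Every ability a caller must hold to get through the whole chain.
def required_abilities(chain)
  ([chain.ability] + chain.children.flat_map { |c| required_abilities(c) }).compact.uniq
end

if __FILE__ == $PROGRAM_NAME
  dev = User.new('dev', :developer)
  p attempt(BEFORE, dev)          # denied at the mutation itself
  p attempt(PARTIAL, dev)         # denied deeper, inside FindOrCreateFromSecurityFindingService
  p attempt(AFTER, dev).first     # :ok
  p required_abilities(AFTER)
end
```

The `PARTIAL` chain is the case a reviewer should probe: the GraphQL layer says yes, but a `can?` several frames down says no, so the user sees a failure that looks like a bug rather than an authorization decision. `required_abilities` is the check worth running on any such chain after a permission change, since it lists the full set a role must hold rather than only the entry-point check.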
Edited by mo khan
