Rename Vulnerabilities to Findings in Groups security routes
What does this MR do?
This MR adds to the step "Rename existing Vulnerabilities API to Vulnerability Findings API" of "First-class vulnerabilities backend MVC implementation" for the Groups routes that power the Group Security Dashboard.
This change reflects a major shift in what will now be called `Vulnerabilities`. Previously, the routes and API endpoints used the term `vulnerabilities` when the deal was about `Vulnerability::Occurrence` manipulation. The assumed relationship was `1-1`, so the `Occurrences` were `Vulnerabilities`. The First-class Vulnerabilities feature introduces a new separate entity, `Vulnerability`, as an epic-like object which groups separate `Occurrences` of it. The `Occurrences` get a new name: `Findings`. And the relationship between `Vulnerability` and `Findings` is `1-*`. See more on terminology here.
That is why we're changing our APIs (both external and internal) to use the `vulnerabilities` term only when they are really working with `Vulnerabilities`. Otherwise, we rename them to use the `vulnerability_findings` term. But because we have to cover this change with a feature flag, we have to support both APIs and toggle the behavior inside of them.
Both old and new routes will be present in the routes table, since it's generated upon app initialization and gets preloaded by the webserver. Thus, routing is difficult to change at runtime when the feature flag is switched. That's why we manipulate the routing at the controller level. It's similar to how it's implemented for the Vulnerability Findings REST API.
Does this MR meet the acceptance criteria?
Conformity
- [-] Changelog entry
- [-] Documentation created/updated or follow-up review issue created
- Code review guidelines
- [-] Merge request performance guidelines
- Style guides
- [-] Database guides
- Separation of EE specific content
Performance and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- [-] Tested in all supported browsers
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- [-] Label as security and @ mention `@gitlab-com/gl-security/appsec`
- [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- [-] Security reports checked/validated by a reviewer from the AppSec team
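
The controller-level toggle described under "What does this MR do?", sketched as an added example that is not code from this MR or from GitLab. The paths, the flag name, the class names and the exact response of each route under each flag state are assumptions made for illustration.

```ruby
# Added illustration: every name here is hypothetical, none is GitLab code.

# Constructed stand-in for a feature-flag store that can change at runtime.
class FlagStore
  def initialize
    @enabled = {}
  end

  def enable(name)
    @enabled[name] = true
  end

  def enabled?(name)
    @enabled.fetch(name, false)
  end
end

# Built once at boot and frozen, like a preloaded route set: both the old and
# the new path are always routable, whatever the flag says later.
ROUTES = {
  '/security/vulnerabilities'        => :vulnerabilities,
  '/security/vulnerability_findings' => :vulnerability_findings
}.freeze

class SecurityController
  FLAG = :first_class_vulnerabilities # hypothetical flag name

  def initialize(flags)
    @flags = flags
  end

  # Returns [status, entity]. The flag is read on every request, so flipping
  # it changes behaviour without touching ROUTES.
  def handle(path)
    action = ROUTES[path]
    return [404, nil] if action.nil?

    if @flags.enabled?(FLAG)
      # New terminology: each route serves the entity it is named after.
      action == :vulnerabilities ? [200, :vulnerability] : [200, :finding]
    else
      # Old terminology (assumed): the old route serves findings and the
      # new route, although routable, answers 404.
      action == :vulnerabilities ? [200, :finding] : [404, nil]
    end
  end
end
```

Because the gate lives in the controller, a test suite should exercise every route under both flag states, so that neither path returns the wrong entity type to a client after the flag is switched.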