Resolve "Vulnerabilities must have report_type attribute"
What does this MR do?
Adds the `report_type` attribute for the newly added Vulnerability model and resolves #34431 (closed). Initially, it was decided not to link the Vulnerability to the concept of the `report_type`. But gradually, it has been realized that all Findings that belong to a single specific Vulnerability are reported by an analyzer of a certain report type, and it's unlikely that a Vulnerability will refer to Findings reported by multiple analyzers.

See more on Vulnerabilities and Findings in the terminology glossary. Briefly, a Finding (called Occurrence before) represents a particular location in the analyzed project's source code, configuration, or dependencies where the vulnerability is located. For a long time, it was the only entity related to the detection of vulnerabilities. But later on, the idea came up to introduce Vulnerabilities as first-class objects that can be referred to by a unique URL link and managed like an Issue or Epic (have discussion threads, open/closed state, etc.).

In the MVC version of First-class Vulnerabilities the functionality of Vulnerabilities is pretty narrow, and the full list of initially supported API operations is listed here.
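The invariant this MR relies on (every Finding attached to one Vulnerability comes from an analyzer of a single report type, so the Vulnerability can carry that `report_type` itself) can be enforced at the model level. The following is an added plain-Ruby illustration, not GitLab's own models or migration: the `Finding` and `Vulnerability` classes, the `REPORT_TYPES` list and the `from_findings` backfill helper are assumptions made for this example.

```ruby
# Added example: enforce that a Vulnerability's report_type agrees with every
# Finding linked to it. Plain Ruby, independent of Rails/ActiveRecord.
require 'set'

# Assumed set of analyzer report types for the example.
REPORT_TYPES = %w[sast dependency_scanning container_scanning dast].freeze

class ReportTypeMismatch < StandardError; end

# A Finding is one location where a vulnerability was detected, plus the
# report type of the analyzer that produced it.
Finding = Struct.new(:location, :report_type) do
  def initialize(location, report_type)
    unless REPORT_TYPES.include?(report_type)
      raise ArgumentError, "unknown report_type: #{report_type.inspect}"
    end
    super
  end
end

class Vulnerability
  attr_reader :title, :report_type, :findings

  def initialize(title:, report_type:)
    unless REPORT_TYPES.include?(report_type)
      raise ArgumentError, "unknown report_type: #{report_type.inspect}"
    end
    @title = title
    @report_type = report_type
    @findings = []
  end

  # Linking a Finding is only allowed when its analyzer's report type matches
  # the Vulnerability's report_type; anything else is rejected.
  def add_finding(finding)
    if finding.report_type != report_type
      raise ReportTypeMismatch,
            "finding #{finding.location} is #{finding.report_type}, " \
            "vulnerability is #{report_type}"
    end
    @findings << finding
    self
  end

  # Derive report_type from a group of existing Findings (e.g. when creating
  # Vulnerabilities out of Findings that already exist). Refuses groups that
  # span more than one report type, since that violates the invariant.
  def self.from_findings(title:, findings:)
    types = findings.map(&:report_type).to_set
    if types.size != 1
      raise ReportTypeMismatch, "findings span #{types.to_a.sort.inspect}"
    end
    vuln = new(title: title, report_type: types.first)
    findings.each { |f| vuln.add_finding(f) }
    vuln
  end

  # True when every linked Finding shares the Vulnerability's report_type.
  def consistent?
    findings.all? { |f| f.report_type == report_type }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data for a stand-alone run.
  sast = [Finding.new('app/models/user.rb:42', 'sast'),
          Finding.new('app/controllers/users_controller.rb:10', 'sast')]
  v = Vulnerability.from_findings(title: 'SQL injection', findings: sast)
  puts "#{v.title}: report_type=#{v.report_type}, consistent=#{v.consistent?}"
  begin
    v.add_finding(Finding.new('Gemfile.lock', 'dependency_scanning'))
  rescue ReportTypeMismatch => e
    puts "rejected: #{e.message}"
  end
end
```

`from_findings` models the backfill case: if Findings are grouped into a Vulnerability after the fact, the group must already be homogeneous in report type, otherwise the `report_type` column would have no single correct value.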
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- Documentation created/updated or follow-up review issue created (because it's an MVC hidden behind the feature flag, the docs are added to the MR with docs' stubs that will be published later)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- [-] Tested in all supported browsers
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- [-] Label as security and @ mention @gitlab-com/gl-security/appsec
- [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- [-] Security reports checked/validated by a reviewer from the AppSec team