Remove vulnerability_special_references feature flag

This change removes feature flag for vulnerability special references

doc/user/markdown.md

@@ -431,7 +431,7 @@ GFM recognizes the following:
 | merge request                   | `!123`                     | `namespace/project!123`                 | `project!123`                  |
 | snippet                         | `$123`                     | `namespace/project$123`                 | `project$123`                  |
 | epic **(ULTIMATE)**             | `&123`                     | `group1/subgroup&123`                   |                                |
-| vulnerability **(ULTIMATE)** *(1)* | `[vulnerability:123]`   | `[vulnerability:namespace/project/123]` | `[vulnerability:project/123]`  |
+| vulnerability **(ULTIMATE)**    | `[vulnerability:123]`      | `[vulnerability:namespace/project/123]` | `[vulnerability:project/123]`  |
 | label by ID                     | `~123`                     | `namespace/project~123`                 | `project~123`                  |
 | one-word label by name          | `~bug`                     | `namespace/project~bug`                 | `project~bug`                  |
 | multi-word label by name        | `~"feature request"`       | `namespace/project~"feature request"`   | `project~"feature request"`    |
@@ -445,26 +445,6 @@ GFM recognizes the following:
 | repository file line references | `[README](doc/README#L13)` |                                         |                                |
 | [alert](../operations/incident_management/alerts.md) | `^alert#123` | `namespace/project^alert#123`    | `project^alert#123`            |
 
-1. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/281035) in GitLab 13.6.
-
-    The Vulnerability special references feature is under development but ready for production use.
-    It is deployed behind a feature flag that is **disabled by default**.
-    [GitLab administrators with access to the GitLab Rails console](../administration/feature_flags.md)
-    can opt to enable it for your instance.
-    It's disabled on GitLab.com.
-
-    To disable it:
-
-    ```ruby
-    Feature.disable(:vulnerability_special_references)
-    ```
-
-    To enable it:
-
-    ```ruby
-    Feature.enable(:vulnerability_special_references)
-    ```
-
 For example, referencing an issue by using `#123` will format the output as a link
 to issue number 123 with text `#123`. Likewise, a link to issue number 123 will be
 recognized and formatted with text `#123`.

ee/app/helpers/ee/application_helper.rb

@@ -96,7 +96,7 @@ module EE
     def autocomplete_data_sources(object, noteable_type)
       return {} unless object && noteable_type
 
-      enabled_for_vulnerabilities = object.feature_available?(:security_dashboard) && ::Feature.enabled?(:vulnerability_special_references, object)
+      enabled_for_vulnerabilities = object.feature_available?(:security_dashboard)
 
       if object.is_a?(Group)
         {

ee/changelogs/unreleased/287628-remove-vulnerability_special_references-feature-flag.yml

+---
+title: Remove vulnerability_special_references feature flag
+merge_request: 49131
+author:
+type: removed

ee/config/feature_flags/development/vulnerability_special_references.yml

----
-name: vulnerability_special_references
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/47292
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/281035
-milestone: '13.6'
-type: development
-group: group::threat insights
-default_enabled: false

ee/lib/ee/banzai/filter/vulnerability_reference_filter.rb

@@ -45,7 +45,7 @@ module EE
         end
 
         def parent_records(parent, ids)
-          return ::Vulnerability.none if ids.blank? || parent.nil? || ::Feature.disabled?(:vulnerability_special_references, parent)
+          return ::Vulnerability.none if ids.blank? || parent.nil?
 
           parent.vulnerabilities.id_in(ids.to_a)
         end

ee/spec/lib/banzai/filter/vulnerability_reference_filters_spec.rb

@@ -19,191 +19,169 @@ RSpec.describe Banzai::Filter::VulnerabilityReferenceFilter do
     reference_filter(reference, context)
   end
 
-  context 'when vulnerability_special_references feature is disabled' do
+  context 'internal reference' do
     let(:reference) { "[vulnerability:#{vulnerability.id}]" }
 
-    before do
-      stub_feature_flags(vulnerability_special_references: false)
-    end
-
-    it 'does not link to a reference' do
-      expect(doc.css('a')).to be_empty
+    it 'links to a valid reference' do
+      expect(doc.css('a').first.attr('href')).to eq(urls.project_security_vulnerability_url(project, vulnerability))
     end
 
-    it 'leaves the adjacent text' do
+    it 'links with adjacent text' do
       expect(doc.text).to eq("Check #{reference}")
     end
-  end
 
-  context 'when vulnerability_special_references feature is enabled' do
-    before do
-      stub_feature_flags(vulnerability_special_references: true)
+    it 'includes a title attribute' do
+      expect(doc.css('a').first.attr('title')).to eq(vulnerability.title)
     end
 
-    context 'internal reference' do
-      let(:reference) { "[vulnerability:#{vulnerability.id}]" }
-
-      it 'links to a valid reference' do
-        expect(doc.css('a').first.attr('href')).to eq(urls.project_security_vulnerability_url(project, vulnerability))
-      end
+    it 'escapes the title attribute' do
+      vulnerability.update_column(:title, %{"></a>whatever<a title="})
 
-      it 'links with adjacent text' do
-        expect(doc.text).to eq("Check #{reference}")
-      end
-
-      it 'includes a title attribute' do
-        expect(doc.css('a').first.attr('title')).to eq(vulnerability.title)
-      end
-
-      it 'escapes the title attribute' do
-        vulnerability.update_column(:title, %{"></a>whatever<a title="})
-
-        expect(doc.text).to eq("Check #{reference}")
-      end
+      expect(doc.text).to eq("Check #{reference}")
+    end
 
-      it 'includes default classes' do
-        expect(doc.css('a').first.attr('class')).to eq('gfm gfm-vulnerability has-tooltip')
-      end
+    it 'includes default classes' do
+      expect(doc.css('a').first.attr('class')).to eq('gfm gfm-vulnerability has-tooltip')
+    end
 
-      it 'includes a data-project attribute' do
-        link = doc.css('a').first
+    it 'includes a data-project attribute' do
+      link = doc.css('a').first
 
-        expect(link).to have_attribute('data-project')
-        expect(link.attr('data-project')).to eq(project.id.to_s)
-      end
+      expect(link).to have_attribute('data-project')
+      expect(link.attr('data-project')).to eq(project.id.to_s)
+    end
 
-      it 'includes a data-vulnerability attribute' do
-        link = doc.css('a').first
+    it 'includes a data-vulnerability attribute' do
+      link = doc.css('a').first
 
-        expect(link).to have_attribute('data-vulnerability')
-        expect(link.attr('data-vulnerability')).to eq(vulnerability.id.to_s)
-      end
+      expect(link).to have_attribute('data-vulnerability')
+      expect(link.attr('data-vulnerability')).to eq(vulnerability.id.to_s)
+    end
 
-      it 'includes a data-original attribute' do
-        link = doc.css('a').first
+    it 'includes a data-original attribute' do
+      link = doc.css('a').first
 
-        expect(link).to have_attribute('data-original')
-        expect(link.attr('data-original')).to eq(CGI.escapeHTML(reference))
-      end
+      expect(link).to have_attribute('data-original')
+      expect(link.attr('data-original')).to eq(CGI.escapeHTML(reference))
+    end
 
-      it 'ignores invalid vulnerability IDs' do
-        text = "Check [vulnerability:#{non_existing_record_id}]"
+    it 'ignores invalid vulnerability IDs' do
+      text = "Check [vulnerability:#{non_existing_record_id}]"
 
-        expect(doc(text).to_s).to eq(ERB::Util.html_escape_once(text))
-      end
+      expect(doc(text).to_s).to eq(ERB::Util.html_escape_once(text))
+    end
 
-      it 'ignores out of range vulnerability IDs' do
-        text = "Check &1161452270761535925900804973910297"
+    it 'ignores out of range vulnerability IDs' do
+      text = "Check &1161452270761535925900804973910297"
 
-        expect(doc(text).to_s).to eq(ERB::Util.html_escape_once(text))
-      end
+      expect(doc(text).to_s).to eq(ERB::Util.html_escape_once(text))
+    end
 
-      it 'does not process links containing vulnerability numbers followed by text' do
-        href = "#{reference}st"
-        link = doc("<a href='#{href}'></a>").css('a').first.attr('href')
+    it 'does not process links containing vulnerability numbers followed by text' do
+      href = "#{reference}st"
+      link = doc("<a href='#{href}'></a>").css('a').first.attr('href')
 
-        expect(link).to eq(href)
-      end
+      expect(link).to eq(href)
     end
+  end
 
-    context 'cross-reference' do
-      before do
-        vulnerability.update_column(:project_id, another_project.id)
-      end
+  context 'cross-reference' do
+    before do
+      vulnerability.update_column(:project_id, another_project.id)
+    end
 
-      it 'ignores a shorthand reference from another group' do
-        text = "Check [vulnerability:#{vulnerability.id}]"
+    it 'ignores a shorthand reference from another group' do
+      text = "Check [vulnerability:#{vulnerability.id}]"
 
-        expect(doc(text).to_s).to eq(ERB::Util.html_escape_once(text))
-      end
+      expect(doc(text).to_s).to eq(ERB::Util.html_escape_once(text))
+    end
 
-      it 'links to a valid reference for full reference' do
-        expect(doc(full_ref_text).css('a').first.attr('href')).to eq(urls.project_security_vulnerability_url(another_project, vulnerability))
-      end
+    it 'links to a valid reference for full reference' do
+      expect(doc(full_ref_text).css('a').first.attr('href')).to eq(urls.project_security_vulnerability_url(another_project, vulnerability))
+    end
 
-      it 'link has valid text' do
-        expect(doc(full_ref_text).css('a').first.text).to eq("[vulnerability:#{vulnerability.project.full_path}/#{vulnerability.id}]")
-      end
+    it 'link has valid text' do
+      expect(doc(full_ref_text).css('a').first.text).to eq("[vulnerability:#{vulnerability.project.full_path}/#{vulnerability.id}]")
+    end
 
-      it 'includes default classes' do
-        expect(doc(full_ref_text).css('a').first.attr('class')).to eq('gfm gfm-vulnerability has-tooltip')
-      end
+    it 'includes default classes' do
+      expect(doc(full_ref_text).css('a').first.attr('class')).to eq('gfm gfm-vulnerability has-tooltip')
     end
+  end
 
-    context 'escaped cross-reference' do
-      before do
-        vulnerability.update_column(:project_id, another_project.id)
-      end
+  context 'escaped cross-reference' do
+    before do
+      vulnerability.update_column(:project_id, another_project.id)
+    end
 
-      it 'ignores a shorthand reference from another group' do
-        text = "Check [vulnerability:#{vulnerability.id}]"
+    it 'ignores a shorthand reference from another group' do
+      text = "Check [vulnerability:#{vulnerability.id}]"
 
-        expect(doc(text).to_s).to eq(ERB::Util.html_escape_once(text))
-      end
+      expect(doc(text).to_s).to eq(ERB::Util.html_escape_once(text))
+    end
 
-      it 'links to a valid reference for full reference' do
-        expect(doc(full_ref_text).css('a').first.attr('href')).to eq(urls.project_security_vulnerability_url(another_project, vulnerability))
-      end
+    it 'links to a valid reference for full reference' do
+      expect(doc(full_ref_text).css('a').first.attr('href')).to eq(urls.project_security_vulnerability_url(another_project, vulnerability))
+    end
 
-      it 'link has valid text' do
-        expect(doc(full_ref_text).css('a').first.text).to eq("[vulnerability:#{vulnerability.project.full_path}/#{vulnerability.id}]")
-      end
+    it 'link has valid text' do
+      expect(doc(full_ref_text).css('a').first.text).to eq("[vulnerability:#{vulnerability.project.full_path}/#{vulnerability.id}]")
+    end
 
-      it 'includes default classes' do
-        expect(doc(full_ref_text).css('a').first.attr('class')).to eq('gfm gfm-vulnerability has-tooltip')
-      end
+    it 'includes default classes' do
+      expect(doc(full_ref_text).css('a').first.attr('class')).to eq('gfm gfm-vulnerability has-tooltip')
     end
+  end
 
-    context 'url reference' do
-      let(:link) { urls.project_security_vulnerability_url(vulnerability.project, vulnerability) }
-      let(:text) { "Check #{link}" }
-      let(:project) { create(:project) }
+  context 'url reference' do
+    let(:link) { urls.project_security_vulnerability_url(vulnerability.project, vulnerability) }
+    let(:text) { "Check #{link}" }
+    let(:project) { create(:project) }
 
-      before do
-        vulnerability.update_column(:project_id, another_project.id)
-      end
+    before do
+      vulnerability.update_column(:project_id, another_project.id)
+    end
 
-      it 'links to a valid reference' do
-        expect(doc(text).css('a').first.attr('href')).to eq(urls.project_security_vulnerability_url(another_project, vulnerability))
-      end
+    it 'links to a valid reference' do
+      expect(doc(text).css('a').first.attr('href')).to eq(urls.project_security_vulnerability_url(another_project, vulnerability))
+    end
 
-      it 'link has valid text' do
-        expect(doc(text).css('a').first.text).to eq(vulnerability.to_reference(project))
-      end
+    it 'link has valid text' do
+      expect(doc(text).css('a').first.text).to eq(vulnerability.to_reference(project))
+    end
 
-      it 'includes default classes' do
-        expect(doc(text).css('a').first.attr('class')).to eq('gfm gfm-vulnerability has-tooltip')
-      end
+    it 'includes default classes' do
+      expect(doc(text).css('a').first.attr('class')).to eq('gfm gfm-vulnerability has-tooltip')
+    end
 
-      it 'matches link reference with trailing slash' do
-        doc2 = reference_filter("Fixed (#{link}/.)")
+    it 'matches link reference with trailing slash' do
+      doc2 = reference_filter("Fixed (#{link}/.)")
 
-        expect(doc2).to match(%r{\(#{Regexp.escape(vulnerability.to_reference(project))}\.\)})
-      end
+      expect(doc2).to match(%r{\(#{Regexp.escape(vulnerability.to_reference(project))}\.\)})
     end
+  end
 
-    context 'url in a link href' do
-      let(:link) { urls.project_security_vulnerability_url(vulnerability.project, vulnerability) }
-      let(:text) do
-        ref = %{<a href="#{link}">Reference</a>}
-        "Check #{ref}"
-      end
+  context 'url in a link href' do
+    let(:link) { urls.project_security_vulnerability_url(vulnerability.project, vulnerability) }
+    let(:text) do
+      ref = %{<a href="#{link}">Reference</a>}
+      "Check #{ref}"
+    end
 
-      before do
-        vulnerability.update_column(:project_id, another_project.id)
-      end
+    before do
+      vulnerability.update_column(:project_id, another_project.id)
+    end
 
-      it 'links to a valid reference for link href' do
-        expect(doc(text).css('a').first.attr('href')).to eq(urls.project_security_vulnerability_url(another_project, vulnerability))
-      end
+    it 'links to a valid reference for link href' do
+      expect(doc(text).css('a').first.attr('href')).to eq(urls.project_security_vulnerability_url(another_project, vulnerability))
+    end
 
-      it 'link has valid text' do
-        expect(doc(text).css('a').first.text).to eq('Reference')
-      end
+    it 'link has valid text' do
+      expect(doc(text).css('a').first.text).to eq('Reference')
+    end
 
-      it 'includes default classes' do
-        expect(doc(text).css('a').first.attr('class')).to eq('gfm gfm-vulnerability has-tooltip')
-      end
+    it 'includes default classes' do
+      expect(doc(text).css('a').first.attr('class')).to eq('gfm gfm-vulnerability has-tooltip')
     end
   end
 end