Add MergeRequest to vulnerability

Add possibility to query for auto-fix MR from vulnerability

app/graphql/types/merge_request_type.rb

@@ -167,6 +167,8 @@ module Types
           description: 'Indicates if the merge request is mergeable'
     field :commits_without_merge_commits, Types::CommitType.connection_type, null: true,
           calls_gitaly: true, description: 'Merge request commits excluding merge commits'
+    field :security_auto_fix, GraphQL::BOOLEAN_TYPE, null: true,
+          description: 'Indicates if the merge request is created by @GitLab-Security-Bot.'
 
     def approved_by
       object.approved_by_users
@@ -229,6 +231,10 @@ module Types
     def commits_without_merge_commits
       object.recent_commits.without_merge_commits
     end
+
+    def security_auto_fix
+      object.author == User.security_bot
+    end
   end
 end
 

changelogs/unreleased/258810-2-itteration-be.yml

+---
+title: Add MergeRequest to VulnerabilityType in GraphQL
+merge_request: 50082
+author:
+type: added

doc/api/graphql/reference/gitlab_schema.graphql

@@ -13466,6 +13466,11 @@ type MergeRequest implements CurrentUserTodos & Noteable {
     full: Boolean = false
   ): String!
 
+  """
+  Indicates if the merge request is created by @GitLab-Security-Bot.
+  """
+  securityAutoFix: Boolean
+
   """
   Indicates if the merge request will be rebased
   """
@@ -25041,6 +25046,11 @@ type Vulnerability implements Noteable {
   """
   location: VulnerabilityLocation
 
+  """
+  Merge request that fixes the vulnerability.
+  """
+  mergeRequest: MergeRequest
+
   """
   All notes on this noteable
   """

doc/api/graphql/reference/gitlab_schema.json

@@ -37149,6 +37149,20 @@
               "isDeprecated": false,
               "deprecationReason": null
             },
+            {
+              "name": "securityAutoFix",
+              "description": "Indicates if the merge request is created by @GitLab-Security-Bot.",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "SCALAR",
+                "name": "Boolean",
+                "ofType": null
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
             {
               "name": "shouldBeRebased",
               "description": "Indicates if the merge request will be rebased",
@@ -72928,6 +72942,20 @@
               "isDeprecated": false,
               "deprecationReason": null
             },
+            {
+              "name": "mergeRequest",
+              "description": "Merge request that fixes the vulnerability.",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "OBJECT",
+                "name": "MergeRequest",
+                "ofType": null
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
             {
               "name": "notes",
               "description": "All notes on this noteable",

doc/api/graphql/reference/index.md

@@ -2088,6 +2088,7 @@ Autogenerated return type of MarkAsSpamSnippet.
 | `rebaseCommitSha` | String | Rebase commit SHA of the merge request |
 | `rebaseInProgress` | Boolean! | Indicates if there is a rebase currently in progress for the merge request |
 | `reference` | String! | Internal reference of the merge request. Returned in shortened format by default |
+| `securityAutoFix` | Boolean | Indicates if the merge request is created by @GitLab-Security-Bot. |
 | `shouldBeRebased` | Boolean! | Indicates if the merge request will be rebased |
 | `shouldRemoveSourceBranch` | Boolean | Indicates if the source branch of the merge request will be deleted after merge |
 | `sourceBranch` | String! | Source branch of the merge request |
@@ -3772,6 +3773,7 @@ Represents a vulnerability.
 | `identifiers` | VulnerabilityIdentifier! => Array | Identifiers of the vulnerability. |
 | `issueLinks` | VulnerabilityIssueLinkConnection! | List of issue links related to the vulnerability |
 | `location` | VulnerabilityLocation | Location metadata for the vulnerability. Its fields depend on the type of security scan that found the vulnerability |
+| `mergeRequest` | MergeRequest | Merge request that fixes the vulnerability. |
 | `notes` | NoteConnection! | All notes on this noteable |
 | `primaryIdentifier` | VulnerabilityIdentifier | Primary identifier of the vulnerability. |
 | `project` | Project | The project on which the vulnerability was found |

ee/app/graphql/types/vulnerability_type.rb

@@ -78,6 +78,9 @@ module Types
           description: 'Indicates whether there is a solution available for this vulnerability.',
           resolver_method: :has_solutions?
 
+    field :merge_request, ::Types::MergeRequestType, null: true,
+          description: 'Merge request that fixes the vulnerability.'
+
     def user_notes_count
       ::Gitlab::Graphql::Aggregations::Vulnerabilities::LazyUserNotesCountAggregate.new(context, object)
     end
@@ -106,6 +109,10 @@ module Types
       Gitlab::Graphql::Loaders::BatchModelLoader.new(Project, object.project_id).find
     end
 
+    def merge_request
+      object.finding&.merge_request_feedback&.merge_request
+    end
+
     def has_solutions?
       object.finding&.remediations&.any?
     end

ee/spec/graphql/types/vulnerability_type_spec.rb

@@ -30,6 +30,7 @@ RSpec.describe GitlabSchema.types['Vulnerability'] do
        notes
        external_issue_links
        has_solutions
+       merge_request
        discussions]
   end
 

spec/graphql/types/merge_request_type_spec.rb

@@ -29,7 +29,7 @@ RSpec.describe GitlabSchema.types['MergeRequest'] do
       total_time_spent reference author merged_at commit_count current_user_todos
       conflicts auto_merge_enabled approved_by source_branch_protected
       default_merge_commit_message_with_description squash_on_merge available_auto_merge_strategies
-      has_ci mergeable commits_without_merge_commits
+      has_ci mergeable commits_without_merge_commits security_auto_fix
     ]
 
     if Gitlab.ee?