Merge branch '33488-remove-first-class-vulnerabilities-feature-flag' into 'master'

Remove first class vulnerabilities feature flag See merge request gitlab-org/gitlab!28212

Merge branch '33488-remove-first-class-vulnerabilities-feature-flag' into 'master'
Remove first class vulnerabilities feature flag See merge request gitlab-org/gitlab!28212
f246b39e · Dylan Griffith · 6155d96a · 79c3b03a · f246b39e · f246b39e
Commit f246b39e authored Jun 16, 2020 by Dylan Griffith
24 changed files
--- a/doc/api/project_vulnerabilities.md
+++ b/doc/api/project_vulnerabilities.md
@@ -2,14 +2,6 @@
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10242) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.6.
-CAUTION: **Caution:**
-This API is currently in development and is protected by a **disabled**
-[feature flag](../development/feature_flags/index.md).
-On a self-managed GitLab instance, an administrator can enable it by starting the Rails console
-(`sudo gitlab-rails console`) and then running the following command: `Feature.enable(:first_class_vulnerabilities)`.
-To test if the Vulnerabilities API was successfully enabled, run the following command:
-`Feature.enabled?(:first_class_vulnerabilities)`.
 CAUTION: **Caution:**
 This API is in an alpha stage and considered unstable.
 The response payload may be subject to change or breakage

--- a/doc/api/vulnerabilities.md
+++ b/doc/api/vulnerabilities.md
@@ -8,14 +8,6 @@ and its documentation was moved to [a different location](vulnerability_findings
 This document now describes the new Vulnerabilities API that provides access to
 [Standalone Vulnerabilities](https://gitlab.com/groups/gitlab-org/-/epics/634).
-CAUTION: **Caution:**
-This API is currently in development and is protected by a **disabled**
-[feature flag](../development/feature_flags/index.md).
-On a self-managed GitLab instance, an administrator can enable it by starting the Rails console
-(`sudo gitlab-rails console`) and then running the following command: `Feature.enable(:first_class_vulnerabilities)`.
-To test if the Vulnerabilities API was successfully enabled, run the following command:
-`Feature.enabled?(:first_class_vulnerabilities)`.
 CAUTION: **Caution:**
 This API is in an alpha stage and considered unstable.
 The response payload may be subject to change or breakage

--- a/doc/api/vulnerability_exports.md
+++ b/doc/api/vulnerability_exports.md
@@ -2,14 +2,6 @@
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/197494) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.10. [Updated](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/30397) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.0.
-CAUTION: **Caution:**
-This API is currently in development and is protected by a **disabled**
-[feature flag](../development/feature_flags/index.md).
-On a self-managed GitLab instance, an administrator can enable it by starting the Rails console
-(`sudo gitlab-rails console`) and then running the following command: `Feature.enable(:first_class_vulnerabilities)`.
-To test if the Vulnerability Exports API was successfully enabled, run the following command:
-`Feature.enabled?(:first_class_vulnerabilities)`.
 CAUTION: **Caution:**
 This API is in an alpha stage and considered unstable.
 The response payload may be subject to change or breakage

--- a/ee/app/assets/javascripts/pages/groups/security/dashboard/show/index.js
+++ b/ee/app/assets/javascripts/pages/groups/security/dashboard/show/index.js
-import initGroupSecurityDashboard from 'ee/security_dashboard/group_init';
 import initFirstClassSecurityDashboard from 'ee/security_dashboard/first_class_init';
 import { DASHBOARD_TYPES } from 'ee/security_dashboard/store/constants';
 document.addEventListener('DOMContentLoaded', () => {
-  if (gon.features?.firstClassVulnerabilities) {
+  initFirstClassSecurityDashboard(
-    initFirstClassSecurityDashboard(
+    document.getElementById('js-group-security-dashboard'),
-      document.getElementById('js-group-security-dashboard'),
+    DASHBOARD_TYPES.GROUP,
-      DASHBOARD_TYPES.GROUP,
+  );
-    );
-  } else {
-    initGroupSecurityDashboard();
-  }
 });
--- a/ee/app/assets/javascripts/pages/projects/security/dashboard/index/index.js
+++ b/ee/app/assets/javascripts/pages/projects/security/dashboard/index/index.js
-import initProjectSecurityDashboard from 'ee/security_dashboard/project_init';
 import initFirstClassSecurityDashboard from 'ee/security_dashboard/first_class_init';
 import { DASHBOARD_TYPES } from 'ee/security_dashboard/store/constants';
 document.addEventListener('DOMContentLoaded', () => {
-  if (gon.features?.firstClassVulnerabilities) {
+  initFirstClassSecurityDashboard(
-    initFirstClassSecurityDashboard(
+    document.getElementById('js-security-report-app'),
-      document.getElementById('js-security-report-app'),
+    DASHBOARD_TYPES.PROJECT,
-      DASHBOARD_TYPES.PROJECT,
+  );
-    );
-  } else {
-    initProjectSecurityDashboard();
-  }
 });
--- a/ee/app/assets/javascripts/pages/security/dashboard/show/index.js
+++ b/ee/app/assets/javascripts/pages/security/dashboard/show/index.js
-import initInstanceSecurityDashboard from 'ee/security_dashboard/instance_init';
 import initFirstClassSecurityDashboard from 'ee/security_dashboard/first_class_init';
 import { DASHBOARD_TYPES } from 'ee/security_dashboard/store/constants';
 document.addEventListener('DOMContentLoaded', () => {
-  if (gon.features?.firstClassVulnerabilities) {
+  initFirstClassSecurityDashboard(document.getElementById('js-security'), DASHBOARD_TYPES.INSTANCE);
-    initFirstClassSecurityDashboard(
-      document.getElementById('js-security'),
-      DASHBOARD_TYPES.INSTANCE,
-    );
-  } else if (gon.features?.instanceSecurityDashboard) {
-    initInstanceSecurityDashboard();
-  }
 });
--- a/ee/app/controllers/groups/security/dashboard_controller.rb
+++ b/ee/app/controllers/groups/security/dashboard_controller.rb
@@ -2,10 +2,6 @@
 class Groups::Security::DashboardController < Groups::ApplicationController
  layout 'group'
-  before_action only: [:show] do
-    push_frontend_feature_flag(:first_class_vulnerabilities, group, default_enabled: true)
-  end
  def show
    render :unavailable unless dashboard_available?
  end

--- a/ee/app/controllers/projects/security/dashboard_controller.rb
+++ b/ee/app/controllers/projects/security/dashboard_controller.rb
@@ -9,7 +9,6 @@ module Projects
      before_action only: [:index] do
        push_frontend_feature_flag(:hide_dismissed_vulnerabilities)
-        push_frontend_feature_flag(:first_class_vulnerabilities, @project, default_enabled: true)
      end
      def index

--- a/ee/app/controllers/projects/security/vulnerabilities/notes_controller.rb
+++ b/ee/app/controllers/projects/security/vulnerabilities/notes_controller.rb
@@ -11,7 +11,6 @@ module Projects
        include NotesHelper
        include ToggleAwardEmoji
-        before_action :not_found, unless: -> { project.first_class_vulnerabilities_enabled? }
        before_action :authorize_create_note!, only: [:create]
        private

--- a/ee/app/controllers/projects/security/vulnerabilities_controller.rb
+++ b/ee/app/controllers/projects/security/vulnerabilities_controller.rb
@@ -7,8 +7,7 @@ module Projects
      include IssuableActions
      include RendersNotes
-      before_action :not_found, unless: -> { project.first_class_vulnerabilities_enabled? }
+      before_action :vulnerability, except: :index
-      before_action :vulnerability
      alias_method :vulnerable, :project

--- a/ee/app/controllers/security/dashboard_controller.rb
+++ b/ee/app/controllers/security/dashboard_controller.rb
@@ -2,8 +2,5 @@
 module Security
  class DashboardController < ::Security::ApplicationController
-    before_action only: [:show] do
-      push_frontend_feature_flag(:first_class_vulnerabilities, default_enabled: true)
-    end
  end
 end
--- a/ee/app/helpers/ee/projects_helper.rb
+++ b/ee/app/helpers/ee/projects_helper.rb
@@ -130,10 +130,6 @@ module EE
      ::License.feature_available?(:ci_cd_projects) && import_sources_enabled?
    end
-    def first_class_vulnerabilities_available?(project)
-      ::Feature.enabled?(:first_class_vulnerabilities, project, default_enabled: true)
-    end
    def merge_pipelines_available?
      return false unless @project.builds_enabled?
@@ -190,6 +186,7 @@ module EE
          project_full_path: project.full_path,
          vulnerabilities_endpoint: project_security_vulnerability_findings_path(project),
          vulnerabilities_summary_endpoint: summary_project_security_vulnerability_findings_path(project),
+          vulnerabilities_export_endpoint: api_v4_security_projects_vulnerability_exports_path(id: project.id),
          vulnerability_feedback_help_path: help_page_path("user/application_security/index", anchor: "interacting-with-the-vulnerabilities"),
          empty_state_svg_path: image_path('illustrations/security-dashboard-empty-state.svg'),
          dashboard_documentation: help_page_path('user/application_security/security_dashboard/index'),
@@ -225,8 +222,6 @@ module EE
    end
    def project_vulnerabilities_config(project)
-      return {} unless first_class_vulnerabilities_available?(project)
      { vulnerabilities_export_endpoint: api_v4_security_projects_vulnerability_exports_path(id: project.id) }
    end

--- a/ee/app/models/ee/project.rb
+++ b/ee/app/models/ee/project.rb
@@ -303,10 +303,6 @@ module EE
      ::Feature.enabled?(:repository_push_audit_event, self)
    end
-    def first_class_vulnerabilities_enabled?
-      ::Feature.enabled?(:first_class_vulnerabilities, self, default_enabled: true)
-    end
    def feature_available?(feature, user = nil)
      if ::ProjectFeature::FEATURES.include?(feature)
        super

--- a/ee/app/models/vulnerabilities/occurrence.rb
+++ b/ee/app/models/vulnerabilities/occurrence.rb
@@ -139,7 +139,6 @@ module Vulnerabilities
    def state
      return 'dismissed' if dismissal_feedback.present?
-      return 'detected' unless Feature.enabled?(:first_class_vulnerabilities, project, default_enabled: true)
      if vulnerability.nil?
        'detected'

--- a/ee/changelogs/unreleased/33488-remove-first-class-vulnerabilities-feature-flag.yml
+++ b/ee/changelogs/unreleased/33488-remove-first-class-vulnerabilities-feature-flag.yml
+---
+title: Improve Vulnerability Management with Standalone Vulnerabilities
+merge_request: 28212
+author:
+type: added
--- a/ee/lib/api/vulnerabilities.rb
+++ b/ee/lib/api/vulnerabilities.rb
@@ -34,8 +34,6 @@ module API
      end
      get ':id' do
        vulnerability = find_and_authorize_vulnerability!(:read_vulnerability)
-        not_found! unless Feature.enabled?(:first_class_vulnerabilities, vulnerability.project, default_enabled: true)
        render_vulnerability(vulnerability)
      end
@@ -44,8 +42,6 @@ module API
      end
      post ':id/resolve' do
        vulnerability = find_and_authorize_vulnerability!(:admin_vulnerability)
-        not_found! unless Feature.enabled?(:first_class_vulnerabilities, vulnerability.project, default_enabled: true)
        not_modified! if vulnerability.resolved?
        vulnerability = ::Vulnerabilities::ResolveService.new(current_user, vulnerability).execute
@@ -57,8 +53,6 @@ module API
      end
      post ':id/dismiss' do
        vulnerability = find_and_authorize_vulnerability!(:admin_vulnerability)
-        not_found! unless Feature.enabled?(:first_class_vulnerabilities, vulnerability.project, default_enabled: true)
        not_modified! if vulnerability.dismissed?
        vulnerability = ::Vulnerabilities::DismissService.new(current_user, vulnerability).execute
@@ -70,8 +64,6 @@ module API
      end
      post ':id/confirm' do
        vulnerability = find_and_authorize_vulnerability!(:admin_vulnerability)
-        not_found! unless Feature.enabled?(:first_class_vulnerabilities, vulnerability.project, default_enabled: true)
        not_modified! if vulnerability.confirmed?
        vulnerability = ::Vulnerabilities::ConfirmService.new(current_user, vulnerability).execute
@@ -86,9 +78,6 @@ module API
      desc 'Get a list of project vulnerabilities' do
        success EE::API::Entities::Vulnerability
      end
-      before do
-        not_found! unless Feature.enabled?(:first_class_vulnerabilities, user_project, default_enabled: true)
-      end
      params do
        use :pagination
      end

--- a/ee/lib/api/vulnerability_exports.rb
+++ b/ee/lib/api/vulnerability_exports.rb
@@ -42,10 +42,6 @@ module API
          success EE::API::Entities::VulnerabilityExport
        end
-        before do
-          not_found! unless Feature.enabled?(:first_class_vulnerabilities, user_project, default_enabled: true)
-        end
        post ':id/vulnerability_exports' do
          authorize! :create_vulnerability_export, user_project
@@ -64,10 +60,6 @@ module API
          success EE::API::Entities::VulnerabilityExport
        end
-        before do
-          not_found! unless Feature.enabled?(:first_class_vulnerabilities, user_group, default_enabled: true)
-        end
        post ':id/vulnerability_exports' do
          authorize! :create_vulnerability_export, user_group
@@ -76,10 +68,6 @@ module API
      end
      namespace do
-        before do
-          not_found! unless Feature.enabled?(:first_class_vulnerabilities, default_enabled: true)
-        end
        params do
          optional :export_format, type: String, desc: 'The format of export to be generated',
                   default: ::Vulnerabilities::Export.formats.each_key.first,

--- a/ee/lib/api/vulnerability_issue_links.rb
+++ b/ee/lib/api/vulnerability_issue_links.rb
@@ -33,8 +33,6 @@ module API
      end
      get ':id/issue_links' do
        vulnerability = find_and_authorize_vulnerability!(:read_vulnerability)
-        not_found! unless Feature.enabled?(:first_class_vulnerabilities, vulnerability.project, default_enabled: true)
        present vulnerability
                  .related_issues
                  .with_api_entity_associations
@@ -51,8 +49,6 @@ module API
      end
      post ':id/issue_links' do
        vulnerability = find_and_authorize_vulnerability!(:admin_vulnerability_issue_link)
-        not_found! unless Feature.enabled?(:first_class_vulnerabilities, vulnerability.project, default_enabled: true)
        issue = find_project_issue(params[:target_issue_iid], vulnerability.project_id)
        response = ::VulnerabilityIssueLinks::CreateService.new(
@@ -68,9 +64,7 @@ module API
        requires :issue_link_id, type: Integer, desc: 'The ID of a vulnerability-issue-link to delete'
      end
      delete ':id/issue_links/:issue_link_id' do
-        vulnerability = find_and_authorize_vulnerability!(:admin_vulnerability_issue_link)
+        find_and_authorize_vulnerability!(:admin_vulnerability_issue_link)
-        not_found! unless Feature.enabled?(:first_class_vulnerabilities, vulnerability.project, default_enabled: true)
        issue_link = find_issue_link!
        service_response = ::VulnerabilityIssueLinks::DeleteService.new(current_user, issue_link).execute

--- a/ee/spec/controllers/projects/security/vulnerabilities/notes_controller_spec.rb
+++ b/ee/spec/controllers/projects/security/vulnerabilities/notes_controller_spec.rb
@@ -40,18 +40,6 @@ RSpec.describe Projects::Security::Vulnerabilities::NotesController do
      expect(json_response['notes']).to be_an Array
      expect(json_response['notes'].pluck('id')).to eq([note.id.to_s])
    end
-    context 'when the feature flag is disabled' do
-      before do
-        stub_feature_flags(first_class_vulnerabilities: false)
-      end
-      it 'renders the 404 page' do
-        view_all_notes
-        expect(response).to have_gitlab_http_status(:not_found)
-      end
-    end
  end
  describe 'POST create' do

--- a/ee/spec/controllers/projects/security/vulnerabilities_controller_spec.rb
+++ b/ee/spec/controllers/projects/security/vulnerabilities_controller_spec.rb
@@ -52,18 +52,6 @@ RSpec.describe Projects::Security::VulnerabilitiesController do
        expect(response.body).to have_text(vulnerability.title)
      end
    end
-    context 'when the feature flag is disabled' do
-      before do
-        stub_feature_flags(first_class_vulnerabilities: false)
-      end
-      it 'renders the 404 page' do
-        show_vulnerability
-        expect(response).to have_gitlab_http_status(:not_found)
-      end
-    end
  end
  describe 'GET #discussions' do
@@ -85,17 +73,5 @@ RSpec.describe Projects::Security::VulnerabilitiesController do
      expect(json_response.pluck('id')).to eq([discussion_note.discussion_id])
    end
-    context 'when the feature flag is disabled' do
-      before do
-        stub_feature_flags(first_class_vulnerabilities: false)
-      end
-      it 'renders the 404 page' do
-        show_vulnerability_discussion_list
-        expect(response).to have_gitlab_http_status(:not_found)
-      end
-    end
  end
 end
--- a/ee/spec/features/groups/group_overview_spec.rb
+++ b/ee/spec/features/groups/group_overview_spec.rb
@@ -10,7 +10,6 @@ RSpec.describe 'Group overview', :js, :aggregate_failures do
  subject(:visit_page) { visit group_path(group) }
  before do
-    stub_feature_flags(first_class_vulnerabilities: false)
    group.add_owner(user)
    sign_in(user)
  end
@@ -35,51 +34,6 @@ RSpec.describe 'Group overview', :js, :aggregate_failures do
    let(:user) { create(:user, group_view: :security_dashboard) }
-    context 'and Security Dashboard feature is available for a group' do
-      let(:group) { create(:group_with_plan, plan: :gold_plan) }
-      let(:project) { create(:project, :public, namespace: group) }
-      before do
-        create(:vulnerability, :with_findings, project: project)
-      end
-      context 'when the "first_class_vulnerabilities" feature flag is not enabled' do
-        it 'displays the Security Dashboard view' do
-          visit_page
-          expect(page).to have_selector('.js-security-dashboard-table')
-          page.within(find('aside')) do
-            expect(page).to have_content _('Vulnerabilities over time')
-            expect(page).to have_selector('.js-vulnerabilities-chart-time-info')
-            expect(page).to have_selector('.js-vulnerabilities-chart-severity-level-breakdown')
-            expect(page).to have_content _('Project security status')
-            expect(page).to have_selector('.js-projects-security-status')
-          end
-          page.within(all('div.row')[1]) do
-            expect(page).not_to have_content s_('VulnerabilityStatusTypes|Detected')
-          end
-        end
-      end
-      context 'when the "first_class_vulnerabilities" feature flag is enabled' do
-        before do
-          stub_feature_flags(first_class_vulnerabilities: true)
-        end
-        it 'loads the first class group security dashboard' do
-          visit_page
-          page.within(all('div.row')[1]) do
-            expect(page).to have_content s_('VulnerabilityStatusTypes|Detected')
-            expect(page).to have_content s_('Vulnerability|Severity')
-          end
-        end
-      end
-    end
    context 'and Security Dashboard feature is not available for a group' do
      let(:group) { create(:group_with_plan, plan: :bronze_plan) }

--- a/ee/spec/helpers/projects_helper_spec.rb
+++ b/ee/spec/helpers/projects_helper_spec.rb
@@ -135,25 +135,6 @@ RSpec.describe ProjectsHelper do
      it { is_expected.to match(expected_core_values) }
-      context 'when the first_class_vulnerabilities available' do
-        let(:export_endpoint) { "/api/v4/security/projects/#{project.id}/vulnerability_exports" }
-        let(:expected_sub_hash) { hash_including(vulnerabilities_export_endpoint: export_endpoint) }
-        before do
-          allow(::Feature).to receive(:enabled?).with(:first_class_vulnerabilities, project, default_enabled: true).and_return(true)
-        end
-        it { is_expected.to match(expected_sub_hash) }
-      end
-      context 'when the first_class_vulnerabilities is not available' do
-        before do
-          allow(::Feature).to receive(:enabled?).with(:first_class_vulnerabilities, project, default_enabled: true).and_return(false)
-        end
-        it { is_expected.not_to have_key(:vulnerabilities_export_endpoint) }
-      end
      context 'project without pipeline' do
        let(:expected_sub_hash) do
          hash_including(
@@ -187,7 +168,8 @@ RSpec.describe ProjectsHelper do
            ref_path: "#{project_path}/-/commits/#{project.default_branch}",
            pipeline_path: "#{project_path}/-/pipelines/#{pipeline.id}",
            pipeline_created: pipeline.created_at.to_s(:iso8601),
-            has_pipeline_data: 'true'
+            has_pipeline_data: 'true',
+            vulnerabilities_export_endpoint: "/api/v4/security/projects/#{project.id}/vulnerability_exports"
          )
        end

--- a/ee/spec/helpers/security_helper_spec.rb
+++ b/ee/spec/helpers/security_helper_spec.rb
@@ -4,10 +4,6 @@ require 'spec_helper'
 RSpec.describe SecurityHelper do
  describe '#instance_security_dashboard_data' do
-    before do
-      stub_feature_flags(first_class_vulnerabilities: true)
-    end
    subject { instance_security_dashboard_data }
    it 'returns vulnerability, project, feedback, asset, and docs paths for the instance security dashboard' do

--- a/ee/spec/support/shared_examples/requests/api/vulnerabilities_shared_examples.rb
+++ b/ee/spec/support/shared_examples/requests/api/vulnerabilities_shared_examples.rb
 # frozen_string_literal: true
 RSpec.shared_examples 'forbids access to vulnerability API endpoint in case of disabled features' do
-  context 'when "first-class vulnerabilities" feature is disabled' do
-    before do
-      stub_feature_flags(first_class_vulnerabilities: false)
-    end
-    it 'responds with "not found"' do
-      subject
-      expect(response).to have_gitlab_http_status(:not_found)
-    end
-  end
  context 'when security dashboard feature is not available' do
    before do
      stub_licensed_features(security_dashboard: false)