From 55936bd94f5ee0659dbd82aaf30faa1e285ba5a3 Mon Sep 17 00:00:00 2001 From: Dave Pisek Date: Mon, 11 Nov 2024 10:41:24 +0100 Subject: [PATCH 1/4] AI-Resolution: Add public project warning This merge request updates the vulnerability header and actions dropdown components. The header component now displays a warning when the vulnerability belongs to a public project and the AI resolution is enabled. This is because creating a merge request from a public project will publicly expose the vulnerability and the offered resolution. Changelog: changed EE: true --- .../vulnerabilities/components/header.vue | 1 + .../vulnerability_actions_dropdown.vue | 150 +++++++++++------- ee/app/helpers/vulnerabilities_helper.rb | 1 + .../frontend/vulnerabilities/header_spec.js | 17 ++ .../vulnerability_actions_dropdown_spec.js | 17 ++ .../helpers/vulnerabilities_helper_spec.rb | 3 +- locale/gitlab.pot | 3 + 7 files changed, 138 insertions(+), 54 deletions(-) diff --git a/ee/app/assets/javascripts/vulnerabilities/components/header.vue b/ee/app/assets/javascripts/vulnerabilities/components/header.vue index bb5a798acde048..43aa33c5de7122 100644 --- a/ee/app/assets/javascripts/vulnerabilities/components/header.vue +++ b/ee/app/assets/javascripts/vulnerabilities/components/header.vue @@ -338,6 +338,7 @@ export default { :show-resolve-with-ai="canResolveWithAi" :show-explain-with-ai="canExplainWithAi" :ai-resolution-enabled="vulnerability.aiResolutionEnabled" + :show-public-project-warning="vulnerability.belongsToPublicProject" @create-merge-request="createMergeRequest" @download-patch="downloadPatch" @explain-vulnerability="explainVulnerability" diff --git a/ee/app/assets/javascripts/vulnerabilities/components/vulnerability_actions_dropdown.vue b/ee/app/assets/javascripts/vulnerabilities/components/vulnerability_actions_dropdown.vue index 9e78481f7c492d..cc826bc72b0f78 100644 --- a/ee/app/assets/javascripts/vulnerabilities/components/vulnerability_actions_dropdown.vue 
+++ b/ee/app/assets/javascripts/vulnerabilities/components/vulnerability_actions_dropdown.vue @@ -3,6 +3,7 @@ import { GlButton, GlDisclosureDropdown, GlDisclosureDropdownItem, + GlSprintf, GlLink, GlIcon, } from '@gitlab/ui'; @@ -31,6 +32,12 @@ const RESOLVE_VULNERABILITY_ACTION = { disabledStateDescription: s__( 'AI|GitLab Duo is unable to suggest a fix for this type of vulnerability.', ), + publicProjectWarning: { + text: s__( + 'AI|Creating an MR from a public project will publicly expose the vulnerability and offered resolution. To create the MR privately, see %{linkStart} Resolving a vulnerability privately%{linkEnd}.', + ), + confidentialMRDocsPat: helpPagePath('/user/project/merge_requests/confidential'), + }, }; const CREATE_MERGE_REQUEST_ACTION = { @@ -46,7 +53,14 @@ const DOWNLOAD_PATCH_ACTION = { }; export default { - components: { GlButton, GlDisclosureDropdown, GlDisclosureDropdownItem, GlLink, GlIcon }, + components: { + GlButton, + GlDisclosureDropdown, + GlDisclosureDropdownItem, + GlSprintf, + GlLink, + GlIcon, + }, props: { loading: { type: Boolean, @@ -78,6 +92,11 @@ export default { required: false, default: false, }, + showPublicProjectWarning: { + type: Boolean, + required: false, + default: false, + }, }, computed: { onlyAiActionsAvailable() { @@ -104,10 +123,6 @@ export default { availableActions.push(DOWNLOAD_PATCH_ACTION); } - if (this.showExplainWithAi) { - availableActions.push(EXPLAIN_VULNERABILITY_ACTION); - } - if (this.showResolveWithAi) { availableActions.push({ ...RESOLVE_VULNERABILITY_ACTION, @@ -116,9 +131,17 @@ export default { extraAttrs: { disabled: true }, description: RESOLVE_VULNERABILITY_ACTION.disabledStateDescription, }), + ...(this.aiResolutionEnabled && + this.showPublicProjectWarning && { + showPublicProjectWarning: true, + }), }); } + if (this.showExplainWithAi) { + availableActions.push(EXPLAIN_VULNERABILITY_ACTION); + } + return availableActions; }, }, 
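Review bot: The key `confidentialMRDocsPat` added under `publicProjectWarning` reads like a truncated `confidentialMRDocsPath`, and the translatable string has a space after `%{linkStart}`, so the rendered link text would begin with a blank. I would rename the key to `confidentialMRDocsPath` and write the placeholder as `see %{linkStart}Resolving a vulnerability privately%{linkEnd}`. The template that reads the key is not legible on this page, and the same msgid is added to locale/gitlab.pot, so both would need to change together.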
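Review bot: The spread that sets `showPublicProjectWarning: true` in `availableActions` is gated on `aiResolutionEnabled` with no comment explaining why, and it marks only the resolve-with-AI entry. A short comment above it would help, for example `// A disabled action cannot open an MR, so only warn when the resolution is enabled.` If the existing `CREATE_MERGE_REQUEST_ACTION` also opens its merge request in the public project, that path would disclose the finding and its fix without this warning; where that action is pushed is outside the hunk, so this is worth confirming. The computed property starts above the hunk.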
@@ -153,56 +176,77 @@ export default { placement="bottom-end" class="gl-leading-20" > - - - +

+ + + +

+ + diff --git a/ee/app/helpers/vulnerabilities_helper.rb b/ee/app/helpers/vulnerabilities_helper.rb index 804236323b2c29..384553fc96f4c7 100644 --- a/ee/app/helpers/vulnerabilities_helper.rb +++ b/ee/app/helpers/vulnerabilities_helper.rb @@ -94,6 +94,7 @@ def vulnerability_finding_data(vulnerability) data[:ai_explanation_available] = vulnerability.finding.ai_explanation_available? data[:ai_resolution_available] = vulnerability.finding.ai_resolution_available? data[:ai_resolution_enabled] = vulnerability.finding.ai_resolution_enabled? + data[:belongs_to_public_project] = vulnerability.project.public? data end diff --git a/ee/spec/frontend/vulnerabilities/header_spec.js b/ee/spec/frontend/vulnerabilities/header_spec.js index 7430ac9e982c48..eb3abc1cf2b14c 100644 --- a/ee/spec/frontend/vulnerabilities/header_spec.js +++ b/ee/spec/frontend/vulnerabilities/header_spec.js @@ -567,5 +567,22 @@ describe('Vulnerability Header', () => { expect(MUTATION_AI_ACTION_DEFAULT_RESPONSE).toHaveBeenCalled(); }); }); + + describe('show-public-project warning', () => { + it.each([true, false])( + 'passes "vulnerabilit.belongsToPublicProject" prop to the component', + (belongsToPublicProject) => { + createWrapper({ + vulnerability: { + belongsToPublicProject, + }, + }); + + expect(findActionsDropdown().props('showPublicProjectWarning')).toBe( + belongsToPublicProject, + ); + }, + ); + }); }); }); diff --git a/ee/spec/frontend/vulnerabilities/vulnerability_actions_dropdown_spec.js b/ee/spec/frontend/vulnerabilities/vulnerability_actions_dropdown_spec.js index b67de162273fda..7f39fe6baefc03 100644 --- a/ee/spec/frontend/vulnerabilities/vulnerability_actions_dropdown_spec.js +++ b/ee/spec/frontend/vulnerabilities/vulnerability_actions_dropdown_spec.js @@ -13,6 +13,7 @@ describe('ee/vulnerabilities/components/vulnerability_actions_dropdown.vue', () showExplainWithAi: false, showResolveWithAi: false, aiResolutionEnabled: true, + showPublicProjectWarning: false, ...propsData, }, }); 
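Review bot: `belongs_to_public_project` is derived from `vulnerability.project.public?` alone, which presumably leaves internal-visibility projects without the warning even though a merge request there would be readable by every signed-in user of the instance. It also does not look at who can view merge requests in the project, so the warning may be shown where merge requests are limited to members. If that scope is intended, I would record it next to the line, for example `# Public visibility only; internal projects and the merge request access level are deliberately not considered.` The rest of `vulnerability_finding_data` is outside the hunk.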
@@ -214,4 +215,20 @@ describe('ee/vulnerabilities/components/vulnerability_actions_dropdown.vue', () }); }, ); + + it.each([true, false])( + 'renders/does not render a warning when "showPublicProjectWarning" is: "%s"', + (showPublicProjectWarning) => { + createWrapper({ + showExplainWithAi: true, + aiResolutionEnabled: true, + showResolveWithAi: true, + showPublicProjectWarning, + }); + + expect(wrapper.findByTestId('public-project-warning').exists()).toBe( + showPublicProjectWarning, + ); + }, + ); }); diff --git a/ee/spec/helpers/vulnerabilities_helper_spec.rb b/ee/spec/helpers/vulnerabilities_helper_spec.rb index 7babd39bc070ea..d9ede4957af14f 100644 --- a/ee/spec/helpers/vulnerabilities_helper_spec.rb +++ b/ee/spec/helpers/vulnerabilities_helper_spec.rb @@ -409,7 +409,8 @@ merge_request_links: kind_of(Array), ai_explanation_available: finding.ai_explanation_available?, ai_resolution_available: finding.ai_resolution_available?, - ai_resolution_enabled: finding.ai_resolution_enabled? + ai_resolution_enabled: finding.ai_resolution_enabled?, + belongs_to_public_project: vulnerability.project.public? ) expect(subject[:location]['blob_path']).to match(kind_of(String)) diff --git a/locale/gitlab.pot b/locale/gitlab.pot index 165fc343b9b28a..f37a1d8cf21ef2 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -2286,6 +2286,9 @@ msgstr "" msgid "AI|Create issue description based on a short prompt" msgstr "" +msgid "AI|Creating an MR from a public project will publicly expose the vulnerability and offered resolution. To create the MR privately, see %{linkStart} Resolving a vulnerability privately%{linkEnd}." +msgstr "" + msgid "AI|Description is required" msgstr "" -- GitLab From c3963f88ec03efb290ca8fbb36633eebad0458f9 Mon Sep 17 00:00:00 2001 
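Review bot: The new `it.each` case always passes `aiResolutionEnabled: true`, so the rule that the warning is hidden when the resolution is disabled is never exercised. Since the component only sets the flag when both `aiResolutionEnabled` and `showPublicProjectWarning` are true, I would add a case with `aiResolutionEnabled: false, showResolveWithAi: true, showPublicProjectWarning: true` that ends in `expect(wrapper.findByTestId('public-project-warning').exists()).toBe(false);`. The enclosing `describe` starts outside the hunk.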
From: Dave Pisek Date: Thu, 14 Nov 2024 14:32:19 +0100 Subject: [PATCH 2/4] Feedback: Rename method and fix typo --- .../components/vulnerability_actions_dropdown.vue | 4 ++-- ee/spec/frontend/vulnerabilities/header_spec.js | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ee/app/assets/javascripts/vulnerabilities/components/vulnerability_actions_dropdown.vue b/ee/app/assets/javascripts/vulnerabilities/components/vulnerability_actions_dropdown.vue index cc826bc72b0f78..a36df5f4523306 100644 --- a/ee/app/assets/javascripts/vulnerabilities/components/vulnerability_actions_dropdown.vue +++ b/ee/app/assets/javascripts/vulnerabilities/components/vulnerability_actions_dropdown.vue @@ -146,7 +146,7 @@ export default { }, }, methods: { - emitActionName({ name, disabled }) { + emitSelectedActionName({ name, disabled }) { if (!disabled) { this.$emit(name); } @@ -183,7 +183,7 @@ export default { '!gl-bg-gray-10': action.disabled, }" :data-testid="`${action.name}-action-dropdown-item`" - @action="emitActionName" + @action="emitSelectedActionName" >
@@ -234,14 +231,11 @@ export default {

- +

-- GitLab From cb12b4ec6ea31834c7c331ce977512bfaa7aef3f Mon Sep 17 00:00:00 2001 From: Dave Pisek Date: Fri, 15 Nov 2024 10:26:30 +0100 Subject: [PATCH 4/4] Make testid generic --- .../components/vulnerability_actions_dropdown.vue | 2 +- .../vulnerabilities/vulnerability_actions_dropdown_spec.js | 4 +--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/ee/app/assets/javascripts/vulnerabilities/components/vulnerability_actions_dropdown.vue b/ee/app/assets/javascripts/vulnerabilities/components/vulnerability_actions_dropdown.vue index 73bb7e09f74c3e..cfd9176935e7bf 100644 --- a/ee/app/assets/javascripts/vulnerabilities/components/vulnerability_actions_dropdown.vue +++ b/ee/app/assets/javascripts/vulnerabilities/components/vulnerability_actions_dropdown.vue @@ -225,7 +225,7 @@ export default {
diff --git a/ee/spec/frontend/vulnerabilities/vulnerability_actions_dropdown_spec.js b/ee/spec/frontend/vulnerabilities/vulnerability_actions_dropdown_spec.js index 7f39fe6baefc03..46ec5343e742cc 100644 --- a/ee/spec/frontend/vulnerabilities/vulnerability_actions_dropdown_spec.js +++ b/ee/spec/frontend/vulnerabilities/vulnerability_actions_dropdown_spec.js @@ -226,9 +226,7 @@ describe('ee/vulnerabilities/components/vulnerability_actions_dropdown.vue', () showPublicProjectWarning, }); - expect(wrapper.findByTestId('public-project-warning').exists()).toBe( - showPublicProjectWarning, - ); + expect(wrapper.findByTestId('ai-action-warning').exists()).toBe(showPublicProjectWarning); }, ); }); -- GitLab