Add comments on what controllers are used by FF

Add comments to the security dashboards'
controllers that explain their behavior and
usage in different states of the
first_class_vulnerabilities feature flag.

ee/app/controllers/groups/security/vulnerabilities_controller.rb

@@ -10,7 +10,19 @@ class Groups::Security::VulnerabilitiesController < Groups::ApplicationControlle
 
   private
 
+  # See the table below to understand the relation between first_class_vulnerabilities feature state and
+  # Group Security Dashboard controller being used:
+  #
+  # | first_class_vulnerabilities | controller to use                     |
+  # |---------------------------- | ------------------------------------- |
+  # | enabled                     | groups/security/vulnerability_findings |
+  # | disabled                    | groups/security/vulnerabilities        |
+  #
+  # The reason is that when first_class_vulnerabilities is enabled, Vulnerabilities name is reserved for
+  # Standalone Vulnerabilities https://gitlab.com/gitlab-org/gitlab/issues/13561, and the entity that
+  # was previously returned by Vulnerabilities-named endpoints get the name of Vulnerability Findings.
+  # See also: https://gitlab.com/gitlab-org/gitlab/merge_requests/19029
   def vulnerabilities_action_enabled?
-    Feature.disabled?(:vulnerability_findings_api)
+    Feature.disabled?(:first_class_vulnerabilities)
   end
 end

ee/app/controllers/groups/security/vulnerability_findings_controller.rb

@@ -10,7 +10,19 @@ class Groups::Security::VulnerabilityFindingsController < Groups::ApplicationCon
 
   private
 
+  # See the table below to understand the relation between first_class_vulnerabilities feature state and
+  # Group Security Dashboard controller being used:
+  #
+  # | first_class_vulnerabilities | controller to use                     |
+  # |---------------------------- | ------------------------------------- |
+  # | enabled                     | groups/security/vulnerability_findings |
+  # | disabled                    | groups/security/vulnerabilities        |
+  #
+  # The reason is that when first_class_vulnerabilities is enabled, Vulnerabilities name is reserved for
+  # Standalone Vulnerabilities https://gitlab.com/gitlab-org/gitlab/issues/13561, and the entity that
+  # was previously returned by Vulnerabilities-named endpoints get the name of Vulnerability Findings.
+  # See also: https://gitlab.com/gitlab-org/gitlab/merge_requests/19029
   def vulnerabilities_action_enabled?
-    Feature.enabled?(:vulnerability_findings_api)
+    Feature.enabled?(:first_class_vulnerabilities)
   end
 end

ee/app/controllers/projects/security/vulnerabilities_controller.rb

@@ -9,6 +9,18 @@ class Projects::Security::VulnerabilitiesController < Projects::ApplicationContr
 
   private
 
+  # See the table below to understand the relation between first_class_vulnerabilities feature state and
+  # Group Security Dashboard controller being used:
+  #
+  # | first_class_vulnerabilities | controller to use                        |
+  # |---------------------------- | ---------------------------------------- |
+  # | enabled                     | projects/security/vulnerability_findings |
+  # | disabled                    | projects/security/vulnerabilities        |
+  #
+  # The reason is that when first_class_vulnerabilities is enabled, Vulnerabilities name is reserved for
+  # Standalone Vulnerabilities https://gitlab.com/gitlab-org/gitlab/issues/13561, and the entity that
+  # was previously returned by Vulnerabilities-named endpoints get the name of Vulnerability Findings.
+  # See also: https://gitlab.com/gitlab-org/gitlab/merge_requests/19029
   def vulnerabilities_action_enabled?
     Feature.disabled?(:first_class_vulnerabilities)
   end

ee/app/controllers/projects/security/vulnerability_findings_controller.rb

@@ -9,6 +9,18 @@ class Projects::Security::VulnerabilityFindingsController < Projects::Applicatio
 
   private
 
+  # See the table below to understand the relation between first_class_vulnerabilities feature state and
+  # Group Security Dashboard controller being used:
+  #
+  # | first_class_vulnerabilities | controller to use                        |
+  # |---------------------------- | ---------------------------------------- |
+  # | enabled                     | projects/security/vulnerability_findings |
+  # | disabled                    | projects/security/vulnerabilities        |
+  #
+  # The reason is that when first_class_vulnerabilities is enabled, Vulnerabilities name is reserved for
+  # Standalone Vulnerabilities https://gitlab.com/gitlab-org/gitlab/issues/13561, and the entity that
+  # was previously returned by Vulnerabilities-named endpoints get the name of Vulnerability Findings.
+  # See also: https://gitlab.com/gitlab-org/gitlab/merge_requests/19029
   def vulnerabilities_action_enabled?
     Feature.enabled?(:first_class_vulnerabilities)
   end

ee/app/helpers/ee/groups_helper.rb

@@ -62,7 +62,7 @@ module EE
 
     def group_vulnerabilities_endpoint_path(group)
       params = group_path_params(group)
-      if ::Feature.enabled?(:vulnerability_findings_api)
+      if ::Feature.enabled?(:first_class_vulnerabilities)
         group_security_vulnerability_findings_path(params)
       else
         group_security_vulnerabilities_path(params)
@@ -71,7 +71,7 @@ module EE
 
     def group_vulnerabilities_summary_endpoint_path(group)
       params = group_path_params(group)
-      if ::Feature.enabled?(:vulnerability_findings_api)
+      if ::Feature.enabled?(:first_class_vulnerabilities)
         summary_group_security_vulnerability_findings_path(params)
       else
         summary_group_security_vulnerabilities_path(params)
@@ -80,7 +80,7 @@ module EE
 
     def group_vulnerabilities_history_endpoint_path(group)
       params = group_path_params(group)
-      if ::Feature.enabled?(:vulnerability_findings_api)
+      if ::Feature.enabled?(:first_class_vulnerabilities)
         history_group_security_vulnerability_findings_path(params)
       else
         history_group_security_vulnerabilities_path(params)

ee/spec/controllers/groups/security/vulnerabilities_controller_spec.rb

@@ -24,7 +24,7 @@ describe Groups::Security::VulnerabilitiesController do
 
   context 'when new Vulnerability Findings API is disabled' do
     before do
-      stub_feature_flags(vulnerability_findings_api: false)
+      stub_feature_flags(first_class_vulnerabilities: false)
     end
 
     # when new Vulnerability Findings API is disabled, we fall back to this controller

ee/spec/controllers/groups/security/vulnerability_findings_controller_spec.rb

@@ -23,7 +23,7 @@ describe Groups::Security::VulnerabilityFindingsController do
 
   context 'when new Vulnerability Findings API is disabled' do
     before do
-      stub_feature_flags(vulnerability_findings_api: false)
+      stub_feature_flags(first_class_vulnerabilities: false)
     end
 
     # when new Vulnerability Findings API is disabled, this controller is disabled as well

ee/spec/helpers/ee/groups_helper_spec.rb

@@ -61,7 +61,7 @@ describe GroupsHelper do
 
   context 'when new Vulnerability Findings API disabled' do
     before do
-      stub_feature_flags(vulnerability_findings_api: false)
+      stub_feature_flags(first_class_vulnerabilities: false)
     end
 
     it 'returns legacy "vulnerabilities" endpoint paths' do