Remove feature flag from vulnerability GQL fields

Since the feature flag can't be scoped to a specific project, it's
making it hard to test this feature in production. Removing the flag
will allow us to test the fields and it's been decided that it's okay
for customers to begin consuming the fields.

https://gitlab.com/gitlab-org/gitlab/-/issues/215568

doc/api/graphql/reference/gitlab_schema.graphql

@@ -4001,8 +4001,7 @@ type Group {
   visibility: String
 
   """
-  Vulnerabilities reported on the projects in the group and its subgroups.
-  Available only when feature flag `first_class_vulnerabilities` is enabled
+  Vulnerabilities reported on the projects in the group and its subgroups
   """
   vulnerabilities(
     """
@@ -7237,7 +7236,7 @@ type Project {
   visibility: String
 
   """
-  Vulnerabilities reported on the project. Available only when feature flag `first_class_vulnerabilities` is enabled
+  Vulnerabilities reported on the project
   """
   vulnerabilities(
     """
@@ -7282,8 +7281,7 @@ type Project {
   ): VulnerabilityConnection
 
   """
-  Counts for each severity of vulnerability of the project. Available only when
-  feature flag `first_class_vulnerabilities` is enabled
+  Counts for each severity of vulnerability of the project
   """
   vulnerabilitySeveritiesCount: VulnerabilitySeveritiesCount
 

doc/api/graphql/reference/gitlab_schema.json

@@ -11257,7 +11257,7 @@
             },
             {
               "name": "vulnerabilities",
-              "description": "Vulnerabilities reported on the projects in the group and its subgroups. Available only when feature flag `first_class_vulnerabilities` is enabled",
+              "description": "Vulnerabilities reported on the projects in the group and its subgroups",
               "args": [
                 {
                   "name": "projectId",
@@ -21409,7 +21409,7 @@
             },
             {
               "name": "vulnerabilities",
-              "description": "Vulnerabilities reported on the project. Available only when feature flag `first_class_vulnerabilities` is enabled",
+              "description": "Vulnerabilities reported on the project",
               "args": [
                 {
                   "name": "projectId",
@@ -21534,7 +21534,7 @@
             },
             {
               "name": "vulnerabilitySeveritiesCount",
-              "description": "Counts for each severity of vulnerability of the project. Available only when feature flag `first_class_vulnerabilities` is enabled",
+              "description": "Counts for each severity of vulnerability of the project",
               "args": [
 
               ],

doc/api/graphql/reference/index.md

@@ -1044,7 +1044,7 @@ Information about pagination in a connection.
 | `tagList` | String | List of project topics (not Git tags) |
 | `userPermissions` | ProjectPermissions! | Permissions for the current user on the resource |
 | `visibility` | String | Visibility of the project |
-| `vulnerabilitySeveritiesCount` | VulnerabilitySeveritiesCount | Counts for each severity of vulnerability of the project. Available only when feature flag `first_class_vulnerabilities` is enabled |
+| `vulnerabilitySeveritiesCount` | VulnerabilitySeveritiesCount | Counts for each severity of vulnerability of the project |
 | `webUrl` | String | Web URL of the project |
 | `wikiEnabled` | Boolean | Indicates if Wikis are enabled for the current user |
 

ee/app/graphql/ee/types/group_type.rb

@@ -30,8 +30,7 @@ module EE
               ::Types::VulnerabilityType.connection_type,
               null: true,
               description: 'Vulnerabilities reported on the projects in the group and its subgroups',
-              resolver: Resolvers::VulnerabilitiesResolver,
-              feature_flag: :first_class_vulnerabilities
+              resolver: Resolvers::VulnerabilitiesResolver
       end
     end
   end

ee/app/graphql/ee/types/project_type.rb

@@ -16,12 +16,10 @@ module EE
               ::Types::VulnerabilityType.connection_type,
               null: true,
               description: 'Vulnerabilities reported on the project',
-              resolver: Resolvers::VulnerabilitiesResolver,
-              feature_flag: :first_class_vulnerabilities
+              resolver: Resolvers::VulnerabilitiesResolver
 
         field :vulnerability_severities_count, ::Types::VulnerabilitySeveritiesCountType, null: true,
                description: 'Counts for each severity of vulnerability of the project',
-               feature_flag: :first_class_vulnerabilities,
                resolve: -> (obj, _args, ctx) do
                  Hash.new(0).merge(
                    obj.vulnerabilities.with_states([:detected, :confirmed]).counts_by_severity

ee/changelogs/unreleased/215568-remove-vuln-gql-ff.yml

+---
+title: Add vulnerability fields to GraphQL project, group, and global scope
+merge_request: 30663
+author:
+type: added

ee/spec/graphql/ee/types/group_type_spec.rb

@@ -49,37 +49,20 @@ describe GitlabSchema.types['Group'] do
     end
 
     before do
+      stub_licensed_features(security_dashboard: true)
+
       group.add_developer(user)
     end
 
     subject { GitlabSchema.execute(query, context: { current_user: user }).as_json }
 
-    context 'when first_class_vulnerabilities is disabled' do
-      before do
-        stub_feature_flags(first_class_vulnerabilities: false)
-      end
-
-      it 'is null' do
-        vulnerabilities = subject.dig('data', 'group', 'vulnerabilities')
-
-        expect(vulnerabilities).to be_nil
-      end
-    end
-
-    context 'when first_class_vulnerabilities is enabled' do
-      before do
-        stub_feature_flags(first_class_vulnerabilities: true)
-        stub_licensed_features(security_dashboard: true)
-      end
-
-      it "returns the vulnerabilities for all projects in the group and its subgroups" do
-        vulnerabilities = subject.dig('data', 'group', 'vulnerabilities', 'nodes')
+    it "returns the vulnerabilities for all projects in the group and its subgroups" do
+      vulnerabilities = subject.dig('data', 'group', 'vulnerabilities', 'nodes')
 
-        expect(vulnerabilities.count).to be(1)
-        expect(vulnerabilities.first['title']).to eq('A terrible one!')
-        expect(vulnerabilities.first['state']).to eq('DETECTED')
-        expect(vulnerabilities.first['severity']).to eq('CRITICAL')
-      end
+      expect(vulnerabilities.count).to be(1)
+      expect(vulnerabilities.first['title']).to eq('A terrible one!')
+      expect(vulnerabilities.first['state']).to eq('DETECTED')
+      expect(vulnerabilities.first['severity']).to eq('CRITICAL')
     end
   end
 end

ee/spec/graphql/types/project_type_spec.rb

@@ -8,6 +8,8 @@ describe GitlabSchema.types['Project'] do
   let_it_be(:vulnerability) { create(:vulnerability, project: project, severity: :high) }
 
   before do
+    stub_licensed_features(security_dashboard: true)
+
     project.add_developer(user)
   end
 
@@ -45,32 +47,13 @@ describe GitlabSchema.types['Project'] do
 
     subject { GitlabSchema.execute(query, context: { current_user: user }).as_json }
 
-    context 'when first_class_vulnerabilities is disabled' do
-      before do
-        stub_feature_flags(first_class_vulnerabilities: false)
-      end
-
-      it 'is null' do
-        vulnerabilities = subject.dig('data', 'project', 'vulnerabilities')
-
-        expect(vulnerabilities).to be_nil
-      end
-    end
-
-    context 'when first_class_vulnerabilities is enabled' do
-      before do
-        stub_feature_flags(first_class_vulnerabilities: true)
-        stub_licensed_features(security_dashboard: true)
-      end
-
-      it "returns the project's vulnerabilities" do
-        vulnerabilities = subject.dig('data', 'project', 'vulnerabilities', 'nodes')
+    it "returns the project's vulnerabilities" do
+      vulnerabilities = subject.dig('data', 'project', 'vulnerabilities', 'nodes')
 
-        expect(vulnerabilities.count).to be(1)
-        expect(vulnerabilities.first['title']).to eq('A terrible one!')
-        expect(vulnerabilities.first['state']).to eq('DETECTED')
-        expect(vulnerabilities.first['severity']).to eq('CRITICAL')
-      end
+      expect(vulnerabilities.count).to be(1)
+      expect(vulnerabilities.first['title']).to eq('A terrible one!')
+      expect(vulnerabilities.first['state']).to eq('DETECTED')
+      expect(vulnerabilities.first['severity']).to eq('CRITICAL')
     end
   end
 end

ee/spec/requests/api/graphql/project/vulnerability_severities_count_spec.rb

@@ -23,33 +23,16 @@ describe 'Query.project(fullPath).vulnerabilitySeveritiesCount' do
   end
 
   before do
+    stub_licensed_features(security_dashboard: true)
+
     project.add_developer(user)
   end
 
   subject { GitlabSchema.execute(query, context: { current_user: user }).as_json }
 
-  context 'when first_class_vulnerabilities is disabled' do
-    before do
-      stub_feature_flags(first_class_vulnerabilities: false)
-    end
-
-    it 'is null' do
-      vulnerabilities = subject.dig('data', 'project', 'vulnerabilitySeveritiesCount')
-
-      expect(vulnerabilities).to be_nil
-    end
-  end
-
-  context 'when first_class_vulnerabilities is enabled' do
-    before do
-      stub_feature_flags(first_class_vulnerabilities: true)
-      stub_licensed_features(security_dashboard: true)
-    end
-
-    it "returns counts for each severity of the project's detected or confirmed vulnerabilities" do
-      high_count = subject.dig('data', 'project', 'vulnerabilitySeveritiesCount', 'high')
+  it "returns counts for each severity of the project's detected or confirmed vulnerabilities" do
+    high_count = subject.dig('data', 'project', 'vulnerabilitySeveritiesCount', 'high')
 
-      expect(high_count).to be(2)
-    end
+    expect(high_count).to be(2)
   end
 end