Merge branch...

Merge branch '425753-feature-flag-cleanup-of-dependency_scanning_on_advisory_ingestion' into 'master' 

Remove FF dependency_scanning_on_advisory_ingestion

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144546



Merged-by: Jarka Košanová <jarka@gitlab.com>
Approved-by: Fabien Catteau <fcatteau@gitlab.com>
Approved-by: Jarka Košanová <jarka@gitlab.com>
Reviewed-by: Thiago Figueiró <tfigueiro@gitlab.com>
Co-authored-by: Thiago Figueiró <tfigueiro@gitlab.com>

doc/user/application_security/continuous_vulnerability_scanning/index.md

@@ -12,10 +12,7 @@ DETAILS:
 
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/371063) in GitLab 16.4 as an [Experiment](../../../policy/experiment-beta-support.md#experiment) with two [features flags](../../../administration/feature_flags.md) named `dependency_scanning_on_advisory_ingestion` and `package_metadata_advisory_sync`. Enabled by default.
 > - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/427424) in GitLab 16.7 with an additional feature flag named `global_dependency_scanning_on_advisory_ingestion`. Enabled by default.
-
-FLAG:
-On self-managed GitLab, by default this feature is available. To hide the feature, an administrator can [disable the feature flags](../../feature_flags.md) named `dependency_scanning_on_advisory_ingestion`.
-On GitLab.com, this feature is available.
+> - [Feature flag `dependency_scanning_on_advisory_ingestion` removed](https://gitlab.com/gitlab-org/gitlab/-/issues/425753) in GitLab 16.10.
 
 Continuous Vulnerability Scanning detects new vulnerabilities outside a pipeline.
 Your projects are automatically scanned whenever advisories are added to the [`GitLab Advisory Database`](https://advisories.gitlab.com/).

ee/app/policies/ee/project_policy.rb

@@ -447,6 +447,7 @@ module ProjectPolicy
         enable :read_project_audit_events
         enable :read_product_analytics
         enable :create_workspace
+        enable :enable_continuous_vulnerability_scans
       end
 
       rule { can?(:reporter_access) & iterations_available }.policy do
@@ -694,10 +695,6 @@ module ProjectPolicy
           .default_project_deletion_protection
       end
 
-      condition(:continuous_vulnerability_scanning_available) do
-        ::Feature.enabled?(:dependency_scanning_on_advisory_ingestion)
-      end
-
       desc "Custom role on project that enables manage project access tokens"
       condition(:role_enables_manage_project_access_tokens) do
         ::Auth::MemberRoleAbilityLoader.new(
@@ -883,10 +880,6 @@ module ProjectPolicy
         (maintainer | owner | admin) & pages_multiple_versions_available
       end.enable :pages_multiple_versions
 
-      rule { continuous_vulnerability_scanning_available & can?(:developer_access) }.policy do
-        enable :enable_continuous_vulnerability_scans
-      end
-
       rule { can?(:reporter_access) & tracing_enabled }.policy do
         enable :read_tracing
       end

ee/app/services/package_metadata/ingestion/advisory/ingestion_service.rb

@@ -38,11 +38,6 @@ def publish!
             source_xid = data_object.source_xid
             advisory_xid = data_object.advisory_xid
 
-            if source_xid == 'glad' && Feature.disabled?(:dependency_scanning_on_advisory_ingestion)
-              log_skipped_advisory(source_xid, advisory_xid)
-              next
-            end
-
             if source_xid == 'trivy-db' && Feature.disabled?(:container_scanning_continuous_vulnerability_scans,
               Feature.current_request, type: :beta)
               log_skipped_advisory(source_xid, advisory_xid)

ee/config/feature_flags/development/dependency_scanning_on_advisory_ingestion.yml

----
-name: dependency_scanning_on_advisory_ingestion
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/127805
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/419550
-milestone: '16.3'
-type: development
-group: group::composition analysis
-default_enabled: true

ee/spec/requests/api/graphql/mutations/security/configuration/project_set_continuous_vulnerability_scanning_spec.rb

@@ -35,40 +35,21 @@
       project.add_developer(current_user)
     end
 
-    context 'and feature is enabled' do
-      before do
-        stub_feature_flags(dependency_scanning_on_advisory_ingestion: true)
-      end
-
-      where(:value_before, :enable, :value_after) do
-        true  | false | false
-        true  | true  | true
-        false | true  | true
-        false | false | false
-      end
-
-      with_them do
-        it 'updates the project setting and returns the new value' do
-          post_graphql_mutation(mutation, current_user: current_user)
-
-          response = graphql_mutation_response(mutation_name)
-          expect(response).to include({ 'continuousVulnerabilityScanningEnabled' => value_after, 'errors' => [] })
-
-          expect(security_setting.reload.continuous_vulnerability_scans_enabled).to eq(value_after)
-        end
-      end
+    where(:value_before, :enable, :value_after) do
+      true  | false | false
+      true  | true  | true
+      false | true  | true
+      false | false | false
     end
 
-    context 'and feature is disabled' do
-      before do
-        stub_feature_flags(dependency_scanning_on_advisory_ingestion: false)
-      end
+    with_them do
+      it 'updates the project setting and returns the new value' do
+        post_graphql_mutation(mutation, current_user: current_user)
 
-      it_behaves_like 'a mutation that returns a top-level access error'
+        response = graphql_mutation_response(mutation_name)
+        expect(response).to include({ 'continuousVulnerabilityScanningEnabled' => value_after, 'errors' => [] })
 
-      it 'does not enable cvs' do
-        expect { post_graphql_mutation(mutation, current_user: current_user) }
-          .not_to change { security_setting.reload.continuous_vulnerability_scans_enabled }
+        expect(security_setting.reload.continuous_vulnerability_scans_enabled).to eq(value_after)
       end
     end
   end

ee/spec/services/package_metadata/ingestion/advisory/ingestion_service_spec.rb

@@ -12,11 +12,11 @@
     let(:old_advisories) { build_list(:pm_advisory_data_object, 5, published_date: Time.zone.now - 14.days - 1.second) }
     let(:import_data) { recent_advisories + old_advisories }
 
-    where(:ds_ff_enabled, :cs_ff_enabled) do
-      true  | true
-      true  | false
-      false | true
-      false | false
+    where(:cs_ff_enabled) do
+      [
+        true,
+        false
+      ]
     end
 
     with_them do
@@ -31,7 +31,6 @@
       end
 
       before do
-        stub_feature_flags(dependency_scanning_on_advisory_ingestion: ds_ff_enabled)
         value = cs_ff_enabled ? 100 : 0
         Feature.enable_percentage_of_actors(:container_scanning_continuous_vulnerability_scans, value)
         allow(Gitlab::AppJsonLogger).to receive(:warn).and_call_original
@@ -51,20 +50,20 @@
                                                        .pluck(:source_xid, :advisory_xid)
 
         expected = recent_advisories.filter_map do |obj|
-          if (obj.source_xid == 'glad' && ds_ff_enabled) || (obj.source_xid == 'trivy-db' && cs_ff_enabled)
+          if (obj.source_xid == 'glad') || (obj.source_xid == 'trivy-db' && cs_ff_enabled)
             [obj.source_xid, obj.advisory_xid]
           end
         end
 
         expect(received_advisories).to match_array(expected)
 
-        if ds_ff_enabled || cs_ff_enabled
+        if cs_ff_enabled
           expect(Gitlab::AppJsonLogger).to have_received(:info)
             .with(message: 'Queued scan for advisory', source_xid: anything, advisory_xid: anything)
             .at_least(:once)
         end
 
-        if !ds_ff_enabled || !cs_ff_enabled
+        unless cs_ff_enabled
           expect(Gitlab::AppJsonLogger).to have_received(:warn)
             .with(message: 'Skipped scan for advisory', source_xid: anything, advisory_xid: anything)
             .at_least(:once)