Merge branch 'protect-reorder-vuln-check' into 'master'

Reorder vuln check criteria

See merge request gitlab-org/gitlab!68503

doc/user/application_security/index.md

@@ -194,14 +194,19 @@ merge request would introduce one of the following security issues:
 When the Vulnerability-Check merge request rule is enabled, additional merge request approval
 is required when the latest security report in a merge request:
 
-- Contains a vulnerability of `high`, `critical`, or `unknown` severity that is not present in the
+- Contains vulnerabilities that are not present in the
   target branch. Note that approval is still required for dismissed vulnerabilities.
+- Contains vulnerabilities with severity levels (for example, `high`, `critical`, or `unknown`)
+  matching the rule's severity levels.
+- Contains a vulnerability count higher than the rule allows.
 - Is not generated during pipeline execution.
 
 An approval is optional when the security report:
 
 - Contains no new vulnerabilities when compared to the target branch.
-- Contains only new vulnerabilities of `low` or `medium` severity.
+- Contains only vulnerabilities with severity levels (for example, `low`, `medium`) **NOT** matching
+  the rule's severity levels.
+- Contains a vulnerability count equal to or less than what the rule allows.
 
 When the License-Check merge request rule is enabled, additional approval is required if a merge
 request contains a denied license. For more details, see [Enabling license approvals within a project](../compliance/license_compliance/index.md#enabling-license-approvals-within-a-project).
@@ -219,16 +224,19 @@ Follow these steps to enable `Vulnerability-Check`:
 1. Go to your project and select **Settings > General**.
 1. Expand **Merge request approvals**.
 1. Select **Enable** or **Edit**.
-1. Add or change the **Rule name** to `Vulnerability-Check` (case sensitive).
-1. Set the **No. of approvals required** to greater than zero.
+1. Set the **Security scanners** that the rule applies to.
 1. Select the **Target branch**.
+1. Set the **Vulnerabilities allowed** to the number of vulnerabilities allowed before the rule is
+   triggered.
+1. Set the **Severity levels** to the severity levels that the rule applies to.
+1. Set the **Approvals required** to the number of approvals that the rule requires.
 1. Select the users or groups to provide approval.
 1. Select **Add approval rule**.
 
 Once this group is added to your project, the approval rule is enabled for all merge requests.
 Any code changes cause the approvals required to reset.
 
-![Vulnerability Check Approver Rule](img/vulnerability-check_v13_4.png)
+![Vulnerability Check Approver Rule](img/vulnerability-check_v14_2.png)
 
 ## Using private Maven repositories
 

ee/app/assets/javascripts/approvals/components/rule_form.vue

@@ -461,21 +461,6 @@ export default {
         data-testid="name"
       />
     </gl-form-group>
-    <gl-form-group
-      v-if="showProtectedBranch"
-      :label="$options.APPROVAL_DIALOG_I18N.form.protectedBranchLabel"
-      :description="$options.APPROVAL_DIALOG_I18N.form.protectedBranchDescription"
-      :state="isValidBranches"
-      :invalid-feedback="invalidBranches"
-      data-testid="branches-group"
-    >
-      <protected-branches-selector
-        v-model="branchesToAdd"
-        :project-id="settings.projectId"
-        :is-invalid="!isValidBranches"
-        :selected-branches="branches"
-      />
-    </gl-form-group>
     <gl-form-group
       v-if="isVulnerabilityCheck"
       :label="$options.APPROVAL_DIALOG_I18N.form.scannersLabel"
@@ -504,6 +489,38 @@ export default {
         </gl-dropdown-item>
       </gl-dropdown>
     </gl-form-group>
+    <gl-form-group
+      v-if="showProtectedBranch"
+      :label="$options.APPROVAL_DIALOG_I18N.form.protectedBranchLabel"
+      :description="$options.APPROVAL_DIALOG_I18N.form.protectedBranchDescription"
+      :state="isValidBranches"
+      :invalid-feedback="invalidBranches"
+      data-testid="branches-group"
+    >
+      <protected-branches-selector
+        v-model="branchesToAdd"
+        :project-id="settings.projectId"
+        :is-invalid="!isValidBranches"
+        :selected-branches="branches"
+      />
+    </gl-form-group>
+    <gl-form-group
+      v-if="isVulnerabilityCheck"
+      :label="$options.APPROVAL_DIALOG_I18N.form.vulnerabilitiesAllowedLabel"
+      :description="$options.APPROVAL_DIALOG_I18N.form.vulnerabilitiesAllowedDescription"
+      :state="isValidVulnerabilitiesAllowed"
+      :invalid-feedback="invalidVulnerabilitiesAllowedError"
+      data-testid="vulnerability-amount-group"
+    >
+      <gl-form-input
+        v-model.number="vulnerabilitiesAllowed"
+        :state="isValidVulnerabilitiesAllowed"
+        min="0"
+        class="mw-6em"
+        type="number"
+        data-testid="vulnerability-amount"
+      />
+    </gl-form-group>
     <gl-form-group
       v-if="isVulnerabilityCheck"
       :label="$options.APPROVAL_DIALOG_I18N.form.severityLevelsLabel"
@@ -548,23 +565,6 @@ export default {
         data-qa-selector="approvals_required_field"
       />
     </gl-form-group>
-    <gl-form-group
-      v-if="isVulnerabilityCheck"
-      :label="$options.APPROVAL_DIALOG_I18N.form.vulnerabilitiesAllowedLabel"
-      :description="$options.APPROVAL_DIALOG_I18N.form.vulnerabilitiesAllowedDescription"
-      :state="isValidVulnerabilitiesAllowed"
-      :invalid-feedback="invalidVulnerabilitiesAllowedError"
-      data-testid="vulnerability-amount-group"
-    >
-      <gl-form-input
-        v-model.number="vulnerabilitiesAllowed"
-        :state="isValidVulnerabilitiesAllowed"
-        min="0"
-        class="mw-6em"
-        type="number"
-        data-testid="vulnerability-amount"
-      />
-    </gl-form-group>
     <gl-form-group
       :label="$options.APPROVAL_DIALOG_I18N.form.approversLabel"
       :state="isValidApprovers"

ee/app/assets/javascripts/approvals/components/security_configuration/unconfigured_security_rules.vue

@@ -44,7 +44,7 @@ export default {
             'SecurityApprovals|Configurable if security scanners are enabled. %{linkStart}Learn more.%{linkEnd}',
           ),
           enableDescription: s__(
-            'SecurityApprovals|Requires approval for vulnerabilities of Critical, High, or Unknown severity. %{linkStart}Learn more.%{linkEnd}',
+            'SecurityApprovals|Requires approval for vulnerabilities. %{linkStart}Learn more.%{linkEnd}',
           ),
           docsPath: this.vulnerabilityCheckHelpPagePath,
         },

ee/app/assets/javascripts/approvals/constants.js

@@ -27,7 +27,7 @@ export const APPROVAL_RULE_CONFIGS = {
   [VULNERABILITY_CHECK_NAME]: {
     title: s__('SecurityApprovals|Vulnerability-Check'),
     popoverText: s__(
-      'SecurityApprovals|A merge request approval is required when a security report contains a new vulnerability of high, critical, or unknown severity.',
+      'SecurityApprovals|A merge request approval is required when a security report contains a new vulnerability.',
     ),
     documentationText: s__('SecurityApprovals|Learn more about Vulnerability-Check'),
   },

locale/gitlab.pot

@@ -29472,7 +29472,7 @@ msgstr ""
 msgid "Security report is out of date. Run %{newPipelineLinkStart}a new pipeline%{newPipelineLinkEnd} for the target branch (%{targetBranchName})"
 msgstr ""
 
-msgid "SecurityApprovals|A merge request approval is required when a security report contains a new vulnerability of high, critical, or unknown severity."
+msgid "SecurityApprovals|A merge request approval is required when a security report contains a new vulnerability."
 msgstr ""
 
 msgid "SecurityApprovals|A merge request approval is required when test coverage declines."
@@ -29508,7 +29508,7 @@ msgstr ""
 msgid "SecurityApprovals|Requires approval for decreases in test coverage. %{linkStart}More information%{linkEnd}"
 msgstr ""
 
-msgid "SecurityApprovals|Requires approval for vulnerabilities of Critical, High, or Unknown severity. %{linkStart}Learn more.%{linkEnd}"
+msgid "SecurityApprovals|Requires approval for vulnerabilities. %{linkStart}Learn more.%{linkEnd}"
 msgstr ""
 
 msgid "SecurityApprovals|Test coverage must be enabled. %{linkStart}Learn more%{linkEnd}."