Merge branch '346266-feature-flag-enable-compliance-violations-report' into 'master'

[Feature flag] Enable compliance violations report

See merge request gitlab-org/gitlab!83959

doc/user/compliance/compliance_report/index.md

@@ -9,17 +9,19 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/36524) in GitLab 12.8 as Compliance Dashboard.
 > - [Renamed](https://gitlab.com/gitlab-org/gitlab/-/issues/299360) to compliance report in GitLab 14.2.
+> - [Replaced](https://gitlab.com/groups/gitlab-org/-/epics/5237) by merge request violations in GitLab 14.6 [with a flag](../../../administration/feature_flags.md) named `compliance_violations_report`. Disabled by default.
+> - GraphQL API [introduced](https://gitlab.com/groups/gitlab-org/-/epics/7222) in GitLab 14.9.
+> - [Generally available](https://gitlab.com/groups/gitlab-org/-/epics/5237) in GitLab 14.10. [Feature flag `compliance_violations_report`](https://gitlab.com/gitlab-org/gitlab/-/issues/346266) removed.
 
 Compliance report gives you the ability to see a group's merge request activity. It provides a
 high-level view for all projects in the group. For example, code approved for merging into
 production.
 
-You can use the report to:
+You can use the report to get:
 
-- Get an overview of the latest merge request for each project.
-- See if merge requests were approved and by whom.
-- See merge request authors.
-- See the latest [CI/CD pipeline](../../../ci/pipelines/index.md) result for each merge request.
+- A list of compliance violations from all merged merge requests within the group.
+- The reason and severity of each compliance violation.
+- A link to the merge request that caused each compliance violation.
 
 ## View the compliance report for a group
 
@@ -32,8 +34,36 @@ To view the compliance report:
 1. On the top bar, select **Menu > Groups** and find your group.
 1. On the left sidebar, select **Security & Compliance > Compliance report**.
 
-NOTE:
-The compliance report shows only the latest merge request on each project.
+### Severity levels scale
+
+The following is a list of available violation severity levels, ranked from most to least severe:
+
+| Icon                                          | Severity level |
+|:----------------------------------------------|:---------------|
+| **{severity-critical, 18, gl-fill-red-800}**  | Critical       |
+| **{severity-high, 18, gl-fill-red-600}**      | High           |
+| **{severity-medium, 18, gl-fill-orange-400}** | Medium         |
+| **{severity-low, 18, gl-fill-orange-300}**    | Low            |
+| **{severity-info, 18, gl-fill-blue-400}**     | Info           |
+
+### Violation types
+
+The following is a list of violations that are either:
+
+- Already available.
+- Aren't available, but which we are tracking in issues.
+
+| Violation                            | Severity level  | Category                                                                               | Description                                                                                                                                                                                      | Availability                                                                    |
+|:-------------------------------------|:----------------|:---------------------------------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------------------------------------------------------------------------------|
+| Author approved merge request        | High            | [Separation of duties](#separation-of-duties)                                          | The author of the merge request approved their own merge request. [Learn more](../../project/merge_requests/approvals/settings.md#prevent-approval-by-author).                                   | [Available in GitLab 14.10](https://gitlab.com/groups/gitlab-org/-/epics/6870)  |
+| Committers approved merge request    | High            | [Separation of duties](#separation-of-duties)                                          | The committers of the merge request approved the merge request they contributed to. [Learn more](../../project/merge_requests/approvals/settings.md#prevent-approvals-by-users-who-add-commits). | [Available in GitLab 14.10](https://gitlab.com/groups/gitlab-org/-/epics/6870)  |
+| Fewer than two approvals             | High            | [Separation of duties](#separation-of-duties)                                          | The merge request was merged with fewer than two approvals. [Learn more](../../project/merge_requests/approvals/rules.md).                                                                       | [Available in GitLab 14.10](https://gitlab.com/groups/gitlab-org/-/epics/6870) |
+| Pipeline failed                      | Medium          | [Pipeline results](../../../ci/pipelines/index.md)                                     | The merge requests pipeline failed and was merged.                                                                                                                                               | [Unavailable](https://gitlab.com/gitlab-org/gitlab/-/issues/346011)             |
+| Pipeline passed with warnings        | Info            | [Pipeline results](../../../ci/pipelines/index.md)                                     | The merge request pipeline passed with warnings and was merged.                                                                                                                                  | [Unavailable](https://gitlab.com/gitlab-org/gitlab/-/issues/346011)             |
+| Code coverage down more than 10%     | High            | [Code coverage](../../../ci/pipelines/settings.md#merge-request-test-coverage-results) | The code coverage report for the merge request indicates a reduction in coverage of more than 10%.                                                                                               | [Unavailable](https://gitlab.com/gitlab-org/gitlab/-/issues/346011)             |
+| Code coverage down between 5% to 10% | Medium          | [Code coverage](../../../ci/pipelines/settings.md#merge-request-test-coverage-results) | The code coverage report for the merge request indicates a reduction in coverage of between 5% to 10%.                                                                                           | [Unavailable](https://gitlab.com/gitlab-org/gitlab/-/issues/346011)             |
+| Code coverage down between 1% to 5%  | Low             | [Code coverage](../../../ci/pipelines/settings.md#merge-request-test-coverage-results) | The code coverage report for the merge request indicates a reduction in coverage of between 1% to 5%.                                                                                            | [Unavailable](https://gitlab.com/gitlab-org/gitlab/-/issues/346011)             |
+| Code coverage down less than 1%      | Info            | [Code coverage](../../../ci/pipelines/settings.md#merge-request-test-coverage-results) | The code coverage report for the merge request indicates a reduction in coverage of less than 1%.                                                                                                | [Unavailable](https://gitlab.com/gitlab-org/gitlab/-/issues/346011)             |
 
 ## Merge request drawer
 
@@ -51,30 +81,15 @@ request:
 - A list of users that approved the merge request.
 - The user that merged the merge request.
 
-## Approval status and separation of duties
-
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/217939) in GitLab 13.3.
+## Separation of duties
 
 We support a separation of duties policy between users who create and approve merge requests.
-The approval status column can help you identify violations of this policy.
 Our criteria for the separation of duties is as follows:
 
 - [A merge request author is **not** allowed to approve their merge request](../../project/merge_requests/approvals/settings.md#prevent-approval-by-author)
 - [A merge request committer is **not** allowed to approve a merge request they have added commits to](../../project/merge_requests/approvals/settings.md#prevent-approvals-by-users-who-add-commits)
 - [The minimum number of approvals required to merge a merge request is **at least** two](../../project/merge_requests/approvals/rules.md)
 
-The **Approval status** column shows you at a glance whether a merge request is complying with the above.
-This column has four states:
-
-| State | Description |
-|:------|:------------|
-| Empty | The merge request approval status is unknown |
-| ![Failed](img/failed_icon_v13_3.png) | The merge request **does not** comply with any of the above criteria |
-| ![Warning](img/warning_icon_v13_3.png) | The merge request complies with **some** of the above criteria |
-| ![Success](img/success_icon_v13_3.png) | The merge request complies with **all** of the above criteria |
-
-If you see a non-success state, review the criteria for the merge request's project to ensure it complies with the separation of duties.
-
 ## Chain of Custody report
 
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/213364) in GitLab 13.3.
@@ -105,64 +120,3 @@ You can generate a commit-specific Chain of Custody report for a given commit SH
 NOTE:
 The Chain of Custody report download is a CSV file, with a maximum size of 15 MB.
 The remaining records are truncated when this limit is reached.
-
-## Merge request violations
-
-> - Introduced in GitLab 14.6. [Deployed behind the `compliance_violations_report` flag](../../../administration/feature_flags.md). Disabled by default.
-> - GraphQL API [introduced](https://gitlab.com/groups/gitlab-org/-/epics/7222) in GitLab 14.9.
-
-FLAG:
-On self-managed GitLab, by default this feature is not available. To make it available,
-ask an administrator to [enable the feature flag](../../../administration/feature_flags.md) named `compliance_violations_report`.
-On GitLab.com, this feature is not available. This feature is not ready for production use.
-
-Merge request violations provide a view of all the [separation of duties](#approval-status-and-separation-of-duties) compliance violations
-that exist in projects in a specific group. For each separation of duties compliance violation, you can see:
-
-- A list of compliance violations.
-- The severity of each compliance violation.
-- Reason for the compliance violation.
-- A link to the merge request that caused the compliance violation.
-
-Merge request violations can be accessed:
-
-- In the GitLab UI.
-- Using the [GraphQL API](../../../api/graphql/reference/index.md#complianceviolation) (GitLab 14.9 and later).
-
-### View merge request violations
-
-To view merge request violations:
-
-1. On the top bar, select **Menu > Groups** and find your group.
-1. On the left sidebar, select **Security & Compliance > Compliance report**.
-
-### Severity levels scale
-
-The following is a list of available violation severity levels, ranked from most to least severe:
-
-| Icon                                          | Severity level |
-|:----------------------------------------------|:---------------|
-| **{severity-critical, 18, gl-fill-red-800}**  | Critical       |
-| **{severity-high, 18, gl-fill-red-600}**      | High           |
-| **{severity-medium, 18, gl-fill-orange-400}** | Medium         |
-| **{severity-low, 18, gl-fill-orange-300}**    | Low            |
-| **{severity-info, 18, gl-fill-blue-400}**     | Info           |
-
-### Violation types
-
-The following is a list of violations that are either:
-
-- Already available.
-- Aren't available, but which we are tracking in issues.
-
-| Violation                            | Severity level  | Category                                                                                | Description                                                                                                                                                                                      | Availability                                                        |
-|:-------------------------------------|:----------------|:----------------------------------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------------------------------------------------------------------|
-| Author approved merge request        | High            | [Separation of duties](#approval-status-and-separation-of-duties)                       | The author of the merge request approved their own merge request. [Learn more](../../project/merge_requests/approvals/settings.md#prevent-approval-by-author).                                   | [Unavailable](https://gitlab.com/groups/gitlab-org/-/epics/6870)    |
-| Committers approved merge request    | High            | [Separation of duties](#approval-status-and-separation-of-duties)                       | The committers of the merge request approved the merge request they contributed to. [Learn more](../../project/merge_requests/approvals/settings.md#prevent-approvals-by-users-who-add-commits). | [Unavailable](https://gitlab.com/groups/gitlab-org/-/epics/6870)    |
-| Fewer than two approvals             | High            | [Separation of duties](#approval-status-and-separation-of-duties)                       | The merge request was merged with fewer than two approvals. [Learn more](../../project/merge_requests/approvals/rules.md).                                                                       | [Unavailable](https://gitlab.com/groups/gitlab-org/-/epics/6870)    |
-| Pipeline failed                      | Medium          | [Pipeline results](../../../ci/pipelines/index.md)                                      | The merge requests pipeline failed and was merged.                                                                                                                                               | [Unavailable](https://gitlab.com/gitlab-org/gitlab/-/issues/346011) |
-| Pipeline passed with warnings        | Info            | [Pipeline results](../../../ci/pipelines/index.md)                                      | The merge request pipeline passed with warnings and was merged.                                                                                                                                  | [Unavailable](https://gitlab.com/gitlab-org/gitlab/-/issues/346011) |
-| Code coverage down more than 10%     | High            | [Code coverage](../../../ci/pipelines/settings.md#merge-request-test-coverage-results)  | The code coverage report for the merge request indicates a reduction in coverage of more than 10%.                                                                                               | [Unavailable](https://gitlab.com/gitlab-org/gitlab/-/issues/346011) |
-| Code coverage down between 5% to 10% | Medium          | [Code coverage](../../../ci/pipelines/settings.md#merge-request-test-coverage-results)  | The code coverage report for the merge request indicates a reduction in coverage of between 5% to 10%.                                                                                           | [Unavailable](https://gitlab.com/gitlab-org/gitlab/-/issues/346011) |
-| Code coverage down between 1% to 5%  | Low             | [Code coverage](../../../ci/pipelines/settings.md#merge-request-test-coverage-results)  | The code coverage report for the merge request indicates a reduction in coverage of between 1% to 5%.                                                                                            | [Unavailable](https://gitlab.com/gitlab-org/gitlab/-/issues/346011) |
-| Code coverage down less than 1%      | Info            | [Code coverage](../../../ci/pipelines/settings.md#merge-request-test-coverage-results)  | The code coverage report for the merge request indicates a reduction in coverage of less than 1%.                                                                                                | [Unavailable](https://gitlab.com/gitlab-org/gitlab/-/issues/346011) |

ee/app/assets/javascripts/approvals/components/group_settings/app.vue

@@ -28,7 +28,7 @@ export default {
   links: {
     groupSettingsDocsPath: helpPagePath('user/project/merge_requests/approvals/index.md'),
     separationOfDutiesDocsPath: helpPagePath('user/compliance/compliance_report/index', {
-      anchor: 'approval-status-and-separation-of-duties',
+      anchor: 'separation-of-duties',
     }),
   },
   i18n: {

ee/app/assets/javascripts/compliance_dashboard/compliance_dashboard_bundle.js

 import Vue from 'vue';
 import VueApollo from 'vue-apollo';
 import createDefaultClient from '~/lib/graphql';
-import { parseBoolean } from '~/lib/utils/common_utils';
-import ComplianceDashboard from './components/dashboard.vue';
 import ComplianceReport from './components/report.vue';
 import { buildDefaultFilterParams } from './utils';
 
 export default () => {
   const el = document.getElementById('js-compliance-report');
 
-  const {
-    mergeRequests,
-    emptyStateSvgPath,
-    isLastPage,
-    mergeCommitsCsvExportPath,
-    groupPath,
-  } = el.dataset;
+  const { mergeCommitsCsvExportPath, groupPath } = el.dataset;
 
-  if (gon.features.complianceViolationsReport) {
-    Vue.use(VueApollo);
+  Vue.use(VueApollo);
 
-    const apolloProvider = new VueApollo({
-      defaultClient: createDefaultClient(),
-    });
-
-    const defaultFilterParams = buildDefaultFilterParams(window.location.search);
+  const apolloProvider = new VueApollo({
+    defaultClient: createDefaultClient(),
+  });
 
-    return new Vue({
-      el,
-      apolloProvider,
-      render: (createElement) =>
-        createElement(ComplianceReport, {
-          props: {
-            mergeCommitsCsvExportPath,
-            groupPath,
-            defaultFilterParams,
-          },
-        }),
-    });
-  }
+  const defaultFilterParams = buildDefaultFilterParams(window.location.search);
 
   return new Vue({
     el,
+    apolloProvider,
     render: (createElement) =>
-      createElement(ComplianceDashboard, {
+      createElement(ComplianceReport, {
         props: {
-          mergeRequests: JSON.parse(mergeRequests),
-          isLastPage: parseBoolean(isLastPage),
-          emptyStateSvgPath,
           mergeCommitsCsvExportPath,
+          groupPath,
+          defaultFilterParams,
         },
       }),
   });

ee/app/assets/javascripts/compliance_dashboard/components/dashboard.vue

@@ -8,7 +8,7 @@ import { mapDashboardToDrawerData } from '../utils';
 import MergeRequestDrawer from './drawer.vue';
 import EmptyState from './empty_state.vue';
 import MergeRequestsGrid from './merge_requests/grid.vue';
-import MergeCommitsExportButton from './merge_requests/merge_commits_export_button.vue';
+import MergeCommitsExportButton from './shared/merge_commits_export_button.vue';
 
 export default {
   name: 'ComplianceDashboard',

ee/app/assets/javascripts/compliance_dashboard/components/merge_requests/statuses/approval.vue

 <script>
 import { GlLink, GlTooltipDirective } from '@gitlab/ui';
-
+import { helpPagePath } from '~/helpers/help_page_helper';
 import { s__ } from '~/locale';
 import CiIcon from '~/vue_shared/components/ci_icon.vue';
 
@@ -40,13 +40,14 @@ export default {
     warning: s__('ApprovalStatusTooltip|At least one rule does not adhere to separation of duties'),
     failed: s__('ApprovalStatusTooltip|Fails to adhere to separation of duties'),
   },
+  docLink: helpPagePath('user/compliance/compliance_report/index', {
+    anchor: 'separation-of-duties',
+  }),
 };
 </script>
 
 <template>
-  <gl-link
-    href="https://docs.gitlab.com/ee/user/compliance/compliance_report/#approval-status-and-separation-of-duties"
-  >
+  <gl-link :href="$options.docLink">
     <ci-icon v-gl-tooltip.left="tooltip" class="gl-display-flex" :status="{ icon, group }" />
   </gl-link>
 </template>

ee/app/assets/javascripts/compliance_dashboard/components/report.vue

@@ -12,7 +12,7 @@ import getComplianceViolationsQuery from '../graphql/compliance_violations.query
 import { mapViolations } from '../graphql/mappers';
 import { DEFAULT_SORT, GRAPHQL_PAGE_SIZE, DEFAULT_PAGINATION_CURSORS } from '../constants';
 import { parseViolationsQueryFilter } from '../utils';
-import MergeCommitsExportButton from './merge_requests/merge_commits_export_button.vue';
+import MergeCommitsExportButton from './shared/merge_commits_export_button.vue';
 import MergeRequestDrawer from './drawer.vue';
 import ViolationReason from './violations/reason.vue';
 import ViolationFilter from './violations/filter.vue';
@@ -209,9 +209,7 @@ export default {
     next: __('Next'),
     viewDetailsBtn: __('View details'),
   },
-  documentationPath: helpPagePath('user/compliance/compliance_report/index.md', {
-    anchor: 'approval-status-and-separation-of-duties',
-  }),
+  documentationPath: helpPagePath('user/compliance/compliance_report/index.md'),
   DRAWER_Z_INDEX,
 };
 </script>

ee/app/controllers/groups/security/compliance_dashboards_controller.rb

@@ -6,9 +6,6 @@ class Groups::Security::ComplianceDashboardsController < Groups::ApplicationCont
   layout 'group'
 
   before_action :authorize_compliance_dashboard!
-  before_action do
-    push_frontend_feature_flag(:compliance_violations_report, @group, type: :development, default_enabled: :yaml)
-  end
 
   track_redis_hll_event :show, name: 'g_compliance_dashboard'
 

ee/app/models/concerns/enums/merge_requests/compliance_violation.rb

@@ -4,7 +4,7 @@ module Enums
   module MergeRequests
     module ComplianceViolation
       # Reasons are defined by GitLab in our public documentation.
-      # https://docs.gitlab.com/ee/user/compliance/compliance_dashboard/#approval-status-and-separation-of-duties
+      # https://docs.gitlab.com/ee/user/compliance/compliance_dashboard/#separation-of-duties
       def self.reasons
         {
           ::Gitlab::ComplianceManagement::Violations::ApprovedByMergeRequestAuthor::REASON => 0,

ee/app/views/admin/push_rules/_merge_request_approvals.html.haml

@@ -6,7 +6,7 @@
     %button.btn.gl-button.btn-default.js-settings-toggle{ type: 'button' }
       = expanded_by_default? ? _('Collapse') : _('Expand')
     %p
-      - duties_link_url = help_page_path('user/compliance/compliance_report/index', anchor: 'approval-status-and-separation-of-duties')
+      - duties_link_url = help_page_path('user/compliance/compliance_report/index', anchor: 'separation-of-duties')
       - link_start = '<a href="%{url}" target="_blank" rel="noopener noreferrer">'.html_safe % { url: duties_link_url }
       = s_('MergeRequestApprovals|Enforce %{link_start}separation of duties%{link_end} for all projects.').html_safe % { link_start: link_start, link_end: '</a>'.html_safe }
       = link_to _("Learn more."), help_page_path("user/project/merge_requests/approvals/index.md"), target: '_blank', rel: 'noopener noreferrer'

ee/app/views/projects/_merge_request_approvals_settings.html.haml

@@ -6,7 +6,7 @@
     %h4.settings-title.js-settings-toggle.js-settings-toggle-trigger-only= _('Merge request approvals')
     %button.gl-button.btn.btn-default.js-settings-toggle{ type: 'button' }= expanded ? _("Collapse") : _("Expand")
     %p
-      - duties_link_url = help_page_path('user/compliance/compliance_report/index', anchor: 'approval-status-and-separation-of-duties')
+      - duties_link_url = help_page_path('user/compliance/compliance_report/index', anchor: 'separation-of-duties')
       - link_start = '<a href="%{url}" target="_blank" rel="noopener noreferrer">'.html_safe % { url: duties_link_url }
       = s_('MergeRequestApprovals|Define approval rules and settings to ensure %{link_start}separation of duties%{link_end} for new merge requests.').html_safe % { link_start: link_start, link_end: '</a>'.html_safe }
       = link_to _("Learn more."), help_page_path("user/project/merge_requests/approvals/index.md"), target: '_blank', rel: 'noopener noreferrer'

ee/config/feature_flags/development/compliance_violations_report.yml

----
-name: compliance_violations_report
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/75015
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/346266
-milestone: '14.6'
-type: development
-group: group::compliance
-default_enabled: false

ee/lib/gitlab/compliance_management/violations/approved_by_insufficient_users.rb

@@ -8,7 +8,7 @@ module Gitlab
         SEVERITY_LEVEL = :high
 
         # The minimum number of approvers is defined by GitLab in our public documentation.
-        # https://docs.gitlab.com/ee/user/compliance/compliance_dashboard/#approval-status-and-separation-of-duties
+        # https://docs.gitlab.com/ee/user/compliance/compliance_dashboard/#separation-of-duties
         MINIMUM_NUMBER_OF_APPROVERS = 2
 
         def initialize(merge_request)

ee/spec/features/groups/security/compliance_dashboards_spec.rb

@@ -36,109 +36,70 @@ RSpec.describe 'Compliance Dashboard', :js do
     stub_licensed_features(group_level_compliance_dashboard: true)
     group.add_owner(user)
     sign_in(user)
+    visit group_security_compliance_dashboard_path(group)
   end
 
-  context 'when compliance_violations_report feature is disabled' do
-    before do
-      stub_feature_flags(compliance_violations_report: false)
-      visit group_security_compliance_dashboard_path(group)
+  it 'shows the violations report table', :aggregate_failures do
+    page.within('table') do
+      expect(page).to have_content 'Severity'
+      expect(page).to have_content 'Violation'
+      expect(page).to have_content 'Merge request'
+      expect(page).to have_content 'Date merged'
     end
+  end
 
-    context 'when there are no merge requests' do
-      it 'shows an empty state' do
-        expect(page).to have_selector('.empty-state')
-      end
-    end
-
-    context 'when there are merge requests' do
-      let_it_be(:merge_request) { create(:merge_request, source_project: project, state: :merged, merge_commit_sha: 'b71a6483b96dc303b66fdcaa212d9db6b10591ce') }
-      let_it_be(:merge_request_2) { create(:merge_request, source_project: project_2, state: :merged, merge_commit_sha: '24327319d067f4101cd3edd36d023ab5e49a8579') }
-
-      before_all do
-        create(:event, :merged, project: project, target: merge_request, author: user, created_at: 10.minutes.ago)
-        create(:event, :merged, project: project_2, target: merge_request_2, author: user, created_at: 15.minutes.ago)
-      end
-
-      it 'shows merge requests with details' do
-        expect(page).to have_link(merge_request.title)
-        expect(page).to have_content('merged 10 minutes ago')
-        expect(page).to have_content('no approvers')
-      end
-
-      context 'chain of custody report' do
-        it_behaves_like 'exports a merge commit-specific CSV'
-      end
+  context 'when there are no compliance violations' do
+    it 'shows an empty state' do
+      expect(page).to have_content('No violations found')
     end
   end
 
-  context 'when compliance_violations_report feature is enabled' do
-    before do
-      stub_feature_flags(compliance_violations_report: true)
-      visit group_security_compliance_dashboard_path(group)
-    end
+  context 'when there are merge requests' do
+    let_it_be(:merge_request) { create(:merge_request, source_project: project, state: :merged, merge_commit_sha: 'b71a6483b96dc303b66fdcaa212d9db6b10591ce') }
+    let_it_be(:merge_request_2) { create(:merge_request, source_project: project_2, state: :merged, merge_commit_sha: '24327319d067f4101cd3edd36d023ab5e49a8579') }
 
-    it 'shows the violations report table', :aggregate_failures do
-      page.within('table') do
-        expect(page).to have_content 'Severity'
-        expect(page).to have_content 'Violation'
-        expect(page).to have_content 'Merge request'
-        expect(page).to have_content 'Date merged'
-      end
+    context 'chain of custody report' do
+      it_behaves_like 'exports a merge commit-specific CSV'
     end
 
-    context 'when there are no compliance violations' do
-      it 'shows an empty state' do
-        expect(page).to have_content('No violations found')
-      end
-    end
-
-    context 'when there are merge requests' do
-      let_it_be(:merge_request) { create(:merge_request, source_project: project, state: :merged, merge_commit_sha: 'b71a6483b96dc303b66fdcaa212d9db6b10591ce') }
-      let_it_be(:merge_request_2) { create(:merge_request, source_project: project_2, state: :merged, merge_commit_sha: '24327319d067f4101cd3edd36d023ab5e49a8579') }
+    context 'and there is a compliance violation' do
+      let_it_be(:violation) { create(:compliance_violation, :approved_by_committer, severity_level: :high, merge_request: merge_request, violating_user: user) }
+      let_it_be(:violation_2) { create(:compliance_violation, :approved_by_merge_request_author, severity_level: :medium, merge_request: merge_request_2, violating_user: user) }
 
-      context 'chain of custody report' do
-        it_behaves_like 'exports a merge commit-specific CSV'
+      before do
+        merge_request.metrics.update!(merged_at: 1.day.ago)
+        merge_request_2.metrics.update!(merged_at: 7.days.ago)
+        wait_for_requests
       end
 
-      context 'and there is a compliance violation' do
-        let_it_be(:violation) { create(:compliance_violation, :approved_by_committer, severity_level: :high, merge_request: merge_request, violating_user: user) }
-        let_it_be(:violation_2) { create(:compliance_violation, :approved_by_merge_request_author, severity_level: :medium, merge_request: merge_request_2, violating_user: user) }
+      it 'shows the compliance violations with details', :aggregate_failures do
+        expect(all('tbody > tr').count).to eq(2)
 
-        before do
-          merge_request.metrics.update!(merged_at: 1.day.ago)
-          merge_request_2.metrics.update!(merged_at: 7.days.ago)
-          wait_for_requests
-        end
+        expect(first_row).to have_content('High')
+        expect(first_row).to have_content('Approved by committer')
+        expect(first_row).to have_content(merge_request.title)
+        expect(first_row).to have_content('1 day ago')
+      end
 
-        it 'shows the compliance violations with details', :aggregate_failures do
-          expect(all('tbody > tr').count).to eq(2)
+      it 'can sort the violations by clicking on a column header' do
+        click_column_header 'Severity'
 
-          expect(first_row).to have_content('High')
-          expect(first_row).to have_content('Approved by committer')
-          expect(first_row).to have_content(merge_request.title)
-          expect(first_row).to have_content('1 day ago')
-        end
+        expect(first_row).to have_content(merge_request_2.title)
+      end
 
-        it 'can sort the violations by clicking on a column header' do
-          click_column_header 'Severity'
+      context 'violations filter' do
+        it 'can filter by date range' do
+          set_date_range(7.days.ago.to_date, 6.days.ago.to_date)
 
-          expect(first_row).to have_content(merge_request_2.title)
+          expect(page).to have_content(merge_request_2.title)
+          expect(page).not_to have_content(merge_request.title)
         end
 
-        context 'violations filter' do
-          it 'can filter by date range' do
-            set_date_range(7.days.ago.to_date, 6.days.ago.to_date)
-
-            expect(page).to have_content(merge_request_2.title)
-            expect(page).not_to have_content(merge_request.title)
-          end
+        it 'can filter by project id' do
+          filter_by_project(merge_request_2.project)
 
-          it 'can filter by project id' do
-            filter_by_project(merge_request_2.project)
-
-            expect(page).to have_content(merge_request_2.title)
-            expect(page).not_to have_content(merge_request.title)
-          end
+          expect(page).to have_content(merge_request_2.title)
+          expect(page).not_to have_content(merge_request.title)
         end
       end
     end

ee/spec/frontend/approvals/components/group_settings/app_spec.js

@@ -70,7 +70,7 @@ describe('EE Approvals Group Settings App', () => {
 
   it.each`
     findComponent          | text                      | href
-    ${findDescriptionLink} | ${'separation of duties'} | ${'/help/user/compliance/compliance_report/index#approval-status-and-separation-of-duties'}
+    ${findDescriptionLink} | ${'separation of duties'} | ${'/help/user/compliance/compliance_report/index#separation-of-duties'}
     ${findLearnMoreLink}   | ${'Learn more.'}          | ${'/help/user/project/merge_requests/approvals/index.md'}
   `('has the correct link for $text', ({ findComponent, text, href }) => {
     createWrapper();

ee/spec/frontend/compliance_dashboard/components/dashboard_spec.js

@@ -6,7 +6,7 @@ import { nextTick } from 'vue';
 import ComplianceDashboard from 'ee/compliance_dashboard/components/dashboard.vue';
 import MergeRequestDrawer from 'ee/compliance_dashboard/components/drawer.vue';
 import MergeRequestGrid from 'ee/compliance_dashboard/components/merge_requests/grid.vue';
-import MergeCommitsExportButton from 'ee/compliance_dashboard/components/merge_requests/merge_commits_export_button.vue';
+import MergeCommitsExportButton from 'ee/compliance_dashboard/components/shared/merge_commits_export_button.vue';
 import { COMPLIANCE_TAB_COOKIE_KEY } from 'ee/compliance_dashboard/constants';
 import { mapDashboardToDrawerData } from 'ee/compliance_dashboard/utils';
 import { createMergeRequests } from '../mock_data';

ee/spec/frontend/compliance_dashboard/components/merge_requests/statuses/approval_spec.js

@@ -33,8 +33,8 @@ describe('ApprovalStatus component', () => {
     });
 
     it('links to the approval status', () => {
-      expect(findLink().attributes('href')).toEqual(
-        'https://docs.gitlab.com/ee/user/compliance/compliance_report/#approval-status-and-separation-of-duties',
+      expect(findLink().attributes('href')).toBe(
+        '/help/user/compliance/compliance_report/index#separation-of-duties',
       );
     });
 

ee/spec/frontend/compliance_dashboard/components/report_spec.js

@@ -6,7 +6,7 @@ import * as Sentry from '@sentry/browser';
 import { extendedWrapper } from 'helpers/vue_test_utils_helper';
 import ComplianceReport from 'ee/compliance_dashboard/components/report.vue';
 import MergeRequestDrawer from 'ee/compliance_dashboard/components/drawer.vue';
-import MergeCommitsExportButton from 'ee/compliance_dashboard/components/merge_requests/merge_commits_export_button.vue';
+import MergeCommitsExportButton from 'ee/compliance_dashboard/components/shared/merge_commits_export_button.vue';
 import ViolationReason from 'ee/compliance_dashboard/components/violations/reason.vue';
 import ViolationFilter from 'ee/compliance_dashboard/components/violations/filter.vue';
 import getComplianceViolationsQuery from 'ee/compliance_dashboard/graphql/compliance_violations.query.graphql';
@@ -125,9 +125,7 @@ describe('ComplianceReport component', () => {
         'The compliance report shows the merge request violations merged in protected environments.',
       );
       expect(helpLink.text()).toBe('Learn more.');
-      expect(helpLink.attributes('href')).toBe(
-        '/help/user/compliance/compliance_report/index.md#approval-status-and-separation-of-duties',
-      );
+      expect(helpLink.attributes('href')).toBe('/help/user/compliance/compliance_report/index.md');
     });
 
     it('renders the merge commit export button', () => {

ee/spec/frontend/compliance_dashboard/components/merge_requests/merge_commits_export_button_spec.js → ee/spec/frontend/compliance_dashboard/components/shared/merge_commits_export_button_spec.js

 import { GlFormInput, GlForm, GlFormGroup } from '@gitlab/ui';
 import { mount, shallowMount } from '@vue/test-utils';
 
-import MergeCommitsExportButton from 'ee/compliance_dashboard/components/merge_requests/merge_commits_export_button.vue';
+import MergeCommitsExportButton from 'ee/compliance_dashboard/components/shared/merge_commits_export_button.vue';
 import { INPUT_DEBOUNCE, CUSTODY_REPORT_PARAMETER } from 'ee/compliance_dashboard/constants';
 
 const CSV_EXPORT_PATH = '/merge_commit_reports';

ee/spec/frontend/compliance_dashboard/graphql/mappers_spec.js

@@ -4,11 +4,19 @@ import { createComplianceViolation } from '../mock_data';
 
 describe('mapViolations', () => {
   it('returns the expected result', () => {
-    const { mergeRequest } = mapViolations([createComplianceViolation()])[0];
+    const violation = createComplianceViolation();
+    const { mergeRequest } = mapViolations([violation])[0];
 
     expect(mergeRequest).toMatchObject({
+      committers: [],
+      approvedByUsers: [],
+      participants: violation.mergeRequest.participants.nodes,
       reference: mergeRequest.ref,
       mergedBy: convertObjectPropsToSnakeCase(mergeRequest.mergeUser),
+      project: {
+        ...violation.project,
+        complianceFramework: violation.mergeRequest.project?.complianceFrameworks?.nodes[0],
+      },
     });
   });
 });