
BE: Add info/error messages to security widget summary

Why are we doing this work

We want to provide details about failed jobs in the security MR widget. There are currently 3 identified scenarios:

  1. User's source branch is behind the target branch
  2. User enables security scanners after source branch was created
  3. User's target branch security report is out of date

The *_reports endpoints (e.g. https://staging.gitlab.com/defend-team-test/security-reports/-/merge_requests/3/sast_reports) only cover one of these scenarios, so they need to be extended to cover all of them.

Relevant links

Non-functional requirements

  • Future-proofing. If other error scenarios are identified, it would be helpful if they could be exposed to the user without having to modify both the backend and the frontend.
  • Documentation: Update GraphQL docs
  • Performance:
  • Testing:

Implementation plan

  • backend Extend GraphQL MergeRequestType with 3 new fields and corresponding methods:
    • divergedFromTargetBranch as merge_request.diverged_from_target_branch? !53759 (merged)
    • hasSecurityReports as merge_request.has_security_reports?
        # True when the head pipeline produced at least one security report of any type
        def has_security_reports?
          has_dependency_scanning_reports? || has_license_scanning_reports? ||
            has_container_scanning_reports? || has_sast_reports? ||
            has_secret_detection_reports? || has_dast_reports? ||
            has_coverage_fuzzing_reports? || has_api_fuzzing_reports?
        end
    • securityReportsUpToDateOnTargetBranch as merge_request.security_reports_up_to_date?
        # True only when the latest successful pipeline that produced security reports
        # is the latest successful pipeline for the target branch (equality, not inequality:
        # a different, newer target-branch pipeline means the reports are stale)
        def security_reports_up_to_date?
          project.latest_pipeline_with_security_reports(only_successful: true) ==
            project.ci_pipelines.latest_successful_for_ref(target_branch)
        end

Based on the values of these GraphQL fields, the frontend will show an error message:

When divergedFromTargetBranch is true => Screen_Shot_2020-11-17_at_8.33.46_PM

When hasSecurityReports is false and securityReportsUpToDateOnTargetBranch is true => Screen_Shot_2020-11-17_at_8.33.56_PM

When securityReportsUpToDateOnTargetBranch is false => Screen_Shot_2020-11-17_at_8.34.04_PM

Failed jobs query

The warning message about failed jobs can already be derived from the existing GraphQL response:

query {
  project(fullPath: "gitlab-org/gitlab") {
    mergeRequest(iid: "47894") {
      headPipeline {
        jobs(securityReportTypes: [SAST, DAST, DEPENDENCY_SCANNING, CONTAINER_SCANNING, SECRET_DETECTION, COVERAGE_FUZZING, API_FUZZING]) {
          nodes {
            name
            detailedStatus {
              text
            }
          }
        }
      }
    }
  }
}
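To show how the three proposed MergeRequestType fields and the failed-jobs query above would drive the widget, here is an added, self-contained Ruby example (not GitLab's own code, and not part of this issue). It assumes the three boolean fields are returned alongside the headPipeline jobs selection in one response; the response below is constructed, the module and method names (SecurityWidgetSummary, warnings, failed_security_jobs, summarize) are hypothetical, and the warning keys are illustrative stand-ins for the three screenshots.

```ruby
require 'json'

# Constructed sample GraphQL response (not real GitLab data). It carries the three
# proposed MergeRequestType fields plus the headPipeline.jobs selection from the
# failed-jobs query, with detailedStatus.text as the job state.
SAMPLE_RESPONSE = <<~JSON
  {
    "data": {
      "project": {
        "mergeRequest": {
          "divergedFromTargetBranch": false,
          "hasSecurityReports": true,
          "securityReportsUpToDateOnTargetBranch": false,
          "headPipeline": {
            "jobs": {
              "nodes": [
                { "name": "sast",                "detailedStatus": { "text": "passed" } },
                { "name": "secret_detection",    "detailedStatus": { "text": "failed" } },
                { "name": "dependency_scanning", "detailedStatus": { "text": "failed" } }
              ]
            }
          }
        }
      }
    }
  }
JSON

# Hypothetical frontend-side summariser for the security MR widget.
module SecurityWidgetSummary
  FAILED_STATUSES = %w[failed].freeze

  # Maps the three boolean fields to the warnings listed in the issue, in the same
  # order as the scenarios: behind target, scanners enabled after branch creation,
  # target-branch report out of date. `mr` is the parsed mergeRequest hash.
  def self.warnings(mr)
    up_to_date = mr['securityReportsUpToDateOnTargetBranch']
    result = []
    result << :source_branch_behind_target if mr['divergedFromTargetBranch']
    # Only meaningful when the target branch report is current; otherwise the
    # out-of-date warning already explains the missing comparison.
    result << :scanners_enabled_after_branch_created if !mr['hasSecurityReports'] && up_to_date
    result << :target_branch_report_out_of_date unless up_to_date
    result
  end

  # Names of security jobs in the head pipeline whose detailed status is failed.
  # Tolerates a missing head pipeline (MR with no pipeline yet).
  def self.failed_security_jobs(mr)
    nodes = mr.dig('headPipeline', 'jobs', 'nodes') || []
    nodes
      .select { |job| FAILED_STATUSES.include?(job.dig('detailedStatus', 'text')) }
      .map { |job| job['name'] }
  end

  # Parses a raw GraphQL response body and returns what the widget needs to render.
  def self.summarize(response_json)
    mr = JSON.parse(response_json).dig('data', 'project', 'mergeRequest')
    raise ArgumentError, 'response has no mergeRequest' if mr.nil?

    { warnings: warnings(mr), failed_jobs: failed_security_jobs(mr) }
  end
end

if $PROGRAM_NAME == __FILE__
  summary = SecurityWidgetSummary.summarize(SAMPLE_RESPONSE)
  puts "warnings:    #{summary[:warnings].inspect}"
  puts "failed jobs: #{summary[:failed_jobs].inspect}"
end
```

The decision logic lives in one place and returns a list of warning keys rather than a fixed set of booleans, which is the shape the future-proofing requirement points toward: a new backend scenario becomes one more key for the frontend to map to a message.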


Edited by Mark Florian