
Expand filtering functionality of vulnerabilities GraphQL endpoint to support scanner ID

Why are we doing this work

Background

On the Vulnerability Report, there are filters that let you narrow down the vulnerability list:

[screenshot: ksnip_20201215-012839, Vulnerability Report filter bar]

The filtered vulnerability list can be retrieved through 1 of 3 GraphQL endpoints:

Currently, these endpoints only support filtering by AND'ing the filter properties together and OR'ing the values within each property. For example, this filter selection:

[screenshot: ksnip_20201215-014107, filter selection]

will pass these variables to the query:

[screenshot: ksnip_20201215-014611, GraphQL query variables]

which is run as the following pseudo-SQL:

SELECT * FROM vulnerabilities
WHERE reportType IN ('DAST', 'SAST')
AND severity IN ('CRITICAL', 'HIGH', 'MEDIUM')
AND state IN ('DETECTED', 'CONFIRMED')

Problem

The custom scanner filter feature needs to filter by a vendor and report type combination. This selection:

[screenshot: ksnip_20201215-015618, scanner filter selection]

needs this SQL query:

SELECT * FROM vulnerabilities
WHERE (
  (vendor = 'GitLab' AND reportType IN ('DAST', 'Secret Detection'))
  OR (vendor = 'Custom Scanner' AND reportType IN ('SAST'))
)
AND other filters here

Proposal

Expand the scanners variable so that each item can carry a vendor together with its reportTypes:

{
  "scanners": [
    {
      "vendor": "GitLab",
      "reportTypes": ["DAST", "Secret Detection"]
    },
    {
      "vendor": "Custom Scanner",
      "reportTypes": ["SAST"]
    }
  ]
}

Items in scanners are implicitly OR'ed together, and the properties within each scanner item are implicitly AND'ed:

(scanner[0].vendor AND scanner[0].reportTypes)
OR
(scanner[1].vendor AND scanner[1].reportTypes)
OR
-- more scanners here
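The following is an added example, not GitLab's own code, showing how the proposed scanners variable would be turned into a parameterized WHERE clause: OR between scanner items, AND inside each item, and the existing list filters AND'ed on the outside. Column names (vendor, reportType, severity, state) follow the pseudo-SQL above; the function names and the sample variables are constructed for this illustration.

```ruby
# Added example (not GitLab's code): translate the proposed `scanners`
# GraphQL variable into a parameterized WHERE clause. Items are OR'ed,
# properties within an item are AND'ed, and the existing list filters
# (severity, state) stay AND'ed on the outside. Filter values are bound
# with placeholders, never interpolated, so a user-supplied filter string
# can only ever be compared as data, not parsed as SQL.

# Build a placeholder list such as "(?, ?, ?)" plus the values to bind.
def in_list(values)
  placeholders = Array.new(values.length, "?").join(", ")
  ["(#{placeholders})", values]
end

# One scanner item: (vendor = ? AND reportType IN (?, ?)).
def scanner_predicate(scanner)
  report_types = scanner.fetch("reportTypes")
  raise ArgumentError, "reportTypes must not be empty" if report_types.empty?
  list_sql, binds = in_list(report_types)
  ["(vendor = ? AND reportType IN #{list_sql})", [scanner.fetch("vendor"), *binds]]
end

# Combine: ((scanner0) OR (scanner1) ...) AND severity IN (...) AND state IN (...)
def build_where(scanners:, severity: [], state: [])
  clauses = []
  binds = []
  unless scanners.empty?
    parts = scanners.map { |s| scanner_predicate(s) }
    clauses << "(" + parts.map(&:first).join(" OR ") + ")"
    parts.each { |_, b| binds.concat(b) }
  end
  { "severity" => severity, "state" => state }.each do |column, values|
    next if values.empty?
    list_sql, b = in_list(values)
    clauses << "#{column} IN #{list_sql}"
    binds.concat(b)
  end
  return ["", []] if clauses.empty? # no filters selected: no WHERE clause at all
  ["WHERE " + clauses.join(" AND "), binds]
end

# Constructed sample input mirroring the proposal's JSON variables.
SAMPLE_SCANNERS = [
  { "vendor" => "GitLab", "reportTypes" => ["DAST", "Secret Detection"] },
  { "vendor" => "Custom Scanner", "reportTypes" => ["SAST"] }
].freeze

if __FILE__ == $PROGRAM_NAME
  sql, binds = build_where(scanners: SAMPLE_SCANNERS, severity: ["CRITICAL", "HIGH"])
  puts "SELECT * FROM vulnerabilities #{sql}"
  p binds
end
```

The number of placeholders in the returned SQL always equals the number of bound values, which is a cheap invariant to assert in specs for the new queries.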

UPDATE: This change will instead rely on the front end to pass the scanner ID for searching, because searching by vendor and report type combinations is too complex: the resulting query is too slow.

Relevant links

Non-functional requirements

  • Documentation: Update GraphQL documentation
  • Performance: Ensure database performance with new filters
  • Testing: Add specs for new queries

Implementation plan

Edited by Jonathan Schafer