vulnerability_findings API does not correctly filter on scanner parameter
Summary
When using the vulnerability findings REST API, the scanner parameter does not filter findings: results from scanners other than the one requested are returned.
Steps to reproduce
Call the vulnerability_findings endpoint with the scanner parameter set and inspect the scanner.name of the returned findings.
Example Project
What is the current bug behavior?
Note scanner=eslint in the request, while every returned finding comes from Gosec:
❯ curl -q --header "PRIVATE-TOKEN: ${GITLAB_API_TOKEN}" "https://gitlab.com/api/v4/projects/#{PROJECT_ID}/vulnerability_findings?report_type=sast&scanner=eslint" | jq 'map(.scanner.name)'
[
"Gosec",
"Gosec",
"Gosec",
"Gosec",
"Gosec",
"Gosec"
]
What is the expected correct behavior?
Returned results should match the scanner parameter: a request with scanner=eslint should return only findings produced by eslint, and none from Gosec.
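A small client-side check for the behaviour described above, added here as an example and not part of the original issue or of GitLab's own code. It reproduces the `jq 'map(.scanner.name)'` inspection in Python, reports whether the server honoured the scanner parameter, and applies the filter locally as a workaround until the parameter is removed. The sample response is constructed to look like the output above (only the `scanner.name` field the check reads is included); the case-insensitive comparison between the requested scanner and `scanner.name`, the `X-Next-Page` pagination header and the `fetch_findings` helper are assumptions of this example.

```python
import json
import urllib.parse
import urllib.request

# Constructed sample response, shaped like the affected endpoint's output for
# ?report_type=sast&scanner=eslint: Gosec findings leak through, one ESLint
# finding is genuinely matching. Not real data from the issue.
SAMPLE_RESPONSE = json.dumps([
    {"id": 1, "scanner": {"name": "Gosec"}},
    {"id": 2, "scanner": {"name": "Gosec"}},
    {"id": 3, "scanner": {"name": "ESLint"}},
])


def load_sample():
    """Parse the constructed sample response into a list of findings."""
    return json.loads(SAMPLE_RESPONSE)


def scanner_names(findings):
    """Equivalent of `jq 'map(.scanner.name)'` on the API response."""
    return [(f.get("scanner") or {}).get("name") for f in findings]


def check_scanner_filter(findings, scanner):
    """Return (honoured, offending_names).

    honoured is True only if every returned finding's scanner.name matches
    the requested scanner. Comparison is case-insensitive (assumption: the
    API parameter is lower-case while scanner.name is capitalised).
    """
    wanted = scanner.casefold()
    offending = sorted({n for n in scanner_names(findings) if (n or "").casefold() != wanted})
    return (not offending, offending)


def findings_for_scanner(findings, scanner):
    """Client-side workaround: keep only findings whose scanner.name matches."""
    wanted = scanner.casefold()
    return [f for f in findings if ((f.get("scanner") or {}).get("name") or "").casefold() == wanted]


def fetch_findings(base_url, project_id, token, scanner, report_type="sast", per_page=100):
    """Fetch all pages of vulnerability findings (hypothetical helper, network access required).

    Follows GitLab's offset pagination via the X-Next-Page response header.
    Not exercised by the sample below.
    """
    findings, page = [], "1"
    while page:
        query = urllib.parse.urlencode(
            {"report_type": report_type, "scanner": scanner, "per_page": per_page, "page": page}
        )
        url = f"{base_url}/api/v4/projects/{project_id}/vulnerability_findings?{query}"
        req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
        with urllib.request.urlopen(req) as resp:  # nosec: caller supplies an https URL
            findings.extend(json.load(resp))
            page = resp.headers.get("X-Next-Page") or ""
    return findings


if __name__ == "__main__":
    sample = load_sample()
    print("scanner names:", scanner_names(sample))
    honoured, offending = check_scanner_filter(sample, "eslint")
    print("server honoured scanner=eslint:", honoured, "offending:", offending)
    print("locally filtered:", [f["id"] for f in findings_for_scanner(sample, "eslint")])
```

Run against a real project by replacing `load_sample()` with `fetch_findings("https://gitlab.com", PROJECT_ID, token, "eslint")`; `check_scanner_filter` returning `False` with non-empty offending names is the bug this issue reports.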
Output of checks
This bug happens on GitLab.com
Implementation plan
- Remove the scanner parameter from the API
- Update the documentation to remove the scanner param: https://docs.gitlab.com/ee/api/vulnerability_findings.html#list-project-vulnerability-findings
Edited by Thiago Figueiró