Add `vulnerability` in `PipelineSecurityReportFinding`
Why are we doing this work
As part of the GraphQL conversion of the Pipeline Security Report, we are adding comment-history entries to the vulnerabilities modal on the pipeline security tab. In order to fetch discussions and notes for a `PipelineSecurityReportFinding`, we need a `VulnerabilityID!` field.
Based on this discussion, introducing the `vulnerability` field on `PipelineSecurityReportFinding` is the decided approach. The value of the field can be `NULL`, because the finding may not exist on the default branch; if it does, the notes and discussions can be fetched in a single query.
This is also needed for the work done in Add issueLinks field to PipelineSecurityReportF... (#384867 - closed), so that we can pull the issues based on Vulnerabilities.
We want to add a `vulnerability` field to the `PipelineSecurityReportFinding` GraphQL type for use in the new security finding modals. This can also take an argument for the link type.
Example of the new query:

```graphql
query {
  project(fullPath: "<project path>") {
    pipeline(iid: "<pipeline iid>") {
      securityReportFinding(uuid: "<uuid>") {
        vulnerability {
          <vulnerability fields>
        }
      }
    }
  }
}
```

Response data will be a `Vulnerability`.
Relevant links
Non-functional requirements
- Documentation: Update the GraphQL docs
- Testing: Add appropriate specs, including query specs and N+1 specs
Implementation plan
- backend: Add `field :vulnerability, type: VulnerabilityType, null: true` to `ee/app/graphql/types/pipeline_security_report_finding_type.rb`
- backend: Write a proper description of the `:solution` field
- backend: Adjust `ee/spec/graphql/types/pipeline_security_report_finding_type_spec.rb` to account for the newly added field
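The two behaviours the plan and the testing note care about are that the field is nullable (a finding with no default-branch vulnerability resolves to `NULL`) and that resolving it for a list of findings must not issue one lookup per finding. The following is an added plain-Ruby illustration of those two points, not GitLab's code; `VulnerabilityRepo`, the structs and the sample rows are constructed stand-ins for the real models.

```ruby
# Added illustration (not GitLab's code): resolving a nullable `vulnerability`
# for pipeline security findings, naive (N+1) vs. batched.
# Model names and data are constructed for this example.
Vulnerability = Struct.new(:id, :finding_uuid, :description)
Finding = Struct.new(:uuid, :title)

# Stand-in for the vulnerabilities on the project's default branch.
# Counts lookups so the difference between the two resolvers is visible.
class VulnerabilityRepo
  attr_reader :query_count

  def initialize(rows)
    @rows = rows
    @query_count = 0
  end

  # One lookup for many uuids (think `WHERE finding_uuid IN (...)`).
  def by_finding_uuids(uuids)
    @query_count += 1
    @rows.select { |v| uuids.include?(v.finding_uuid) }.group_by(&:finding_uuid)
  end
end

# Naive resolver: one lookup per finding, the shape an N+1 spec should catch.
def resolve_naive(findings, repo)
  findings.map { |f| repo.by_finding_uuids([f.uuid])[f.uuid]&.first }
end

# Batched resolver: collect all uuids first, then look them up once.
# Findings with no default-branch vulnerability resolve to nil (GraphQL NULL).
def resolve_batched(findings, repo)
  by_uuid = repo.by_finding_uuids(findings.map(&:uuid))
  findings.map { |f| by_uuid[f.uuid]&.first }
end

# Constructed sample: two findings, only the first has a vulnerability.
SAMPLE_FINDINGS = [Finding.new("uuid-a", "SQLi"), Finding.new("uuid-b", "XSS")]
SAMPLE_VULNS = [Vulnerability.new(1, "uuid-a", "SQL injection in search")]

# Returns the resolved descriptions and how many lookups the batch cost.
def demo
  repo = VulnerabilityRepo.new(SAMPLE_VULNS)
  result = resolve_batched(SAMPLE_FINDINGS, repo)
  [result.map { |v| v && v.description }, repo.query_count]
end

p demo if __FILE__ == $PROGRAM_NAME # => [["SQL injection in search", nil], 1]
```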
Verification steps
- Run a pipeline on the main branch of a project with vulnerabilities
- Run the following GraphQL query. You should see the vulnerability data:

```graphql
{
  project(fullPath: "<project_path>") {
    pipeline(iid: "1") {
      id
      securityReportFindings {
        nodes {
          title
          uuid
          vulnerability {
            description
          }
        }
      }
    }
  }
}
```