Technical Spike: Define GraphQL schema to support migration for Pipeline Security Tab
Time-box: 3 days
Problem to solve
In order to complete the migration from HAML data to GraphQL on the vulnerability details page, we need to add a set of fields to the GraphQL schema for the PipelineSecurityReportFinding type.
To speed up the communication between frontend and backend, the frontend should come up with a schema proposal that captures all missing fields and structures them in a way that makes migrating the related UI components easy.
Note: Migration work has already started and is currently behind a feature flag. Run the following command to enable it.
echo "Feature.enable(:pipeline_security_dashboard_graphql)" | rails c
Proposed steps
- Set up a project that contains a setup for apollo-server: https://gitlab.com/dpisek/vulnerability-graphql-mock/-/tree/pipeline-finding
- Configure the local environment to query the mock-server: !76635 (closed)
- Change the pipeline security tab to fetch from the mock endpoint: !76635 (closed)
- Create and experiment with a schema
- Propose fields, queries and mutations for discussion
Desired outcome
- Schema proposal, which can be a base for a discussion with the backend
- Agree on final schema
Outcome
Resources
- MR which configures the details page to fetch from the mock server: !76635 (closed)
- Mock Server: https://gitlab.com/dpisek/vulnerability-graphql-mock
Findings
API Needs
Schema Proposal
```graphql
type VulnerabilityGenericReportCode {
  value: String!
}

type VulnerabilityGenericReportCommit {
  value: String!
}

type VulnerabilityGenericReportDiff {
  before: String!
  after: String!
}

type VulnerabilityGenericReportFileLocation {
  fileName: String!
  # GraphQL has no `Number` scalar; line numbers and offsets are `Int`
  lineStart: Int!
  lineEnd: Int
}

type VulnerabilityGenericReportMarkDown {
  value: String!
}

type VulnerabilityGenericReportModuleLocation {
  moduleName: String!
  offset: Int!
}

union VulnerabilityGenericReportType =
  | VulnerabilityGenericReportCode
  | VulnerabilityGenericReportCommit
  | VulnerabilityGenericReportDiff
  | VulnerabilityGenericReportFileLocation
  | VulnerabilityGenericReportList
  | VulnerabilityGenericReportMarkDown
  | VulnerabilityGenericReportModuleLocation
  | VulnerabilityGenericReportNamedListItem
  | VulnerabilityGenericReportNamedList
  | VulnerabilityGenericReportTable
  | VulnerabilityGenericReportUrl
  | VulnerabilityGenericReportText
  | VulnerabilityGenericReportInt
  | VulnerabilityGenericReportBoolean

type VulnerabilityGenericReportList {
  items: [VulnerabilityGenericReportType!]!
}

type VulnerabilityGenericReportNamedListItem {
  label: String!
  name: String!
  values: [VulnerabilityGenericReportType!]!
}

type VulnerabilityGenericReportNamedList {
  items: [VulnerabilityGenericReportNamedListItem!]!
}

type VulnerabilityGenericReportTable {
  headers: [VulnerabilityGenericReportType!]!
  # NOTE: rows is a list of lists
  rows: [[VulnerabilityGenericReportType!]!]!
}

type VulnerabilityGenericReportUrl {
  href: String!
}

# GraphQL unions may only contain object types, never scalars, so a
# `String | Int | Boolean` union is not valid SDL. Each scalar kind gets its
# own wrapper type instead, which also keeps the union resolvable by __typename.
type VulnerabilityGenericReportText {
  value: String!
}

type VulnerabilityGenericReportInt {
  value: Int!
}

type VulnerabilityGenericReportBoolean {
  value: Boolean!
}

# Not sure how to name all of these types, will need to agree on that 🤔
type VulnerabilityGenericReport {
  code: VulnerabilityGenericReportCode
  commit: VulnerabilityGenericReportCommit
  diff: VulnerabilityGenericReportDiff
  fileLocation: VulnerabilityGenericReportFileLocation
  list: VulnerabilityGenericReportList
  markdown: VulnerabilityGenericReportMarkDown
  moduleLocation: VulnerabilityGenericReportModuleLocation
  namedList: VulnerabilityGenericReportNamedList
  table: VulnerabilityGenericReportTable
  url: VulnerabilityGenericReportUrl
  text: VulnerabilityGenericReportText
  int: VulnerabilityGenericReportInt
  boolean: VulnerabilityGenericReportBoolean
}

type VulnerabilityRequestResponseHeader {
  name: String!
  value: String!
}

type VulnerabilityRequest {
  url: String!
  body: String!
  method: String!
  headers: [VulnerabilityRequestResponseHeader!]!
}

type VulnerabilityResponse {
  body: String!
  statusCode: String!
  reasonPhrase: String
  headers: [VulnerabilityRequestResponseHeader!]!
}

# SupportingMessageType is not declared anywhere in this proposal yet (the
# Types table below refers to it as VulnerabilityEvidenceSupportingMessageName);
# it needs an enum definition before the schema validates.
type VulnerabilityEvidenceSupportingMessage {
  name: SupportingMessageType!
  response: VulnerabilityResponse
}

extend type VulnerabilityLocationCoverageFuzzing {
  crashState: String
}

extend type PipelineSecurityReportFinding {
  descriptionHtml: String!
  request: VulnerabilityRequest
  response: VulnerabilityResponse
  details: VulnerabilityGenericReport
}
```
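The mock server from the proposed steps has to serve `details` through the `VulnerabilityGenericReportType` union, and that is the part worth getting right early: a GraphQL server resolves a union through `__resolveType`, and Apollo Client needs the resulting `__typename` on every item to cache and render it. The following Node script is an added example written for this page; it is not code from the issue or from the linked mock-server project. It assumes a report format where each detail item carries a `type` discriminator (`"list"`, `"named-list"`, `"file-location"`, `"value"`, and so on) and snake_case fields, it uses its own `Text`/`Int`/`Boolean` wrapper type names in place of a scalar union (which GraphQL does not allow), and its sample finding is constructed, not taken from a real scan. It runs with plain Node and needs no GraphQL library.

```javascript
'use strict';

// Added example: maps a finding's report `details` onto the proposed
// VulnerabilityGenericReportType union the way a mock resolver would.
// ASSUMED input shape: a `type` discriminator per item, snake_case fields.
// The Text/Int/Boolean wrapper type names are this example's own.
const TYPE_MAP = {
  code: 'VulnerabilityGenericReportCode',
  commit: 'VulnerabilityGenericReportCommit',
  diff: 'VulnerabilityGenericReportDiff',
  'file-location': 'VulnerabilityGenericReportFileLocation',
  list: 'VulnerabilityGenericReportList',
  markdown: 'VulnerabilityGenericReportMarkDown',
  'module-location': 'VulnerabilityGenericReportModuleLocation',
  'named-list': 'VulnerabilityGenericReportNamedList',
  table: 'VulnerabilityGenericReportTable',
  url: 'VulnerabilityGenericReportUrl',
  text: 'VulnerabilityGenericReportText',
};

// Name the union member for one item. Unknown types and non-scalar `value`
// payloads are rejected instead of passed through, so scanner output cannot
// push an arbitrary object into the UI.
function resolveReportType(item) {
  if (!item || typeof item !== 'object') throw new TypeError('detail item must be an object');
  if (item.type === 'value') {
    if (typeof item.value === 'boolean') return 'VulnerabilityGenericReportBoolean';
    if (Number.isInteger(item.value)) return 'VulnerabilityGenericReportInt';
    if (typeof item.value === 'string') return 'VulnerabilityGenericReportText';
    throw new TypeError(`unsupported value payload: ${typeof item.value}`);
  }
  const typename = TYPE_MAP[item.type];
  if (!typename) throw new TypeError(`unknown detail type: ${item.type}`);
  return typename;
}

// Convert one item (recursively) into what a resolver returns: the camelCase
// field names from the proposal plus `__typename`, which apollo-server's
// union resolution and Apollo Client's cache both rely on.
function toReportType(item) {
  const __typename = resolveReportType(item);
  switch (item.type) {
    case 'diff':
      return { __typename, before: item.before, after: item.after };
    case 'file-location':
      return { __typename, fileName: item.file_name, lineStart: item.line_start, lineEnd: item.line_end ?? null };
    case 'module-location':
      return { __typename, moduleName: item.module_name, offset: item.offset };
    case 'url':
      return { __typename, href: item.href };
    case 'list':
      return { __typename, items: item.items.map(toReportType) };
    case 'named-list':
      return { __typename, items: toNamedListItems(item.items) };
    case 'table':
      return {
        __typename,
        headers: item.header.map(toReportType),
        rows: item.rows.map((row) => row.map(toReportType)),
      };
    default: // code, commit, markdown, text, value: a single scalar payload
      return { __typename, value: item.value };
  }
}

// `details` and named-list `items` are objects keyed by field name; each
// entry's human-readable `name` becomes the item label.
function toNamedListItems(entries) {
  return Object.entries(entries).map(([name, entry]) => ({
    __typename: 'VulnerabilityGenericReportNamedListItem',
    label: entry.name ?? name,
    name,
    values: [toReportType(entry)],
  }));
}

// Resolver map fragment for apollo-server: the union resolves by __typename,
// and `details` is served through the `namedList` field of the proposed
// VulnerabilityGenericReport type.
const resolvers = {
  VulnerabilityGenericReportType: { __resolveType: (obj) => obj.__typename },
  PipelineSecurityReportFinding: {
    details: (finding) => ({
      namedList: { __typename: 'VulnerabilityGenericReportNamedList', items: toNamedListItems(finding.details) },
    }),
  },
};

// Constructed sample finding for this example; not taken from a real report.
const SAMPLE_FINDING = {
  details: {
    urls: { name: 'URLs', type: 'list', items: [{ type: 'url', href: 'https://example.com/login' }] },
    location: { name: 'Location', type: 'file-location', file_name: 'src/app.js', line_start: 12, line_end: 14 },
    evidence: {
      name: 'Evidence',
      type: 'table',
      header: [{ type: 'text', value: 'Parameter' }, { type: 'text', value: 'Payload' }],
      rows: [[{ type: 'text', value: 'id' }, { type: 'code', value: "1' OR '1'='1" }]],
    },
    crashed: { name: 'Crashed', type: 'value', value: true },
  },
};

console.log(JSON.stringify(resolvers.PipelineSecurityReportFinding.details(SAMPLE_FINDING), null, 2));
```

Because every nested object already carries `__typename`, the `__resolveType` resolver is a one-liner, and the frontend query can select union members with `... on VulnerabilityGenericReportFileLocation { fileName lineStart }` style fragments. Rejecting unknown `type` values at this boundary is deliberate: the details blob comes from scanner output, and a mock that silently passes anything through hides exactly the input-validation gap the real backend will have to close.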
Types
type | field(s) | added or changed | description | current issue
---|---|---|---|---
PipelineSecurityReportFinding | `discussions` | fields added | new field, should be the same as on the Vulnerability type (extending the NoteableInterface) | Add `discussions` field to `PipelineSecurityRep...` (#360621 - closed)
VulnerabilityEvidence | `summary: String`; `supportingMessages: [VulnerabilityEvidenceSupportingMessage!]`; `source: VulnerabilityEvidenceSource`; `request: [VulnerabilityRequest!]`; `response: [VulnerabilityResponse!]` | type added | new evidence type | Add GraphQL fields to support migration for Vul... (#356352)
VulnerabilityEvidenceSupportingMessage | `name: VulnerabilityEvidenceSupportingMessageName!`; `request: [VulnerabilityRequest!]`; `response: [VulnerabilityResponse!]` | type added | new evidence supporting message type | Add GraphQL fields to support migration for Vul... (#356352)
VulnerabilityEvidenceSource | `id: ID!`; `name: String`; `url: String` | type added | new evidence source type | Add GraphQL fields to support migration for Vul... (#356352)
VulnerabilityRequestResponseHeader | `name: String`; `value: String` | type added | new request/response header type | Add GraphQL fields to support migration for Vul... (#356352)
VulnerabilityRequest | `body: String`; `method: String`; `url: String`; `headers: [VulnerabilityRequestResponseHeader!]` | type added | new request type | Add GraphQL fields to support migration for Vul... (#356352)
VulnerabilityResponse | `body: String`; `statusCode: String`; `reasonPhrase: String`; `headers: [VulnerabilityRequestResponseHeader!]` | type added | new response type | Add GraphQL fields to support migration for Vul... (#356352)
VulnerabilityAsset | `name: String`; `url: String` | type added | new asset type | Add GraphQL fields to support migration for Vul... (#356352)
VulnerabilityRemediation | `diff: [String!]` | type added | new remediation type | Add GraphQL fields to support migration for Vul... (#356352)
VulnerabilityLocationCoverageFuzzing | `crashType: String`; `crashAddress: String`; `stacktraceSnippet: String` | fields added | new location coverage fuzzing fields | Add GraphQL fields to support migration for Vul... (#356352)
VulnerabilityScanner | `url: String`; `version: String` | fields added | new scanner fields | Add GraphQL fields to support migration for Vul... (#356352)
Vulnerability | `assets: [VulnerabilityAsset!]`; `canModifyRelatedIssues: Boolean!`; `createdAt: Time`; `evidence: VulnerabilityEvidence`; `pipeline: Pipeline`; `relatedIssuesHelpPath: String`; `remediations: [VulnerabilityRemediation!]`; `solution: String` | fields added | new vulnerability fields | Add GraphQL fields to support migration for Vul... (#356352)
Queries
query | field(s) | added or changed | description | issue
---|---|---|---|---
Mutations
mutation | field(s) | added or changed | description | issue
---|---|---|---|---
Edited by David Pisek