Sorting Security Vulnerabilities by state is broken, potentially unnecessary?
Summary
Attempting to query Vulnerabilities with a sort of state_desc or state_asc does neither: the default behaviour is to sort by severity_desc whenever the provided sort is not supported, even though sorting by state appears in the GraphQL API documentation for vulnerability sorting.
Steps to reproduce
- Navigate to https://gitlab.com/-/graphql-explorer
- Execute the following GraphQL queries:
{
  project(fullPath: "gitlab-org/gitlab") {
    vulnerabilities(first: 5, sort: state_desc) {
      nodes {
        id
        state
      }
      pageInfo {
        endCursor
      }
    }
  }
}

{
  project(fullPath: "gitlab-org/gitlab") {
    vulnerabilities(first: 5, sort: state_asc) {
      nodes {
        id
        state
      }
      pageInfo {
        endCursor
      }
    }
  }
}
- Note how the returned results disregard the state ordering and fall back to the severity_desc default.
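To make the reproduction checkable rather than eyeballed, here is an added Ruby example (not GitLab's code and not part of the original issue). It takes the JSON a query returns, with `severity` added to the node selection alongside `state`, and reports whether the node order honours the requested sort, silently fell back to severity_desc as described above, or is in neither order. The response below is constructed sample data in the shape of a real reply, and the rank tables for state and severity are assumptions for this example rather than values taken from the GitLab schema.

```ruby
require 'json'

# Assumed rank tables for this example; not taken from the GitLab schema.
SEVERITY_RANK = { 'INFO' => 0, 'UNKNOWN' => 1, 'LOW' => 2,
                  'MEDIUM' => 3, 'HIGH' => 4, 'CRITICAL' => 5 }.freeze
STATE_RANK    = { 'DETECTED' => 1, 'DISMISSED' => 2,
                  'RESOLVED' => 3, 'CONFIRMED' => 4 }.freeze

# Constructed sample response: the shape returned for the query in the issue
# with `severity` added to the node selection, as it comes back when the
# requested state sort is ignored and the nodes arrive in severity_desc order.
SAMPLE_RESPONSE = <<~JSON
  { "data": { "project": { "vulnerabilities": { "nodes": [
    { "id": "gid://gitlab/Vulnerability/1", "state": "DETECTED",  "severity": "CRITICAL" },
    { "id": "gid://gitlab/Vulnerability/2", "state": "DISMISSED", "severity": "CRITICAL" },
    { "id": "gid://gitlab/Vulnerability/3", "state": "DETECTED",  "severity": "HIGH" },
    { "id": "gid://gitlab/Vulnerability/4", "state": "CONFIRMED", "severity": "MEDIUM" },
    { "id": "gid://gitlab/Vulnerability/5", "state": "RESOLVED",  "severity": "LOW" }
  ] } } } }
JSON

# Splits a sort argument such as "state_desc" into ["state", "desc"].
def parse_sort(sort)
  m = sort.to_s.match(/\A(state|severity)_(asc|desc)\z/)
  raise ArgumentError, "unsupported sort #{sort.inspect}" unless m
  [m[1], m[2]]
end

def rank_for(field)
  field == 'state' ? STATE_RANK : SEVERITY_RANK
end

# True when every adjacent pair of nodes is in the requested order (ties allowed).
def ordered?(nodes, field, direction)
  ranks = nodes.map { |n| rank_for(field).fetch(n.fetch(field)) }
  ranks.each_cons(2).all? { |a, b| direction == 'asc' ? a <= b : a >= b }
end

# Returns :honored when the nodes follow the requested sort,
# :fell_back_to_severity_desc when they follow the default instead,
# and :unsorted when they follow neither.
def diagnose_sort(response_json, requested_sort)
  nodes = JSON.parse(response_json).dig('data', 'project', 'vulnerabilities', 'nodes')
  field, direction = parse_sort(requested_sort)
  return :honored if ordered?(nodes, field, direction)
  return :fell_back_to_severity_desc if ordered?(nodes, 'severity', 'desc')

  :unsorted
end

if __FILE__ == $PROGRAM_NAME
  %w[state_desc state_asc].each do |sort|
    puts "#{sort}: #{diagnose_sort(SAMPLE_RESPONSE, sort)}"
  end
end
```

Pipe the real JSON from the GraphQL explorer into `diagnose_sort` with the sort you requested; a result of `:fell_back_to_severity_desc` on both queries is the behaviour this issue describes, and `:honored` after a fix confirms the sort is being applied.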
What is the current bug behavior?
Sorting by state is ignored, defaulting to ordering by severity.
What is the expected correct behavior?
Either the API correctly sorts by state, or we opt not to implement sorting by state and remove it from the documentation.
Output of checks
This bug happens on GitLab.com.
Possible fixes
https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/models/vulnerabilities/read.rb#L55
The Vulnerability::Read implementation does not currently support sorting by state in its order_by method. However, the changes required to make this possible are far from trivial, due to the complexity involved in allowing the Vulnerability::Read model to masquerade as Vulnerability in the vulnerability APIs. Some context regarding this complexity can be seen in !84341 (merged).
Implementation plan
- Mark argument :state in ee/app/graphql/resolvers/vulnerabilities_resolver.rb as deprecated
- Update doc/update/deprecations.md to mark this change as breaking, mark the feature as deprecated, and indicate removal in %16.0