securityReportFindings GraphQL resolver is unable to retrieve scanners
There seems to be a bug with the security report findings GraphQL resolver that we use to populate the pipeline vulnerability report. Here are some messages from Slack regarding this:
from @pgascouvaillancourt:
I’m looking into the securityReportFindings GraphQL query which supports a scanner field as well as a scanner filter. Filtering by a given scanner seems to be working, but the scanner field is always null. Here’s an example query that I ran against my GDK:
```graphql
query pipelineFindings {
  project(fullPath: "twitter/Typeahead.Js") {
    id
    pipeline(iid: 19) {
      id
      securityReportFindings(scanner: "gemnasium") {
        nodes {
          title
          description
          scanner {
            name
          }
        }
      }
    }
  }
}
```
This does return a few results, but no scanner is exposed in the response. Is there a known bug with the resolver? AFAICT, the REST API leverages the same finder (PipelineVulnerabilitiesFinder) but is able to return the related scanner for each vulnerability.
from @jschafer:
The problem appears to be in https://gitlab.com/gitlab-org/gitlab/-/master/ee/app/finders/security/pipeline_vulnerabilities_finder.rb where the scanners are pulled from the report without ids, and I think that's what is causing them to return with `nil`. Also #334488 has this code slated for removal.
Implementation Plan
- backend: Fix https://gitlab.com/gitlab-org/gitlab/-/master/ee/app/finders/security/pipeline_vulnerabilities_finder.rb where the scanners are pulled from the report without ids
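To make the failure mode concrete, the following is an added, hypothetical Ruby reproduction; it is not GitLab's code, and every name in it (ReportScanner, PersistedScanner, Finding, the resolver and fix helpers) is invented. It shows why a scanner struct built straight from a report, with no database id, resolves to nil when the GraphQL layer looks scanners up by id, and how matching the report scanner to its persisted row by external_id before resolution fixes that.

```ruby
# Hypothetical reproduction (added example, not GitLab's code).
# Scanner as parsed straight from a security report: it carries an
# external_id and a name but no database id (constructed sample data).
ReportScanner = Struct.new(:external_id, :name, keyword_init: true)

# Scanner rows already persisted in the database (constructed sample data).
PersistedScanner = Struct.new(:id, :external_id, :name, keyword_init: true)
PERSISTED_SCANNERS = [
  PersistedScanner.new(id: 1, external_id: 'gemnasium', name: 'Gemnasium'),
  PersistedScanner.new(id: 2, external_id: 'semgrep', name: 'Semgrep')
].freeze

Finding = Struct.new(:title, :scanner, keyword_init: true)

# Buggy path: the finder attaches the report scanner as-is, and the GraphQL
# layer resolves `scanner` by database id. An id-less struct yields nil.
def resolve_scanner_by_id(finding)
  scanner = finding.scanner
  return nil unless scanner.respond_to?(:id) && scanner.id

  PERSISTED_SCANNERS.find { |s| s.id == scanner.id }
end

# Fix: match the report scanner to the persisted row by external_id before the
# finding reaches the resolver, so the id-based lookup has an id to work with.
def attach_persisted_scanner(finding)
  persisted = PERSISTED_SCANNERS.find do |s|
    s.external_id == finding.scanner.external_id
  end
  Finding.new(title: finding.title, scanner: persisted || finding.scanner)
end

# What the `scanner { name }` field returns without the fix: nil.
def buggy_scanner_name(finding)
  resolve_scanner_by_id(finding)&.name
end

# What the same field returns once persisted scanners are attached.
def fixed_scanner_name(finding)
  resolve_scanner_by_id(attach_persisted_scanner(finding))&.name
end

# Constructed sample finding, as a finder would build it from a report.
SAMPLE_FINDING = Finding.new(
  title: 'Vulnerable dependency',
  scanner: ReportScanner.new(external_id: 'gemnasium', name: 'Gemnasium')
).freeze
```

A scanner whose external_id has no persisted row still resolves to nil after the fix, which is the case a reviewer should check separately.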
Validation Steps
How to set up and validate locally
- Check out the master branch
- Make the following GraphQL call:

```graphql
query pipelineFindings {
  project(fullPath: "gitlab-org/gitlab") {
    pipeline(iid: "1313797") {
      securityReportFindings(first: 1) {
        nodes {
          scanner {
            name
          }
        }
      }
    }
  }
}
```
- The scanner should not be `null`; since the query selects `scanner { name }`, the response should look like this:

```json
{
  "data": {
    "project": {
      "pipeline": {
        "securityReportFindings": {
          "nodes": [
            {
              "scanner": {
                "name": "<scanner name>"
              }
            }
          ]
        }
      }
    }
  }
}
```