Add GenericReport fields to `PipelineSecurityReportFinding` GraphQL type
Based on the spike in #348282, we propose to add the generic report type fields captured in the schema below to `PipelineSecurityReportFinding`:

```graphql
type VulnerabilityGenericReportCode {
  value: String!
}

type VulnerabilityGenericReportCommit {
  value: String!
}

type VulnerabilityGenericReportDiff {
  before: String!
  after: String!
}

# GraphQL has no `Number` scalar; line numbers and offsets are integers, so `Int` is used.
type VulnerabilityGenericReportFileLocation {
  fileName: String!
  lineStart: Int!
  lineEnd: Int
}

type VulnerabilityGenericReportMarkDown {
  value: String!
}

type VulnerabilityGenericReportModuleLocation {
  moduleName: String!
  offset: Int!
}

union VulnerabilityGenericReportType = VulnerabilityGenericReportCode | VulnerabilityGenericReportCommit | VulnerabilityGenericReportDiff | VulnerabilityGenericReportFileLocation | VulnerabilityGenericReportList | VulnerabilityGenericReportMarkDown | VulnerabilityGenericReportModuleLocation | VulnerabilityGenericReportNamedListItem | VulnerabilityGenericReportNamedList | VulnerabilityGenericReportTable | VulnerabilityGenericReportUrl | VulnerabilityGenericReportValue

type VulnerabilityGenericReportList {
  items: [VulnerabilityGenericReportType!]!
}

type VulnerabilityGenericReportNamedListItem {
  label: String!
  name: String!
  values: [VulnerabilityGenericReportType!]!
}

type VulnerabilityGenericReportNamedList {
  items: [VulnerabilityGenericReportNamedListItem!]!
}

type VulnerabilityGenericReportTable {
  headers: [VulnerabilityGenericReportType!]!
  # NOTE: rows is a list of lists
  rows: [[VulnerabilityGenericReportType!]!]!
}

type VulnerabilityGenericReportUrl {
  href: String!
}

# NOTE: GraphQL unions may only contain object types, so a scalar union like this
# needs wrapper object types (or a custom scalar) in the actual implementation.
union VulnerabilityGenericReportValueType = String | Int | Float | Boolean

type VulnerabilityGenericReportValue {
  value: VulnerabilityGenericReportValueType!
}

# Not sure how to name all of these types, will need to agree on that 🤔
type VulnerabilityGenericReport {
  code: VulnerabilityGenericReportCode
  commit: VulnerabilityGenericReportCommit
  diff: VulnerabilityGenericReportDiff
  fileLocation: VulnerabilityGenericReportFileLocation
  list: VulnerabilityGenericReportList
  markdown: VulnerabilityGenericReportMarkDown
  moduleLocation: VulnerabilityGenericReportModuleLocation
  namedList: VulnerabilityGenericReportNamedList
  table: VulnerabilityGenericReportTable
  url: VulnerabilityGenericReportUrl
  value: VulnerabilityGenericReportValue
}

extend type PipelineSecurityReportFinding {
  details: VulnerabilityGenericReport
}
```
This ensures that the GraphQL API returns all the data currently shown in the pipeline finding's modal for the generic report type.
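As an added example (not code from the issue or from GitLab), the following Python walks a `details` payload against the union proposed above, checking each member's fields and capping nesting so that a malformed or deeply nested scanner report is rejected before it is stored or rendered. It assumes a `type` discriminator on every node and a `MAX_DEPTH` limit, neither of which is part of the proposal.

```python
"""Added example: validate a generic-report `details` payload against the union proposed
above. Assumed (not in the proposal): a `type` discriminator on each node and MAX_DEPTH."""
MAX_DEPTH = 8  # assumed cap; list, table and namedList otherwise nest unbounded
# Leaf member -> {field: allowed Python types}; lineEnd is the only optional field.
LEAF = {"code": {"value": (str,)}, "commit": {"value": (str,)}, "url": {"href": (str,)},
        "markdown": {"value": (str,)}, "diff": {"before": (str,), "after": (str,)},
        "fileLocation": {"fileName": (str,), "lineStart": (int,), "lineEnd": (int,)},
        "moduleLocation": {"moduleName": (str,), "offset": (int,)},
        "value": {"value": (str, int, float, bool)}}  # the scalar union member
OPTIONAL = {"lineEnd"}

def validate(node, depth=0, path="details"):
    """Return a list of problem strings; an empty list means the node is valid."""
    if depth > MAX_DEPTH:
        return [f"{path}: nesting deeper than {MAX_DEPTH}"]
    if not isinstance(node, dict) or not isinstance(node.get("type"), str):
        return [f"{path}: expected an object with a string 'type'"]
    t, problems = node["type"], []
    def each(items, sub):  # validate every child of a list-valued field, one level deeper
        if not isinstance(items, list):
            return [f"{path}.{sub}: expected a list"]
        return [p for i, it in enumerate(items) for p in validate(it, depth + 1, f"{path}.{sub}[{i}]")]
    if t in LEAF:
        for field, kinds in LEAF[t].items():
            v = node.get(field)
            if v is None:
                problems += [] if field in OPTIONAL else [f"{path}.{field}: missing"]
            # bool subclasses int in Python: reject True/False where only Int is allowed
            elif not isinstance(v, kinds) or (isinstance(v, bool) and bool not in kinds):
                problems.append(f"{path}.{field}: wrong type {type(v).__name__}")
    elif t == "list":
        problems += each(node.get("items"), "items")
    elif t == "namedList":
        items = node.get("items")
        for i, item in enumerate(items if isinstance(items, list) else []):
            ok = isinstance(item, dict) and all(isinstance(item.get(k), str) for k in ("label", "name"))
            problems += (each(item.get("values"), f"items[{i}].values") if ok
                         else [f"{path}.items[{i}]: needs string label and name"])
        problems += [] if isinstance(items, list) else [f"{path}.items: expected a list"]
    elif t == "table":
        rows = node.get("rows")  # rows is a list of lists; each row is validated like a list
        problems += each(node.get("headers"), "headers")
        problems += ([p for r, row in enumerate(rows) for p in each(row, f"rows[{r}]")]
                     if isinstance(rows, list) else [f"{path}.rows: expected a list"])
    else:
        problems.append(f"{path}: unknown type {t!r}")
    return problems
# Constructed sample: the kind of diff a missing X-Frame-Options finding would carry.
SAMPLE = {"type": "diff", "before": "Content-Type: text/html\n",
          "after": "Content-Type: text/html\nX-Frame-Options: SAMEORIGIN\n"}
```

`validate(SAMPLE)` returns an empty list; feeding it a `fileLocation` whose `lineStart` is a boolean, or a list nested more than `MAX_DEPTH` levels deep, returns a problem string with the JSON path of the offending node.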
Implementation Plan
For each type, using a separate MR, do the following:
The Generic Report type may add some complexity here, so we are bumping it to weight 3.
Testing
- Add GraphQL specs
Verification Steps
- Run the following GraphQL query on the security reports test project:

  ```graphql
  {
    project(fullPath: "<project path>") {
      pipeline(iid: "<pipeline iid>") {
        securityReportFindings(scanner: "zaproxy") {
          nodes {
            uuid
            details {
              ... on VulnerabilityDetailDiff {
                before
                after
              }
            }
          }
        }
      }
    }
  }
  ```
- Run the following query on the corresponding Vulnerability (it should be the `X-Frame-Options Header Not Set` DAST vulnerability):

  ```graphql
  {
    vulnerability(id: "gid://gitlab/Vulnerability/<Vulnerability ID>") {
      details {
        ... on VulnerabilityDetailDiff {
          before
          after
        }
      }
    }
  }
  ```
Edited by Jonathan Schafer