[BE] Add public API endpoint for MR Vulnerability Findings
Context:
We need to expose Merge Request Vulnerability Findings (the added and fixed findings of an MR) via the public GraphQL endpoint.
Problem
We already surface this via the https://gitlab.com/fernando-c/test-vs-code-security-reports/-/merge_requests/1/security_reports?type=container_scanning
REST endpoint. However, it is an internal API and does not accept an auth token, so it cannot be used externally by third-party apps such as our own GitLab VS Code extension.
Proposed query (from frontend):

    query getMRSecurityReport {
      project(fullPath: "development/static-reports/pipeline-security-tab-test-project") {
        mergeRequest(iid: "5") {
          title
          hasSecurityReports
          findingReportsComparer(reportType: SAST) {
            status
            report {
              headReportCreatedAt
              baseReportCreatedAt
              baseReportOutOfDate
              added {
                uuid
                title
                description
                severity
              }
              fixed {
                uuid
                title
                description
                severity
              }
            }
          }
        }
      }
    }
Fields we need to populate in the UI (ignore the policy-violation-related UI)
Important distinction: Pipeline vs. MR Vulnerability Findings
Two contexts for findings are relevant here.
Pipeline Vulnerability Findings - The Pipeline -> Security tab shows ALL findings detected by scanning a single branch (i.e. the whole project).
Endpoint:
https://gitlab.com/api/v4/projects/45253767/vulnerability_findings?pipeline_id=840217168&scope=dismissed&t=1681827783839
This is the URL used by the https://gitlab.com/fernando-c/test-vs-code-security-reports/-/pipelines/840217168/security page; it returns all findings found in a pipeline.
MR Vulnerability Findings - The outcome of comparing ALL findings from a pipeline run on the source branch against all findings on the target branch (master/main). Essentially this is a diff: it shows added or fixed findings only.
Endpoint:
https://gitlab.com/fernando-c/test-vs-code-security-reports/-/merge_requests/1/security_reports?type=container_scanning
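As an added example (not GitLab's code) tying the proposed query to the MR-vs-pipeline distinction above: a third-party client such as an editor extension calls the comparer over the public GraphQL API with a token and summarises only the added/fixed findings, flagging a stale base report. The instance URL and token are placeholders and SAMPLE_RESPONSE is a constructed response in the shape the query selects.

```python
# Added example, not GitLab's code: an external tool (e.g. an editor extension) calling the
# proposed findingReportsComparer field over the public GraphQL API with a token and
# summarising the MR-level added/fixed findings. URL and token are placeholders;
# SAMPLE_RESPONSE is a constructed response in the shape the query selects.
import json
import urllib.request
from collections import Counter

GRAPHQL_URL = "https://gitlab.example.com/api/graphql"  # placeholder instance URL

# Selection from the proposed query; project path and MR iid are variables.
QUERY = """query getMRSecurityReport($fullPath: ID!, $iid: String!) {
  project(fullPath: $fullPath) { mergeRequest(iid: $iid) {
    title hasSecurityReports
    findingReportsComparer(reportType: SAST) {
      status
      report { baseReportOutOfDate
        added { uuid title severity }
        fixed { uuid title severity } } } } } }"""


def build_request(token, full_path, iid):
    """Authenticated POST; the internal REST endpoint offers no token auth."""
    body = json.dumps({"query": QUERY, "variables": {"fullPath": full_path, "iid": iid}})
    return urllib.request.Request(GRAPHQL_URL, data=body.encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})


def summarize(response):
    """Per-severity counts of added/fixed findings, plus the stale-base caveat."""
    comparer = response["data"]["project"]["mergeRequest"]["findingReportsComparer"]
    report = comparer.get("report") or {}  # report may be absent until parsing finishes
    return {
        "status": comparer["status"],
        "base_out_of_date": bool(report.get("baseReportOutOfDate")),
        "added": Counter(f["severity"] for f in report.get("added", [])),
        "fixed": Counter(f["severity"] for f in report.get("fixed", [])),
    }


# Constructed sample response (values are illustrative, not real findings).
SAMPLE_RESPONSE = {"data": {"project": {"mergeRequest": {
    "title": "Add login form", "hasSecurityReports": True,
    "findingReportsComparer": {"status": "PARSED", "report": {
        "baseReportOutOfDate": True,
        "added": [{"uuid": "a1", "title": "SQL injection", "severity": "HIGH"},
                  {"uuid": "a2", "title": "Weak hash", "severity": "MEDIUM"}],
        "fixed": [{"uuid": "f1", "title": "Reflected XSS", "severity": "HIGH"}]}}}}}}
```

A stale base report (`base_out_of_date`) means the diff was computed against an outdated target-branch scan, so the added/fixed lists should be treated as provisional until the target pipeline is rerun.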
Related Work that doesn't solve the problem
Pipeline Security Tab GraphQL migration: add missing data and actions to the listing (&8478 (closed)) - This work covers migrating the existing Pipeline Findings REST endpoint to GraphQL.
Why it doesn't solve the problem: It still returns all findings in a pipeline, which is not what we want. We only want the added/fixed findings in the context of an MR that compares a source and a target branch.
Backend - Include SAST findings in inline diff view (#389867 (closed))
Why it doesn't solve the problem: This work is centered on providing visual cues at specific line numbers within the MR Changes tab, showing which line triggered a finding to be created and flagged.
#344467 (closed) (comment 1379122551)
Testing
- Add appropriate GraphQL API spec