GraphQL Vulnerability query not returning issue links correctly
Summary
The vulnerability GraphQL query doesn't always return issues linked to the vulnerability. A workaround is to call the REST API for issues linked to vulnerabilities.
Steps to reproduce
- Browse to this vulnerability and notice it has a linked issue.
- Using the GitLab GraphQL Explorer, run the following query:
query
{
vulnerability(id: "gid://gitlab/Vulnerability/62627763")
{
id
title
severity
state
reportType
resolvedOnDefaultBranch
issueLinks {
nodes {
issue {
id,
webUrl
}
}
}
}
}- Notice the
issueLinkssection has no nodes. - Execute the following REST API (GET) call and notice it returns the correct results
https://gitlab.com/api/v4/vulnerabilities/62627763/issue_links
Example Project
What is the current bug behavior?
When querying vulnerabilities using the GraphQL Vulnerability query, issues linked to the vulnerability are not returned.
What is the expected correct behavior?
When querying vulnerabilities that have linked issues, the query result correctly includes all linked issues.
Relevant logs and/or screenshots
Query:
query
{
vulnerability(id: "gid://gitlab/Vulnerability/62627763")
{
id
title
severity
state
reportType
resolvedOnDefaultBranch
issueLinks {
nodes {
issue {
id,
webUrl
}
}
}
}
}Response:
{
"data": {
"vulnerability": {
"id": "gid://gitlab/Vulnerability/62627763",
"title": "CVE-2022-3715 in bash-4.4.20-4.el8_6",
"severity": "MEDIUM",
"state": "RESOLVED",
"reportType": "CONTAINER_SCANNING",
"resolvedOnDefaultBranch": true,
"issueLinks": {
"nodes": []
}
}
}
}REST API:
GET https://gitlab.com/api/v4/vulnerabilities/62627763/issue_links
[{"id":117895299,"iid":380292,"project_id":278964,"title":"CVE-2022-3715 in bash-4.4.20-4.el8_6","description":"Issue created from vulnerability [62627763](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/security/vulnerabilities/62627763)\n\n### Description\n\n\u003cp data-sourcepos=\"1:1-1:41\" dir=\"auto\"\u003eNo description is available for this CVE.\u003c/p\u003e\n\n- Severity: Medium\n- Project: [GitLab.org / security-products / analyzers / gemnasium](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium)\n- Tool: Container_scanning\n- Scanner: Trivy\n\n\n ### Location\n \n - Image: registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium/tmp/main:7a7897fc9926e4ada33d782afcf38d53a6e472e1-fips\n \n\n \n - Namespace: redhat 8.6\n \n\n\n### Identifier\n- [CVE-2022-3715](https://access.redhat.com/security/cve/CVE-2022-3715)","state":"opened","created_at":"2022-10-31T20:29:56.174Z","updated_at":"2023-03-02T02:14:35.516Z","closed_at":null,"closed_by":null,"labels":["Category:Container Scanning","FedRAMP::Vulnerability","OS::RHEL 8","SLA::Breached","Vulnerability Impact::Scan Severity::Medium","Vulnerability Impact::Vendor Severity::Medium","Vulnerability::Vendor Package::Fix Available","[deprecated] Accepting merge requests","bug::vulnerability","devops::secure","group::composition analysis","priority::3","section::sec","security","security_auto_triage","severity::3","type::bug","vulnmapper"],"milestone":{"id":490705,"iid":14,"group_id":9970,"title":"Backlog","description":"Issues that we want to do but are not planned right now. Open for contribution from the community.","state":"active","created_at":"2018-03-22T13:09:23.767Z","updated_at":"2018-10-30T14:56:54.069Z","due_date":null,"start_date":null,"expired":false,"web_url":"https://gitlab.com/groups/gitlab-org/-/milestones/14"},"assignees":[],"author":{"id":1378158,"username":"brytannia","name":"Tetiana Chupryna","state":"active","avatar_url":"https://gitlab.com/uploads/-/system/user/avatar/1378158/avatar.png","web_url":"https://gitlab.com/brytannia"},"type":"ISSUE","assignee":null,"user_notes_count":3,"merge_requests_count":0,"upvotes":0,"downvotes":0,"due_date":"2023-01-26","confidential":true,"discussion_locked":null,"issue_type":"issue","web_url":"https://gitlab.com/gitlab-org/gitlab/-/issues/380292","time_stats":{"time_estimate":0,"total_time_spent":0,"human_time_estimate":null,"human_total_time_spent":null},"task_completion_status":{"count":0,"completed_count":0},"weight":null,"blocking_issues_count":0,"vulnerability_link_id":333150,"vulnerability_link_type":"related"}]Output of checks
/label reproduced on GitLab.com
Results of GitLab environment info
Expand for output related to GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:env:info`) (For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)
Results of GitLab application Check
Expand for output related to the GitLab application check
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true)(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true)(we will only investigate if the tests are passing)
Possible fixes
This issue seems to occur when linking a vulnerability on a project with issues disabled (under Settings -> General -> Visibility, project features, permissions) to an issue on a different project.
The Vulnerabilities::IssueLinkPolicy is delegating to the issuelink.vulnerability.project. Because that project does not have issues enabled the :read_issue permission gets removed.
A possible fix is to delegate to issuelink.issue.project instead.