Pipeline.securityReportFindings does not return all expected results
Summary
The `Pipeline.securityReportFindings` GraphQL query does not return all findings by default: findings in some states are omitted, so once a vulnerability has been dismissed the query no longer returns every finding from the pipeline's security report.
Steps to reproduce
- Create a new project.
- Add a `README.md` file with the following content:

  ```
  https://username:password@gitlab.com/test-group/project.git
  https://username:password@github.com/test-group/project.git
  ```

- Add a `.gitlab-ci.yml` file with the following content:

  ```yaml
  include:
    - template: 'Jobs/Secret-Detection.latest.gitlab-ci.yml'
  ```

- Run a pipeline.
- Visit the project's Vulnerability report page.
- Change the status of one of the vulnerabilities to Dismissed.
- Visit `/-/graphql-explorer`.
- Execute the following query:

  ```graphql
  query VulnerabilityFindings {
    project(fullPath: "gitlab-gold/alejguer-gold/tickets/438421-SecretNoDetection") {
      pipeline(iid: 3) {
        securityReportFindings {
          nodes {
            description
            state
          }
        }
      }
    }
  }
  ```
Example Project
https://gitlab.com/gitlab-gold/alejguer-gold/tickets/438421-secretnodetection/
What is the current bug behavior?
The GraphQL query only returns findings in some states; the finding that was dismissed in the steps above is not included in the result.
What is the expected correct behavior?
The GraphQL query should return all findings from the pipeline's security report, regardless of their state (including dismissed findings).
Possible fixes
Implementation Plan
- Write a test that reproduces the defect.
- Update the generated SQL query so that findings in every state are returned.
Verification Steps
- Visit the GraphQL explorer.
- Execute the following query:

  ```graphql
  query VulnerabilityFindings {
    project(fullPath: "gitlab-org/govern/threat-insights-demos/verification-projects/verify-422542") {
      pipeline(iid: 1) {
        securityReportFindings {
          nodes {
            description
            state
          }
        }
      }
    }
  }
  ```

- Ensure that two results are returned.
- Verify the same results in `gitlab-gold/alejguer-gold/tickets/438421-SecretNoDetection`.
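Added example (not GitLab's code, and not part of the original issue): a small script that runs the same `securityReportFindings` query through the GraphQL API and reports which finding states come back, so the reproduction steps and the verification steps above can be run from a shell instead of the explorer. It assumes a GitLab host reachable over HTTPS, a personal access token with `read_api` scope in the `GITLAB_TOKEN` environment variable, and the project path, pipeline IID and expected finding count as command-line arguments; the two embedded responses are constructed to mirror the reproduction scenario (two secret-detection findings, one of them dismissed) and are not output captured from a real instance.

```python
"""Check which finding states Pipeline.securityReportFindings returns.

Added example for this issue, not GitLab's own code. Assumptions: a GitLab
host reachable over HTTPS, a personal access token with read_api scope in
GITLAB_TOKEN, and the project path / pipeline IID from the steps above.
"""
import json
import os
import sys
import urllib.request
from collections import Counter

# The query from the reproduction steps, with the project path and pipeline
# IID turned into variables so the same query serves the verification project.
QUERY = """
query VulnerabilityFindings($fullPath: ID!, $iid: ID!) {
  project(fullPath: $fullPath) {
    pipeline(iid: $iid) {
      securityReportFindings {
        nodes { description state }
      }
    }
  }
}
"""


def findings_from_response(response):
    """Pull the findings list out of an already-parsed GraphQL response body."""
    if response.get("errors"):
        raise RuntimeError(f"GraphQL errors: {response['errors']}")
    project = response["data"]["project"]
    if project is None or project["pipeline"] is None:
        raise RuntimeError("project or pipeline not found (or not visible to this token)")
    return project["pipeline"]["securityReportFindings"]["nodes"]


def check_findings(nodes, expected_total, expected_states=("DETECTED", "DISMISSED")):
    """Compare the returned findings with what the Vulnerability report shows.

    expected_total: number of findings visible in the Vulnerability report.
    expected_states: states that must appear; after the steps above one
    finding is DETECTED and one is DISMISSED.
    """
    by_state = Counter(node["state"] for node in nodes)
    missing = sorted(s for s in expected_states if by_state[s] == 0)
    return {
        "count": len(nodes),
        "by_state": dict(by_state),
        "missing_states": missing,
        "ok": len(nodes) == expected_total and not missing,
    }


def fetch_findings(host, token, full_path, iid):
    """Run QUERY against https://<host>/api/graphql and return the findings."""
    payload = json.dumps(
        {"query": QUERY, "variables": {"fullPath": full_path, "iid": str(iid)}}
    ).encode()
    req = urllib.request.Request(
        f"https://{host}/api/graphql",
        data=payload,
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return findings_from_response(json.load(resp))


def _sample(states):
    # Constructed response (not captured from an instance): one secret-detection
    # finding per state given, mirroring the two credential URLs in the README.
    nodes = [{"description": f"Secret detection finding {i + 1}", "state": s}
             for i, s in enumerate(states)]
    return {"data": {"project": {"pipeline": {"securityReportFindings": {"nodes": nodes}}}}}


# Defective behaviour: the dismissed finding is dropped, only one node comes back.
BUGGY_RESPONSE = _sample(["DETECTED"])
# Expected behaviour: both findings come back, each with its own state.
FIXED_RESPONSE = _sample(["DETECTED", "DISMISSED"])


if __name__ == "__main__":
    # Usage: GITLAB_TOKEN=... python check_findings.py gitlab.com group/project 3 2
    host, full_path, iid, expected = sys.argv[1], sys.argv[2], sys.argv[3], int(sys.argv[4])
    result = check_findings(fetch_findings(host, os.environ["GITLAB_TOKEN"], full_path, iid), expected)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["ok"] else 1)
```

The script exits non-zero when the count does not match the Vulnerability report or when an expected state (here DISMISSED) is absent, which is exactly the condition the verification step "ensure that two results are returned" is checking for.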
Edited by mo khan