[Backend] SAST scanner is missing in GraphQL Query
Overview
- This issue is intended to add the missing `scanner` field to the `findingReportsComparer` type.
- The same field is already present in the `/security_reports?type=sast` internal endpoint.
- See example: jannik_lehmann/sast-inline-findings-example!2 (search for `Semgrep`).
Implementation Plan
Below is a quick breakdown of the necessary tasks to implement this.
- Update `findingType` to include a new field `scanner`.
- Create a new GraphQL type under `Types::Security::FindingReportsComparer` to represent the new field.
- Add `name`, `external_id`, and `vendor` fields under the new type (see example).
- Ensure the new field is behind the feature flag `sast_reports_in_inline_diff` (see example).
- Update existing specs and introduce a spec for the new GraphQL type.
- Update the GraphQL documentation, see guidelines.
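The steps above can be read as one small resolver. The following is an added illustration written for this page, not GitLab's own code and not the graphql-ruby type definition the MR will contain: it models, in plain Ruby, what the planned `scanner` field returns for one `added` finding, how the snake_case names `name`, `external_id`, `vendor` surface as camelCase in the schema, and how the `sast_reports_in_inline_diff` flag gates the field. It assumes (not stated in the issue) that a raw finding from `/security_reports?type=sast` is a Hash with a `scanner` sub-hash carrying those three keys, and it takes the flag state as an argument instead of calling `Feature.enabled?`. The sample finding is constructed.

```ruby
# Added illustration, not GitLab's code: a plain-Ruby model of the resolver
# behaviour the implementation plan describes for the new `scanner` field.
# Assumptions (not from the issue): a raw finding from
# /security_reports?type=sast is a Hash whose "scanner" entry carries
# "name", "external_id" and "vendor"; the feature-flag state is passed in
# by the caller instead of being read via Feature.enabled?.
require 'json'

module ScannerFieldExample
  FEATURE_FLAG = :sast_reports_in_inline_diff
  SCANNER_KEYS = %w[name external_id vendor].freeze

  # Constructed sample finding shaped like the internal endpoint's output.
  SAMPLE_FINDING = JSON.parse(<<~JSON).freeze
    {
      "uuid": "00000000-0000-0000-0000-000000000000",
      "severity": "high",
      "scanner": { "name": "Semgrep", "external_id": "semgrep", "vendor": "GitLab" }
    }
  JSON

  # graphql-ruby exposes snake_case Ruby field names as camelCase in the schema.
  def self.camelize(key)
    head, *rest = key.split('_')
    ([head] + rest.map(&:capitalize)).join
  end

  # What the field resolver returns: nil while the flag is off (the schema
  # field stays nullable), otherwise the three scanner attributes.
  def self.resolve_scanner(finding, flags:)
    return nil unless flags.fetch(FEATURE_FLAG, false)

    raw = finding['scanner']
    return nil unless raw.is_a?(Hash)

    SCANNER_KEYS.to_h { |k| [camelize(k), raw[k]] }
  end

  # One entry of the comparer report's `added` list for the sample finding.
  def self.compared_finding(finding, flags:)
    {
      'uuid' => finding['uuid'],
      'severity' => finding['severity'],
      'scanner' => resolve_scanner(finding, flags: flags)
    }
  end
end

if $PROGRAM_NAME == __FILE__
  puts JSON.pretty_generate(
    ScannerFieldExample.compared_finding(ScannerFieldExample::SAMPLE_FINDING,
                                         flags: { sast_reports_in_inline_diff: true })
  )
end
```

With the flag off the `scanner` key is still present but `null`, which is the behaviour a nullable gated field gives clients; a spec for the new type should cover both states.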
Example Query
```graphql
query getMRCodequalityAndSecurityReports {
  project(fullPath: "jannik_lehmann/sast-inline-findings-example") {
    id
    mergeRequest(iid: "2") {
      id
      title
      project {
        nameWithNamespace
        fullPath
      }
      hasSecurityReports
      sastReport: findingReportsComparer(reportType: SAST) {
        status
        report {
          added {
            # New field proposed by this issue; selection set follows the planned type.
            scanner {
              name
              externalId
              vendor
            }
            identifiers {
              externalId
              externalType
              name
              url
            }
            uuid
            title
            description
            state
            severity
            foundByPipelineIid
            location {
              ... on VulnerabilityLocationSast {
                file
                startLine
                endLine
                vulnerableClass
                vulnerableMethod
                blobPath
              }
            }
          }
        }
      }
    }
  }
}
```
Design
Below is an example of where the scanner will be displayed on the frontend.
Example: (screenshot not reproduced in this copy of the issue)
Edited by Ahmed Hemdan