Improve vulnerability report tool filter filtering
What does this MR do and why?
This MR changes the way `tool_with_vendor_filter.vue` does its filtering. This filter is only used on the project vulnerability report.

Previously, it was filtering on 2 fields: `reportType` and `scannerId` (the ID of the actual scanner, e.g. eslint, gitleaks, etc.). `reportType` was hard-coded to `REPORT_TYPE_PRESETS.DEVELOPMENT`, and `scannerId` changes based on the selected tools. This MR changes the following:

- If there are no selected items, it will filter `reportType` by the preset.
- If there is no custom vendor and some items are selected, it will filter `reportType` by the selected items.
- If there is a custom vendor and some items are selected, it will filter by `scannerId`.
- If there is a custom vendor, some items are selected, but there are no scanners for the selected items, it will filter by `reportType`.

In short, either `reportType` or `scannerId` will be used, but not both at the same time.
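The four cases above, written out as a pure function that builds the filter variables. This is an added example, not the MR's own component code; the preset contents, the `hasCustomVendor` flag, the scanner objects and the sample data are all assumptions.

```javascript
// Assumed preset: the real REPORT_TYPE_PRESETS in the project may list other report types.
const REPORT_TYPE_PRESETS = {
  DEVELOPMENT: ['SAST', 'SECRET_DETECTION', 'DEPENDENCY_SCANNING'],
};

/**
 * Decide which single field the vulnerability query should filter on.
 * @param {string[]} selectedItems   report types chosen in the tool filter, e.g. ['SAST']
 * @param {boolean}  hasCustomVendor whether the project defines a custom scanner vendor
 * @param {Array<{id: string, reportType: string}>} scanners scanners known for the project
 * @returns {{reportType?: string[], scannerId?: string[]}} exactly one key is ever set
 */
function buildToolFilter({ selectedItems, hasCustomVendor, scanners }) {
  // Case 1: nothing selected -> filter reportType by the preset.
  if (selectedItems.length === 0) {
    return { reportType: REPORT_TYPE_PRESETS.DEVELOPMENT };
  }
  // Case 2: no custom vendor -> filter reportType by the selected items.
  if (!hasCustomVendor) {
    return { reportType: selectedItems };
  }
  // Case 3: custom vendor -> filter by the IDs of scanners belonging to the selected items.
  const scannerIds = scanners
    .filter((scanner) => selectedItems.includes(scanner.reportType))
    .map((scanner) => scanner.id);
  if (scannerIds.length > 0) {
    return { scannerId: scannerIds };
  }
  // Case 4: custom vendor but no scanners for the selection -> fall back to reportType.
  return { reportType: selectedItems };
}

// Constructed sample scanners (ids are illustrative, not real project data).
const SAMPLE_SCANNERS = [
  { id: 'eslint', reportType: 'SAST' },
  { id: 'gitleaks', reportType: 'SECRET_DETECTION' },
];
```

Because only one of the two keys is ever set, a selection of just SAST can no longer match secret detection rows through the preset-wide `reportType` filter.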
This change fixes the following issues:

- For the `gitlab-org/gitlab` project, secret detection results are shown in addition to SAST results when only SAST is selected.
- No results are shown when only secret detection is selected.
- It slightly speeds up the database query because it no longer has to filter on 2 fields.
- It reduces confusion with how the filters are applied.
How to set up and validate locally
- Test the tool filter against a project with a custom vendor, for example this one, and verify that the GraphQL calls match the above behavior.
- Test the tool filter against a project without a custom vendor, for example this one, and verify that the GraphQL calls match the above behavior.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #351719 (closed)
Edited by Daniel Tian