Fix Query.vulnerabilitiesCountByDay always returning nil data
What does this MR do and why?
Fixes: #419514 (closed)
f10225e7 added some missing authorization checks to `VulnerabilitiesCountPerDayResolver`. However, these authorization checks produce false positives when trying to resolve counts for the instance security dashboard. This is because the resolver uses object authorization, and there is no object for `QueryType`. To fix this, we skip the authorization check when resolving for the instance security dashboard.
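To make the failure mode concrete, here is an added plain-Ruby model of a resolver that authorizes against its parent object; it is illustration written for this page, not GitLab's resolver or policy code. When the field hangs off `QueryType` there is no parent object, so object authorization can never pass and the field resolves to nil. `Ability`, `CountsResolverBefore`, `CountsResolverAfter`, the `Stat` rows and the signed-in-user requirement in the fixed version are all hypothetical stand-ins and assumptions of this example.

```ruby
# Added illustration, not GitLab's code: a plain-Ruby model of a GraphQL
# resolver that authorizes against its parent object. For a top-level field
# on QueryType the parent object is nil, so object authorization can never
# succeed and the field resolves to nil. All class and method names are
# hypothetical stand-ins for the real resolver and policy classes.
require 'date'

User = Struct.new(:name, :admin)
Project = Struct.new(:full_path, :member_names)
Stat = Struct.new(:project, :date, :critical, :high)

# Hypothetical policy: a user may read vulnerabilities of a project they belong to.
module Ability
  def self.allowed?(user, ability, object)
    return false if user.nil? || object.nil? # nil object: nothing to authorize against
    case ability
    when :read_vulnerability then object.member_names.include?(user.name)
    else false
    end
  end
end

# Constructed sample data standing in for Vulnerabilities::HistoricalStatistic rows.
PROJECT_A = Project.new('group/a', %w[alice])
PROJECT_B = Project.new('group/b', %w[bob])
STATS = [
  Stat.new(PROJECT_A, Date.new(2023, 7, 1), 1, 2),
  Stat.new(PROJECT_A, Date.new(2023, 7, 2), 1, 3),
  Stat.new(PROJECT_B, Date.new(2023, 7, 2), 0, 1)
].freeze

# Before the fix: object authorization is applied unconditionally, so an
# object of nil (the QueryType case) always fails and the resolver returns nil.
class CountsResolverBefore
  attr_reader :object, :current_user

  def initialize(object:, current_user:)
    @object = object
    @current_user = current_user
  end

  def resolve(start_date:, end_date:)
    return nil unless authorized?

    counts_for(start_date, end_date)
  end

  def authorized?
    Ability.allowed?(current_user, :read_vulnerability, object)
  end

  private

  # Aggregates per day; with no parent project (instance level) every project counts.
  def counts_for(start_date, end_date)
    STATS.select { |s| (object.nil? || s.project == object) && (start_date..end_date).cover?(s.date) }
         .group_by(&:date)
         .sort
         .map { |date, rows| { date: date, critical: rows.sum(&:critical), high: rows.sum(&:high) } }
  end
end

# After the fix: skip object authorization only when resolving for the
# instance dashboard (no parent object); a project parent is still authorized.
class CountsResolverAfter < CountsResolverBefore
  def authorized?
    # Assumption of this example: a signed-in user is still required at instance level.
    return !current_user.nil? if instance_dashboard?

    super
  end

  def instance_dashboard?
    object.nil?
  end
end
```

The thing to check in review is that the skip is scoped to the no-object case only: a project parent must still go through object authorization, and the instance-level counts must still be limited to the projects the user has added to their dashboard rather than every project on the instance.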
How to set up and validate locally
- Log in as root and go to `<instance_url>/-/graphql-explorer`.
- Run this mutation:

```graphql
mutation addProjectToSecurityDashboard {
  addProjectToSecurityDashboard(input: { id: "gid://gitlab/Project/1" }) {
    errors
    project {
      id
    }
  }
}
```
- Find the first and last stat dates using the Rails console:

```ruby
# Order in the database instead of loading every row and sorting in Ruby
stats = Vulnerabilities::HistoricalStatistic.order(:date)
puts stats.first.date
puts stats.last.date
```
- Run this query, substituting the first and last dates found above:

```graphql
query projectVulnerabilitiesCount {
  project(fullPath: "gitlab-org/gitlab-test") {
    id
    vulnerabilitiesCountByDay(startDate: "<first_date>", endDate: "<last_date>") {
      nodes {
        date
        critical
        high
        info
        low
        medium
        unknown
      }
    }
  }
}
```
- Observe that it returns results (before the fix, it would return `"vulnerabilitiesCountByDay": nil`).
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.