
Fix Query.vulnerabilitiesCountByDay always returning nil data

What does this MR do and why?

Fixes: #419514 (closed)

f10225e7 added some missing authorization checks to VulnerabilitiesCountPerDayResolver. However, these authorization checks produce false positives (they deny access) when resolving counts for the instance security dashboard. This is because the resolver uses object authorization, and there is no object for QueryType. To fix this, we skip the authorization check when resolving for the instance security dashboard.
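As an added illustration of the failure mode and the fix (this is not GitLab's code; Project, User, Stat, CountsResolver and can? are hypothetical stand-ins, and the statistics are constructed), a toy resolver that runs object authorization when it has a Project and, after the fix, skips that check at the Query root, relying instead on scoping the data to the user's own dashboard projects:

```ruby
# Added illustration, not GitLab's code: a toy resolver that mirrors the
# bug and the fix described above. Every class and method name here
# (Project, User, Stat, CountsResolver, can?) is a hypothetical stand-in.
require 'date'

SEVERITIES = %i[critical high medium low info unknown].freeze

# Constructed stand-ins for the real models.
Project = Struct.new(:id, :full_path, :member_names)
Stat    = Struct.new(:project_id, :date, *SEVERITIES)
User    = Struct.new(:name, :dashboard_project_ids) do
  # Object-level permission: only members may read a project's vulnerabilities.
  def can?(ability, project)
    ability == :read_vulnerability && project.member_names.include?(name)
  end
end

class CountsResolver
  # object is a Project for Project.vulnerabilitiesCountByDay and nil for
  # Query.vulnerabilitiesCountByDay (the instance security dashboard).
  # fixed: false reproduces the old behaviour, true the behaviour after the fix.
  def initialize(object:, current_user:, stats:, fixed:)
    @object = object
    @user = current_user
    @stats = stats
    @fixed = fixed
  end

  def authorized?
    if @object.nil?
      # Old behaviour: object authorization against nil always denies, so the
      # root-level field resolved to nil. Fixed behaviour: there is nothing to
      # authorize at the Query root; skip the check and rely on scoping the
      # data to the user's own dashboard projects (see resolve).
      return @fixed
    end

    @user.can?(:read_vulnerability, @object)
  end

  # Returns nil when unauthorized, otherwise one row per date in the range
  # with per-severity totals, like the GraphQL `nodes` in the description.
  def resolve(start_date:, end_date:)
    return nil unless authorized?

    project_ids = @object ? [@object.id] : @user.dashboard_project_ids
    rows = @stats.select do |s|
      project_ids.include?(s.project_id) && (start_date..end_date).cover?(s.date)
    end

    rows.group_by(&:date).sort.map do |date, group|
      totals = SEVERITIES.to_h { |sev| [sev, group.sum(&sev)] }
      { date: date.iso8601 }.merge(totals)
    end
  end
end

# Constructed sample data: project 3 is not on root's dashboard.
STATS = [
  Stat.new(1, Date.new(2023, 7, 1), 2, 1, 0, 0, 0, 0),
  Stat.new(1, Date.new(2023, 7, 2), 2, 2, 1, 0, 0, 0),
  Stat.new(2, Date.new(2023, 7, 1), 0, 0, 3, 1, 0, 0),
  Stat.new(3, Date.new(2023, 7, 1), 9, 9, 9, 9, 9, 9)
].freeze
PROJECT_ONE = Project.new(1, 'gitlab-org/gitlab-test', ['root'])
ROOT  = User.new('root', [1, 2])
GUEST = User.new('guest', [])
RANGE = { start_date: Date.new(2023, 7, 1), end_date: Date.new(2023, 7, 2) }.freeze

# Query.vulnerabilitiesCountByDay: no object, so the outcome depends on the fix.
def instance_counts(fixed:)
  CountsResolver.new(object: nil, current_user: ROOT, stats: STATS, fixed: fixed).resolve(**RANGE)
end

# Project.vulnerabilitiesCountByDay: object authorization still applies.
def project_counts(user)
  CountsResolver.new(object: PROJECT_ONE, current_user: user, stats: STATS, fixed: true).resolve(**RANGE)
end

if __FILE__ == $PROGRAM_NAME
  p instance_counts(fixed: false) # nil, the reported bug
  p instance_counts(fixed: true)  # rows for projects 1 and 2 only
  p project_counts(GUEST)         # nil, guest is not a member
end
```

The point worth checking in review is that skipping the object check at the root does not widen access: the root-level path still filters to the caller's own dashboard projects, and the project-level path still denies non-members.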

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Log in as root and go to <instance_url>/-/graphql-explorer

  2. Run this mutation:

    mutation addProjectToSecurityDashboard {
      addProjectToSecurityDashboard(input: { id: "gid://gitlab/Project/1" }) {
        errors
        project {
          id
        }
      }
    }

  3. Find the first and last stat dates using the rails console:

    stats = Vulnerabilities::HistoricalStatistic.all.sort_by(&:date); puts stats.first.date; puts stats.last.date

  4. Run this query:

    query projectVulnerabilitiesCount {
      project(fullPath: "gitlab-org/gitlab-test") {
        id
        vulnerabilitiesCountByDay(startDate: "<first_date>", endDate: "<second_date>") {
          nodes {
            date
            critical
            high
            info
            low
            medium
            unknown
          }
        }
      }
    }

  5. Observe that it returns results (before this change, it would return "vulnerabilitiesCountByDay": nil)

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Brian Williams
