Update FindingType to include location and identifiers fields
What does this MR do and why?
This merge request updates `Types::Security::FindingReportsComparer::FindingType` to include two fields:

- `location`
- `identifiers`

Both fields are to be used by the frontend to display details of a detected vulnerability as per the current design (see mockup).
Please note that the fields are only returned when the feature flag `sast_reports_in_inline_diff` is enabled. The flag was previously used for a related feature that never shipped as a result of a redesign. It was agreed that the flag would be used for any backend changes made to support the inclusion of SAST findings in the MR changes tab; it has a corresponding rollout issue, but is unlikely to be rolled out until #418831 (closed) is finished and the rest of iteration 1 is done.
Resolves #418832 (closed).
How to set up and validate locally

- Enable SAST in one of the projects you have.
- Create a merge request with some vulnerable code, e.g. add `vuln.escapeMarkup = false;` in a JavaScript file.
- Wait until the SAST report is generated.
- Try to load the merge request security reports via GraphQL using the query below in graphql-explorer:
```graphql
query getMRSecurityReport {
  project(fullPath: "PROJECT_FULL_PATH") {
    mergeRequest(iid: "MERGE_REQUEST_ID") {
      title
      hasSecurityReports
      findingReportsComparer(reportType: SAST) {
        status
        report {
          headReportCreatedAt
          baseReportCreatedAt
          baseReportOutOfDate
          added {
            uuid
            title
            description
            state
            severity
            foundByPipelineIid
            location {
              ... on VulnerabilityLocationSast {
                file
                startLine
                endLine
                vulnerableClass
                vulnerableMethod
                blobPath
              }
            }
            # identifiers is a list of VulnerabilityIdentifier objects, so it needs a sub-selection
            identifiers {
              externalType
              externalId
              name
              url
            }
          }
          fixed {
            uuid
            title
            description
            state
            severity
            foundByPipelineIid
            location {
              ... on VulnerabilityLocationSast {
                file
                startLine
                endLine
                vulnerableClass
                vulnerableMethod
                blobPath
              }
            }
            identifiers {
              externalType
              externalId
              name
              url
            }
          }
        }
      }
    }
  }
}
```
Do not forget to replace `MERGE_REQUEST_ID` with the merge request iid and `PROJECT_FULL_PATH` with the `:namespace/:project` path of your project.
- Both fields will return `null` while the feature flag is disabled.
- Enable the feature flag in the Rails console:

```ruby
Feature.enable(:sast_reports_in_inline_diff)
```

- Restart your GDK and repeat the above GraphQL query. The response should now include populated `location` and `identifiers`.
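To automate the validation steps above, here is an added example (not part of this MR or the GitLab code base) that posts the same query to `/api/graphql` and classifies each finding by whether the two flag-gated fields came back populated. It assumes a personal access token for authentication and that `identifiers` is a list of `VulnerabilityIdentifier` objects exposing `externalType`, `externalId` and `name`.

```ruby
require 'json'
require 'net/http'
require 'uri'

# Same query as in the MR description, parameterised with GraphQL variables.
# The sub-selection on `identifiers` (VulnerabilityIdentifier fields) is an assumption.
MR_SECURITY_REPORT_QUERY = <<~GRAPHQL
  query getMRSecurityReport($fullPath: ID!, $iid: String!) {
    project(fullPath: $fullPath) {
      mergeRequest(iid: $iid) {
        findingReportsComparer(reportType: SAST) {
          report {
            added { uuid location { ... on VulnerabilityLocationSast { file startLine } } identifiers { externalType externalId name } }
            fixed { uuid location { ... on VulnerabilityLocationSast { file startLine } } identifiers { externalType externalId name } }
          }
        }
      }
    }
  }
GRAPHQL

# POST the query to a GDK (or other GitLab) instance with a personal access token; network only, not run offline.
def fetch_report(gitlab_url, token, full_path, iid)
  uri = URI.join(gitlab_url, '/api/graphql')
  req = Net::HTTP::Post.new(uri, 'Content-Type' => 'application/json', 'PRIVATE-TOKEN' => token)
  req.body = { query: MR_SECURITY_REPORT_QUERY, variables: { fullPath: full_path, iid: iid.to_s } }.to_json
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |http| http.request(req) }
  JSON.parse(res.body)
end

# Classify every added/fixed finding by the state of the two gated fields: :gated when both are null
# (flag disabled), :populated when both are present (flag enabled), :partial otherwise (worth investigating).
def check_gated_fields(response)
  report = response.dig('data', 'project', 'mergeRequest', 'findingReportsComparer', 'report') || {}
  findings = Array(report['added']) + Array(report['fixed'])
  findings.to_h do |f|
    state = if f['location'].nil? && f['identifiers'].nil? then :gated
            elsif f['location'] && f['identifiers'] then :populated
            else :partial
            end
    [f['uuid'], state]
  end
end

# Constructed sample response (not real API output) standing in for either state of the feature flag.
def sample_response(location, identifiers)
  finding = { 'uuid' => 'finding-1', 'location' => location, 'identifiers' => identifiers }
  { 'data' => { 'project' => { 'mergeRequest' => { 'findingReportsComparer' =>
    { 'status' => 'PARSED', 'report' => { 'added' => [finding], 'fixed' => [] } } } } } }
end
```

Run `check_gated_fields(fetch_report(ENV['GDK_URL'], ENV['GITLAB_TOKEN'], 'group/project', 1))` before and after enabling the flag; every finding should move from `:gated` to `:populated`.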
MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

- I have evaluated the MR acceptance checklist for this MR.