Add missing scanner field to findingReportsComparer
What does this MR do and why?
This adds the missing scanner field to the findingReportsComparer type so that the vulnerability scanner information is available.
Feature flag
Please also note that all changes in this merge request are behind the sast_reports_in_inline_diff feature flag (roll-out issue).
Resolves #430864 (closed).
How to set up and validate locally
- Enable SAST in one of the projects you have.
- Create a merge request with some vulnerable code, e.g. add vuln.escapeMarkup = false; in a JavaScript file.
- Wait until the SAST report is generated.
- Try to load the merge request security reports via GraphQL using the query below in graphql-explorer:
query getMRCodequalityAndSecurityReports {
  project(fullPath: "PROJECT_FULL_PATH") {
    id
    mergeRequest(iid: "MERGE_REQUEST_ID") {
      id
      title
      project {
        nameWithNamespace
        fullPath
      }
      hasSecurityReports
      sastReport: findingReportsComparer(reportType: SAST) {
        status
        report {
          added {
            identifiers {
              externalId
              externalType
              name
              url
            }
            uuid
            title
            description
            state
            severity
            scanner {
              name
              externalId
              vendor
            }
            foundByPipelineIid
            location {
              ... on VulnerabilityLocationSast {
                file
                startLine
                endLine
                vulnerableClass
                vulnerableMethod
                blobPath
              }
            }
          }
        }
      }
    }
  }
}
Do not forget to replace MERGE_REQUEST_ID with the merge request id, and PROJECT_FULL_PATH with the :namespace/:project path of your project.
- Verify that scanner under findingReportsComparer returns the correct information about the vulnerability scanner.
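As an added example (not part of this MR or of GitLab's own code), the validation step above as a small Python script: it sends a trimmed version of the query to /api/graphql with a personal access token and reports every added SAST finding whose scanner name, externalId or vendor is missing. It assumes GITLAB_URL and the token are supplied by the caller, and that PARSED is the ready value of the comparer status enum.

```python
import json
import os
import urllib.request

GITLAB_URL = os.environ.get("GITLAB_URL", "https://gitlab.com")  # assumption: override for self-managed

# Trimmed version of the query from the MR description, with variables instead of placeholders.
QUERY = """
query getMRSastScanner($fullPath: ID!, $iid: String!) {
  project(fullPath: $fullPath) { mergeRequest(iid: $iid) {
    sastReport: findingReportsComparer(reportType: SAST) {
      status
      report { added { uuid title severity scanner { name externalId vendor } } }
    }
  } }
}
"""

def fetch_report(full_path, iid, token, url=GITLAB_URL):
    """POST the query to /api/graphql with a personal access token and return the decoded JSON."""
    body = json.dumps({"query": QUERY, "variables": {"fullPath": full_path, "iid": str(iid)}}).encode()
    req = urllib.request.Request(f"{url}/api/graphql", data=body,
                                 headers={"Content-Type": "application/json", "PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def check_scanner_fields(response):
    """Return a list of problems; an empty list means every added finding carries full scanner info."""
    if response.get("errors"):
        return [f"graphql error: {e.get('message')}" for e in response["errors"]]
    comparer = response["data"]["project"]["mergeRequest"]["sastReport"]
    if comparer["status"] != "PARSED":  # assumption: PARSED is the ready state of the status enum
        return [f"report not ready: status={comparer['status']}"]
    problems = []
    for finding in comparer["report"]["added"]:
        scanner = finding.get("scanner") or {}
        missing = [k for k in ("name", "externalId", "vendor") if not scanner.get(k)]
        if missing:
            problems.append(f"{finding['uuid']}: scanner fields missing: {', '.join(missing)}")
    return problems

# Constructed sample response (not real API output) so the check can be exercised offline.
SAMPLE_RESPONSE = {"data": {"project": {"mergeRequest": {"sastReport": {"status": "PARSED", "report": {"added": [
    {"uuid": "aaaa-1", "title": "Improper neutralization of data in markup", "severity": "MEDIUM",
     "scanner": {"name": "Semgrep", "externalId": "semgrep", "vendor": "GitLab"}},
    {"uuid": "bbbb-2", "title": "Hardcoded credential", "severity": "LOW", "scanner": None},
]}}}}}}
```

Against a real instance, pass the result of fetch_report(PROJECT_FULL_PATH, MERGE_REQUEST_ID, token) to check_scanner_fields; offline, run it on SAMPLE_RESPONSE, which flags the second finding.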
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Ahmed Hemdan