
Add missing scanner field to findingReportsComparer

What does this MR do and why?

This adds the missing scanner field to the findingReportsComparer type to make the vulnerability scanner information available.

Feature flag

Please also note that all changes in this merge request are behind the sast_reports_in_inline_diff feature flag (roll-out issue).

Resolves #430864 (closed).

How to set up and validate locally

  • Enable SAST in one of the projects you have.
  • Create a merge request with some vulnerable code, e.g. add vuln.escapeMarkup = false; in a JavaScript file.
  • Wait until the SAST report is generated.
  • Try to load the merge request security reports via GraphQL using the query below in graphql-explorer:
query getMRCodequalityAndSecurityReports {
  project(fullPath: "PROJECT_FULL_PATH") {
    id
    mergeRequest(iid: "MERGE_REQUEST_ID") {
      id
      title
      project {
        nameWithNamespace
        fullPath
      }
      hasSecurityReports
      sastReport: findingReportsComparer(reportType: SAST) {
        status
        report {
          added {
            identifiers {
              externalId
              externalType
              name
              url
            }
            uuid
            title
            description
            state
            severity
            scanner {
              name
              externalId
              vendor
            }
            foundByPipelineIid
            location {
              ... on VulnerabilityLocationSast {
                file
                startLine
                endLine
                vulnerableClass
                vulnerableMethod
                blobPath
              }
            }
          }
        }
      }
    }
  }
}

Do not forget to replace MERGE_REQUEST_ID with the merge request id, and PROJECT_FULL_PATH with the :namespace/:project path of your project.

  • Verify scanner under findingReportsComparer returns the correct information about the vulnerability scanner.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Ahmed Hemdan
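
The last validation step above, checking that scanner is populated for every added finding, can be automated against a saved response of the query. The following is an added example, not code from the merge request or from GitLab; the helper names, the sample data, and the reading of PARSED as "comparison finished" are assumptions.

```python
# Added example (not GitLab code): offline check of a findingReportsComparer response.
REQUIRED = ("name", "externalId", "vendor")  # scanner fields selected in the query


def check_scanner_fields(response):
    """Return (status, problems, findings-per-scanner) for one query response."""
    sast = response["data"]["project"]["mergeRequest"].get("sastReport") or {}
    status = sast.get("status")
    # Assumption: "PARSED" is the status of a finished comparison; anything
    # else means the report is not ready and there is nothing to validate yet.
    if status != "PARSED":
        return status, [f"report not ready (status={status})"], {}
    problems, counts = [], {}
    for finding in (sast.get("report") or {}).get("added") or []:
        label = finding.get("uuid") or finding.get("title") or "<unknown>"
        scanner = finding.get("scanner") or {}
        missing = [f for f in REQUIRED if not scanner.get(f)]
        if missing:
            problems.append(f"{label}: scanner missing {', '.join(missing)}")
        else:
            key = scanner["externalId"]
            counts[key] = counts.get(key, 0) + 1
    return status, problems, counts


def wrap(sast_report):
    """Build the response envelope the query returns around sastReport."""
    return {"data": {"project": {"mergeRequest": {"sastReport": sast_report}}}}


# Constructed sample data; every value below is a placeholder.
GOOD = {"name": "Example Scanner", "externalId": "example_scanner",
        "vendor": "Example Vendor"}
SAMPLE = wrap({"status": "PARSED", "report": {"added": [
    {"uuid": "constructed-uuid-1", "title": "Finding A", "scanner": GOOD},
    {"uuid": "constructed-uuid-2", "title": "Finding B", "scanner": None},
    {"uuid": "constructed-uuid-3", "title": "Finding C",
     "scanner": {"name": "Example Scanner", "externalId": "", "vendor": None}},
]}})
PENDING = wrap({"status": "PARSING", "report": None})

if __name__ == "__main__":
    for name, resp in (("sample", SAMPLE), ("pending", PENDING)):
        print(name, check_scanner_fields(resp))
```

An empty problems list together with a PARSED status means every added finding carries complete scanner information.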
