Fix location.blobPath in findingReportsComparer
What does this MR do and why?
This ensures that location.blobPath in the findingReportsComparer type is not empty, by merging the attribute from the received object into the location object.
Feature flag
Please also note that all changes in this merge request are behind the sast_reports_in_inline_diff feature flag (roll-out issue).
Resolves #430876 (closed).
How to set up and validate locally
- Enable SAST in one of the projects you have.
- Create a merge request with some vulnerable code, e.g. add
  vuln.escapeMarkup = false;
  in a JavaScript file.
- Wait until the SAST report is generated.
- Try to load the merge request security reports via GraphQL using the query below in graphql-explorer:
```graphql
query getMRCodequalityAndSecurityReports {
  project(fullPath: "PROJECT_FULL_PATH") {
    id
    mergeRequest(iid: "MERGE_REQUEST_ID") {
      id
      title
      project {
        nameWithNamespace
        fullPath
      }
      hasSecurityReports
      sastReport: findingReportsComparer(reportType: SAST) {
        status
        report {
          added {
            identifiers {
              externalId
              externalType
              name
              url
            }
            uuid
            title
            description
            state
            severity
            foundByPipelineIid
            # location is a union type, so it must be queried with a selection set
            location {
              ... on VulnerabilityLocationSast {
                file
                startLine
                endLine
                vulnerableClass
                vulnerableMethod
                blobPath
              }
            }
          }
        }
      }
    }
  }
}
```
Do not forget to replace MERGE_REQUEST_ID with the merge request IID (the number shown in the merge request URL, which is what the iid argument expects) and PROJECT_FULL_PATH with the :namespace/:project path of your project.
- Verify that location.blobPath under findingReportsComparer returns the correct, non-empty blob path for each added finding.
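The validation steps above can be scripted instead of read off graphql-explorer by hand. The following is an added example for this MR's validation procedure, not GitLab's own code: it posts the same findingReportsComparer query to the GraphQL API and flags any added SAST finding whose location.blobPath is empty. The GITLAB_URL and GITLAB_TOKEN environment variables, the use of a personal access token with read_api scope, and the two-finding sample response are assumptions constructed for the example; the check that blobPath ends with location.file assumes the blob URL is built as blob/<sha>/<file>, as GitLab blob paths are.

```python
"""Check that every added SAST finding from findingReportsComparer has a
populated location.blobPath.  Added example; not GitLab code."""
import json
import os
import sys
import urllib.request

# The MR description's query, reduced to the fields this check needs and
# parameterised with GraphQL variables instead of placeholder strings.
QUERY = """
query getMRSastReport($fullPath: ID!, $iid: String!) {
  project(fullPath: $fullPath) {
    mergeRequest(iid: $iid) {
      hasSecurityReports
      sastReport: findingReportsComparer(reportType: SAST) {
        status
        report {
          added {
            uuid
            title
            severity
            location {
              ... on VulnerabilityLocationSast { file startLine endLine blobPath }
            }
          }
        }
      }
    }
  }
}
"""


def fetch_report(full_path, mr_iid, base_url=None, token=None):
    """POST the query to <GITLAB_URL>/api/graphql and return the decoded body.
    GITLAB_URL / GITLAB_TOKEN are assumed environment variables (assumption)."""
    base_url = base_url or os.environ["GITLAB_URL"]
    token = token or os.environ["GITLAB_TOKEN"]
    body = json.dumps({"query": QUERY,
                       "variables": {"fullPath": full_path, "iid": str(mr_iid)}}).encode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/graphql", data=body,
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def check_blob_paths(response):
    """Return a list of problem strings; an empty list means every added SAST
    finding has a non-empty blobPath that ends with its location.file."""
    if response.get("errors"):
        return [f"GraphQL error: {e.get('message')}" for e in response["errors"]]
    mr = response["data"]["project"]["mergeRequest"]
    if not mr["hasSecurityReports"]:
        return ["merge request has no security reports"]
    comparer = mr["sastReport"]
    if comparer["status"] != "PARSED":   # report is null while PARSING or on ERROR
        return [f"report status is {comparer['status']}, not PARSED"]
    problems = []
    for finding in comparer["report"]["added"]:
        loc = finding.get("location") or {}
        blob_path = loc.get("blobPath")
        if not blob_path:
            problems.append(f"{finding['uuid']}: empty blobPath for {loc.get('file')}")
        elif loc.get("file") and not blob_path.endswith(loc["file"]):
            problems.append(f"{finding['uuid']}: blobPath {blob_path} "
                            f"does not end with {loc['file']}")
    return problems


def sample_response(second_blob_path):
    """Constructed two-finding response (not real API output).  The caller picks
    the second finding's blobPath so both the empty-path bug and the fixed
    behaviour can be exercised offline."""
    sha = "0123abcd"
    return {"data": {"project": {"mergeRequest": {
        "hasSecurityReports": True,
        "sastReport": {"status": "PARSED", "report": {"added": [
            {"uuid": "11111111-1111-4111-8111-111111111111",
             "title": "Markup escaping disabled", "severity": "MEDIUM",
             "location": {"file": "app/assets/javascripts/vuln.js", "startLine": 12,
                          "endLine": 12,
                          "blobPath": f"/group/project/-/blob/{sha}/app/assets/javascripts/vuln.js"}},
            {"uuid": "22222222-2222-4222-8222-222222222222",
             "title": "Markup escaping disabled", "severity": "MEDIUM",
             "location": {"file": "lib/render.js", "startLine": 3, "endLine": 3,
                          "blobPath": second_blob_path}},
        ]}}}}}}


if __name__ == "__main__":
    # Usage: python check_blob_paths.py group/project 42
    issues = check_blob_paths(fetch_report(sys.argv[1], sys.argv[2]))
    print("\n".join(issues) or "all added SAST findings have a blobPath")
    sys.exit(1 if issues else 0)
```

Run it against a merge request that has a finished SAST pipeline; a non-zero exit means at least one added finding came back with the empty blobPath this MR fixes, or the report is still parsing.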
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Ahmed Hemdan