Design: vulnerability GraphQL resource to access a single vulnerability
Problem to solve
Currently, there is a vulnerabilities GraphQL resource that allows us to access a list of vulnerabilities. This is used on the security dashboard. However, on the standalone vulnerability page, which shows the details of a single vulnerability, we need the ability to access just a single vulnerability. We are currently using REST endpoints for the page, but we would like to transition to GraphQL.
This issue is to add a top-level vulnerability resource so that we can access a single vulnerability through GraphQL.
Intended users
Developer
User experience goal
None, this is a backend change.
Proposal
Add a new entry to ee/app/graphql/ee/types/project_type.rb for vulnerability and a matching resolver.
Add new entries to ee/app/graphql/ee/types/mutation_type.rb for the data modifications that we need:
| ID | Currently-used REST API endpoint | Description |
|---|---|---|
| 1 | POST /root/:project/-/vulnerability_feedback | Used for the "Create Issue" and "Create MR" buttons |
| 2 | POST /api/:version/vulnerabilities/:id/:action | Changes the state of the vulnerability, where :action is either dismiss, confirm, or resolve |
| 3 | GET /root/:project/-/security/vulnerabilities/:id/notes | Retrieves the notes for a vulnerability, where a note is either an audit log entry of a vulnerability's state change, or a user comment for an entry |
| 4 | POST /root/:project/-/security/vulnerabilities/:id/notes | Adds a user comment for an audit log entry |
| 5 | PUT /root/:project/-/security/vulnerabilities/:id/notes | Updates a user comment for an audit log entry |
| 6 | DELETE /root/:project/-/security/vulnerabilities/:id/notes | Deletes a user comment for an audit log entry |
| 7 | GET /root/:project/-/security/vulnerabilities/:id/discussion | Retrieves the discussions for a vulnerability |
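As an added illustration (not GitLab's code), the following plain-Ruby sketch shows the two behaviours a reviewer would check in the proposed resolver and state-change mutation: the single-vulnerability lookup stays scoped to the project and behind a permission check, and the mutation accepts only the three actions listed in row 2. The Struct models, the `allowed` callable standing in for the permission check, and the target state names are assumptions.

```ruby
# Added example, not GitLab's implementation. Struct stand-ins replace the
# ActiveRecord models; `allowed` stands in for GitLab's permission check.
Vulnerability = Struct.new(:id, :project_id, :state, keyword_init: true)

class Project
  attr_reader :id, :vulnerabilities

  def initialize(id:, vulnerabilities:)
    @id = id
    # Only records belonging to this project are reachable through it.
    @vulnerabilities = vulnerabilities.select { |v| v.project_id == id }
  end
end

# Resolver for `project { vulnerability(id:) }`. The lookup runs against the
# project's own collection, so an id from another project never resolves, and
# an unauthorized caller gets nil with no "not found vs. forbidden" signal.
class VulnerabilityResolver
  def initialize(project:, allowed:)
    @project = project
    @allowed = allowed # callable taking the project, returning true/false
  end

  def resolve(id:)
    return nil unless @allowed.call(@project)

    wanted = Integer(id)
    @project.vulnerabilities.find { |v| v.id == wanted }
  end
end

# Mutation counterpart of REST row 2 (POST .../vulnerabilities/:id/:action):
# only the documented actions are accepted. Target state names are assumed.
ACTIONS = {
  "dismiss" => "dismissed",
  "confirm" => "confirmed",
  "resolve" => "resolved"
}.freeze

def change_state(vulnerability, action)
  target = ACTIONS.fetch(action) { raise ArgumentError, "unknown action: #{action}" }
  vulnerability.state = target
  vulnerability
end
```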
Further details
ee/app/helpers/vulnerabilities_helper.rb is a good file to see the data we need. It's not just the vulnerability, but also the finding associated with it, and some data formatting that can only be done on the backend.