Design: vulnerability GraphQL resource to access a single vulnerability
Problem to solve
Currently, there is a `vulnerabilities` GraphQL resource that allows us to access a list of vulnerabilities. This is used on the security dashboard. However, on the standalone vulnerability page, which shows the details of a single vulnerability, we need the ability to access just a single vulnerability. We are currently using REST endpoints for the page, but we would like to transition to GraphQL.
This issue is to add a top-level `vulnerability` resource so that we can access a single vulnerability through GraphQL.
Intended users
Developer
User experience goal
None, this is a backend change.
Proposal
Add a new entry to `ee/app/graphql/ee/types/project_type.rb` for `vulnerability` and a matching resolver.
Add new entries to `ee/app/graphql/ee/types/mutation_type.rb` for the data modifications that we need:
ID | Currently-used REST API endpoint | Description |
---|---|---|
1 | `POST /root/:project/-/vulnerability_feedback` | Used for the "Create Issue" and "Create MR" buttons |
2 | `POST /api/:version/vulnerabilities/:id/:action` | Changes the state of the vulnerability, where `:action` is either `dismiss`, `confirm`, or `resolve` |
3 | `GET /root/:project/-/security/vulnerabilities/:id/notes` | Retrieves the notes for a vulnerability, where a note is either an audit log entry of a vulnerability's state change, or a user comment for an entry |
4 | `POST /root/:project/-/security/vulnerabilities/:id/notes` | Adds a user comment for an audit log entry |
5 | `PUT /root/:project/-/security/vulnerabilities/:id/notes` | Updates a user comment for an audit log entry |
6 | `DELETE /root/:project/-/security/vulnerabilities/:id/notes` | Deletes a user comment for an audit log entry |
7 | `GET /root/:project/-/security/vulnerabilities/:id/discussion` | Retrieves the discussions for a vulnerability |
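As an added illustration (not GitLab's code), the shape a single-vulnerability resolver needs so that the new `vulnerability` field cannot be used to read another project's records: authorise the caller against the parent project, then look the record up only within that project. The `Project`/`Vulnerability` structs, the in-memory data and the `gid://gitlab/Vulnerability/<id>` global-ID format are assumptions for the example.

```ruby
# Added illustration, not GitLab code: a single-vulnerability lookup that
# scopes the record to the parent project and checks the caller's permission,
# so an ID from another project (or an unauthorised caller) yields nil, not data.
require 'set'

Vulnerability = Struct.new(:id, :project_id, :title, :state)
Project       = Struct.new(:id, :full_path, :readers) # readers: Set of user names

# Constructed sample data standing in for the database.
PROJECTS = {
  'root/app'   => Project.new(1, 'root/app',   Set['alice']),
  'root/other' => Project.new(2, 'root/other', Set['bob'])
}
VULNERABILITIES = [
  Vulnerability.new(10, 1, 'SQL injection in search', 'detected'),
  Vulnerability.new(11, 2, 'Outdated dependency',     'confirmed')
]

# GitLab-style global ID, e.g. "gid://gitlab/Vulnerability/10" (format assumed here).
GID_PATTERN = %r{\Agid://gitlab/Vulnerability/(\d+)\z}

def parse_vulnerability_gid(gid)
  m = GID_PATTERN.match(gid.to_s)
  m && m[1].to_i
end

class VulnerabilityResolver
  def initialize(project, current_user)
    @project = project
    @current_user = current_user
  end

  # Mirrors what a `project.vulnerability(id:)` field would have to do:
  # 1. authorise the caller against the *project*, not just the record,
  # 2. look the record up only within that project's vulnerabilities.
  def resolve(id:)
    return nil unless authorized?

    model_id = parse_vulnerability_gid(id)
    return nil if model_id.nil?

    VULNERABILITIES.find { |v| v.project_id == @project.id && v.id == model_id }
  end

  private

  def authorized?
    @project.readers.include?(@current_user)
  end
end
```

With the lookup scoped this way, a valid global ID belonging to `root/other` returns nil when resolved through `root/app`, which is the behaviour a test for the new field should pin down.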
Further details
`ee/app/helpers/vulnerabilities_helper.rb` is a good file to see the data we need. It's not just the `vulnerability`, but also the `finding` associated with it, and some data formatting that can only be done on the backend.