[BE] Add fields to the PipelineSecurityReportFinding GraphQL type
As part of migrating the pipeline security dashboard to GraphQL, we need to add several fields to the `PipelineSecurityReportFinding` type.
Fields currently used when displaying vulnerability details (`ee/app/assets/javascripts/vulnerabilities/components/vulnerability_details.vue`):

- location
- stacktraceSnippet
- scanner
- location
- evidenceSource
- supportingMessages
- request
- response
- description
- title
- severity
- evidence
- links
- identifiers
- assets
- uuid
Current `PipelineSecurityReportFinding` fields:

- confidence
- description
- identifiers
- location
- name
- project
- projectFingerprint
- reportType
- scanner
- severity
- solution
- state
- uuid
Based on that, the following fields are missing:

- stacktraceSnippet
- evidenceSource
- supportingMessages
- request
- response
- title
- evidence
- links
- assets
Related links
Additional info
https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/serializers/vulnerabilities/finding_entity.rb seems to contain all the fields mentioned above, so this file can be used to double-check the list of missing fields.
If possible, make sure to return the same structure as used in https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/helpers/vulnerabilities_helper.rb#L10. This will help us reuse the same logic we have for the vulnerability details page in the frontend.
Implementation Plan
- Create the following new GraphQL types, which are based on the findings from Technical Spike: Define GraphQL schema to support migration for Vulnerability Details:

```graphql
type VulnerabilityEvidence {
  summary: String
  supportingMessages: [VulnerabilityEvidenceSupportingMessage]
  source: VulnerabilityEvidenceSource
  request: [VulnerabilityRequest!]
  response: [VulnerabilityResponse!]
}

type VulnerabilityEvidenceSupportingMessage {
  name: String!
  request: [VulnerabilityRequest]
  response: [VulnerabilityResponse]
}

type VulnerabilityEvidenceSource {
  id: String!
  name: String!
  url: String
}

type VulnerabilityRequestResponseHeader {
  name: String
  value: String
}

type VulnerabilityRequest {
  body: String
  method: String!
  url: String!
  headers: [VulnerabilityRequestResponseHeader!]
}

type VulnerabilityResponse {
  body: String
  statusCode: String!
  reasonPhrase: String!
  headers: [VulnerabilityRequestResponseHeader!]
}

type VulnerabilityAsset {
  type: String!
  name: String!
  url: String!
}

# Check ee/lib/ee/gitlab/ci/parsers/security/validators/schemas/coverage-fuzzing-report-format.json
# for more details
type VulnerabilityLocationCoverageFuzzing {
  crashType: String
  crashAddress: String
  stacktraceSnippet: String
}
```
- Extend `PipelineSecurityReportFindingType` to add the following fields, based on the new types added in step 1:

```graphql
type SecurityReportFinding {
  assets: [VulnerabilityAsset]
  evidence: VulnerabilityEvidence
  title: String # alias for `name`, which will be deprecated
  stacktraceSnippet: VulnerabilityLocationCoverageFuzzing
}
```
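The nullability markers in the two schema fragments above are the part reviewers most often get wrong (for example, `VulnerabilityEvidence.request` is `[VulnerabilityRequest!]`, so a null list item is a violation, while `VulnerabilityEvidenceSupportingMessage.request` is `[VulnerabilityRequest]` and tolerates one). The following is an added example, not GitLab's code and not the graphql-ruby type definitions this issue asks for: a dependency-free Ruby checker that carries the proposed SDL type expressions verbatim and validates a finding hash against them, so the rules of step 1 and step 2 can be exercised on scanner output before the real types are wired up. `SDL_TYPES`, `parse_type`, `validate_value`, `validate_object`, `check_finding` and the sample finding are all hypothetical names and constructed data.

```ruby
# Added example (not GitLab's code): encodes the nullability rules of the
# proposed SDL from this issue and validates a constructed finding hash
# against them. Type expressions are copied verbatim from the SDL.

# Proposed types as Ruby hashes: field name => SDL type expression.
SDL_TYPES = {
  'VulnerabilityEvidence' => {
    'summary'            => 'String',
    'supportingMessages' => '[VulnerabilityEvidenceSupportingMessage]',
    'source'             => 'VulnerabilityEvidenceSource',
    'request'            => '[VulnerabilityRequest!]',
    'response'           => '[VulnerabilityResponse!]'
  },
  'VulnerabilityEvidenceSupportingMessage' => {
    'name' => 'String!', 'request' => '[VulnerabilityRequest]', 'response' => '[VulnerabilityResponse]'
  },
  'VulnerabilityEvidenceSource' => { 'id' => 'String!', 'name' => 'String!', 'url' => 'String' },
  'VulnerabilityRequestResponseHeader' => { 'name' => 'String', 'value' => 'String' },
  'VulnerabilityRequest' => {
    'body' => 'String', 'method' => 'String!', 'url' => 'String!',
    'headers' => '[VulnerabilityRequestResponseHeader!]'
  },
  'VulnerabilityResponse' => {
    'body' => 'String', 'statusCode' => 'String!', 'reasonPhrase' => 'String!',
    'headers' => '[VulnerabilityRequestResponseHeader!]'
  },
  'VulnerabilityAsset' => { 'type' => 'String!', 'name' => 'String!', 'url' => 'String!' },
  'VulnerabilityLocationCoverageFuzzing' => {
    'crashType' => 'String', 'crashAddress' => 'String', 'stacktraceSnippet' => 'String'
  },
  'SecurityReportFinding' => {
    'assets'            => '[VulnerabilityAsset]',
    'evidence'          => 'VulnerabilityEvidence',
    'title'             => 'String',
    'stacktraceSnippet' => 'VulnerabilityLocationCoverageFuzzing'
  }
}.freeze

# Parse an SDL type expression (T, T!, [T], [T!], [T]!, [T!]!) into its parts.
def parse_type(expr)
  non_null = expr.end_with?('!')
  expr = expr.chomp('!')
  if expr.start_with?('[') && expr.end_with?(']')
    inner = expr[1..-2]
    { name: inner.chomp('!'), list: true, non_null: non_null, item_non_null: inner.end_with?('!') }
  else
    { name: expr, list: false, non_null: non_null, item_non_null: false }
  end
end

# Validate `value` against a type expression; returns an array of error strings.
# `path` is a dotted path so a reviewer can locate the offending field.
def validate_value(expr, value, path)
  t = parse_type(expr)
  return (t[:non_null] ? ["#{path}: required #{expr} is missing"] : []) if value.nil?

  if t[:list]
    return ["#{path}: expected a list for #{expr}"] unless value.is_a?(Array)
    item_expr = t[:item_non_null] ? "#{t[:name]}!" : t[:name]
    return value.each_with_index.flat_map { |item, i| validate_value(item_expr, item, "#{path}[#{i}]") }
  end

  return (value.is_a?(String) ? [] : ["#{path}: expected String, got #{value.class}"]) if t[:name] == 'String'

  validate_object(t[:name], value, path)
end

# Validate an object against a named SDL type, rejecting unknown fields too.
def validate_object(type_name, obj, path = type_name)
  fields = SDL_TYPES[type_name]
  return ["#{path}: unknown type #{type_name}"] unless fields
  return ["#{path}: expected object for #{type_name}"] unless obj.is_a?(Hash)

  errors = (obj.keys - fields.keys).map { |k| "#{path}.#{k}: not a field of #{type_name}" }
  fields.each { |field, expr| errors.concat(validate_value(expr, obj[field], "#{path}.#{field}")) }
  errors
end

def check_finding(finding)
  validate_object('SecurityReportFinding', finding)
end

# Constructed sample finding in the shape step 2 proposes (illustrative values only).
SAMPLE_FINDING = {
  'title' => 'Constructed DAST finding',
  'assets' => [{ 'type' => 'http_session', 'name' => 'session', 'url' => 'https://example.invalid/session.har' }],
  'evidence' => {
    'summary' => 'Constructed evidence summary',
    'source' => { 'id' => 'assert:Constructed Check', 'name' => 'Constructed Check', 'url' => nil },
    'request' => [{ 'method' => 'GET', 'url' => 'https://example.invalid/', 'body' => '',
                    'headers' => [{ 'name' => 'Accept', 'value' => 'text/html' }] }],
    'response' => [{ 'statusCode' => '200', 'reasonPhrase' => 'OK', 'body' => '<p>ok</p>',
                     'headers' => [{ 'name' => 'Content-Type', 'value' => 'text/html' }] }],
    'supportingMessages' => [{ 'name' => 'Recorded', 'request' => [], 'response' => [] }]
  },
  'stacktraceSnippet' => nil
}.freeze

if __FILE__ == $PROGRAM_NAME
  errors = check_finding(SAMPLE_FINDING)
  puts(errors.empty? ? 'sample finding matches the proposed schema' : errors)
end
```

Running the file prints whether the constructed finding satisfies the proposed types; feeding it a finding whose response lacks `statusCode`, or whose `evidence.request` contains a null entry, returns the dotted path of the violation instead, which is the check worth running against real report fixtures before the frontend starts relying on these fields being non-null.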