Technical Spike: Define GraphQL schema to support migration for Pipeline Security Tab
Time-box: 3 days
Problem to solve
In order to complete the migration from HAML-data to GraphQL on the vulnerability details page, we need to add a set of fields to the GraphQL schema for the PipelineSecurityReportFinding type.
To speed up the communication process between frontend and backend, the frontend should come up with a schema proposal that captures all missing fields and structures them in a way that will make it easy to migrate the related UI components.
Note: Migration work has already started and is currently behind a feature flag. Run the following command to enable it:

```shell
echo "Feature.enable(:pipeline_security_dashboard_graphql)" | rails c
```
Proposed steps
- Set up a project that contains a setup for apollo-server: https://gitlab.com/dpisek/vulnerability-graphql-mock/-/tree/pipeline-finding
- Configure the local environment to query the mock-server: !76635 (closed)
- Change the pipeline security tab to fetch from the mock endpoint: !76635 (closed)
- Create and experiment with a schema
- Propose fields, queries and mutations for discussion
Desired outcome
- Schema proposal, which can be a base for a discussion with the backend
- Agree on final schema
Outcome
Resources
- MR which configures the details page to fetch from the mock server: !76635 (closed)
- Mock Server: https://gitlab.com/dpisek/vulnerability-graphql-mock
Findings
API Needs
Schema Proposal
```graphql
type VulnerabilityGenericReportCode {
  value: String!
}
type VulnerabilityGenericReportCommit {
  value: String!
}
type VulnerabilityGenericReportDiff {
  before: String!
  after: String!
}
type VulnerabilityGenericReportFileLocation {
  fileName: String!
  # Int rather than Number: GraphQL has no built-in Number scalar
  lineStart: Int!
  lineEnd: Int
}
type VulnerabilityGenericReportMarkDown {
  value: String!
}
type VulnerabilityGenericReportModuleLocation {
  moduleName: String!
  offset: Int!
}
union VulnerabilityGenericReportType = VulnerabilityGenericReportCode | VulnerabilityGenericReportCommit | VulnerabilityGenericReportDiff | VulnerabilityGenericReportFileLocation | VulnerabilityGenericReportList | VulnerabilityGenericReportMarkDown | VulnerabilityGenericReportModuleLocation | VulnerabilityGenericReportNamedListItem | VulnerabilityGenericReportNamedList | VulnerabilityGenericReportTable | VulnerabilityGenericReportUrl | VulnerabilityGenericReportValue
type VulnerabilityGenericReportList {
  items: [VulnerabilityGenericReportType!]!
}
type VulnerabilityGenericReportNamedListItem {
  label: String!
  name: String!
  values: [VulnerabilityGenericReportType!]!
}
type VulnerabilityGenericReportNamedList {
  items: [VulnerabilityGenericReportNamedListItem!]!
}
type VulnerabilityGenericReportTable {
  headers: [VulnerabilityGenericReportType!]!
  # NOTE: rows is a list of lists
  rows: [[VulnerabilityGenericReportType!]!]!
}
type VulnerabilityGenericReportUrl {
  href: String!
}
# Intended as `union VulnerabilityGenericReportValueType = String | Number | Boolean`,
# but GraphQL unions may only contain object types, so the String/Int/Boolean value
# is declared as a custom scalar
scalar VulnerabilityGenericReportValueType
type VulnerabilityGenericReportValue {
  value: VulnerabilityGenericReportValueType!
}
# Not sure how to name all of these types, will need to agree on that 🤔
type VulnerabilityGenericReport {
  code: VulnerabilityGenericReportCode
  commit: VulnerabilityGenericReportCommit
  diff: VulnerabilityGenericReportDiff
  fileLocation: VulnerabilityGenericReportFileLocation
  list: VulnerabilityGenericReportList
  markdown: VulnerabilityGenericReportMarkDown
  moduleLocation: VulnerabilityGenericReportModuleLocation
  namedList: VulnerabilityGenericReportNamedList
  table: VulnerabilityGenericReportTable
  url: VulnerabilityGenericReportUrl
  value: VulnerabilityGenericReportValue
}
type VulnerabilityRequestResponseHeader {
  name: String!
  value: String!
}
type VulnerabilityRequest {
  url: String!
  body: String!
  method: String!
  headers: [VulnerabilityRequestResponseHeader]!
}
type VulnerabilityResponse {
  body: String!
  statusCode: String!
  reasonPhrase: String
  headers: [VulnerabilityRequestResponseHeader]!
}
type VulnerabilityEvidenceSupportingMessage {
  # SupportingMessageType is not defined in this proposal; it must exist in the target schema
  name: SupportingMessageType!
  response: VulnerabilityResponse
}
extend type VulnerabilityLocationCoverageFuzzing {
  crashState: String
}
extend type PipelineSecurityReportFinding {
  descriptionHtml: String!
  request: VulnerabilityRequest
  response: VulnerabilityResponse
  details: VulnerabilityGenericReport
}
```
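As an added example (not code from the spike, the mock server or GitLab), this is the frontend side of the proposal above: a walker that flattens a `details` response shaped like the `VulnerabilityGenericReport` types into display rows, telling union members apart by the `__typename` a GraphQL client receives and recursing through lists, named lists and the list-of-lists table rows. The sample response is constructed; `renderLeaf`, `flattenNode` and `flattenReport` are names chosen here.

```javascript
// Render a leaf member of VulnerabilityGenericReportType as text; null for containers.
function renderLeaf(n) {
  switch (n.__typename) {
    case 'VulnerabilityGenericReportCode': case 'VulnerabilityGenericReportCommit':
    case 'VulnerabilityGenericReportMarkDown': case 'VulnerabilityGenericReportValue':
      return String(n.value);
    case 'VulnerabilityGenericReportUrl': return n.href;
    case 'VulnerabilityGenericReportDiff': return `-${n.before} +${n.after}`;
    case 'VulnerabilityGenericReportFileLocation':
      return `${n.fileName}:${n.lineStart}` + (n.lineEnd == null ? '' : `-${n.lineEnd}`);
    case 'VulnerabilityGenericReportModuleLocation': return `${n.moduleName}+0x${n.offset.toString(16)}`;
    default: return null;
  }
}
// Recurse into List, NamedList and Table (rows is a list of lists), collecting { path, text }.
function flattenNode(n, path, rows) {
  const leaf = renderLeaf(n);
  if (leaf !== null) { rows.push({ path, text: leaf }); return rows; }
  if (n.__typename === 'VulnerabilityGenericReportList') {
    n.items.forEach((item, i) => flattenNode(item, `${path}[${i}]`, rows));
  } else if (n.__typename === 'VulnerabilityGenericReportNamedList') {
    n.items.forEach((item) => item.values.forEach((v, i) => flattenNode(v, `${path}.${item.name}[${i}]`, rows)));
  } else if (n.__typename === 'VulnerabilityGenericReportTable') {
    n.rows.forEach((row, r) => row.forEach((cell, c) =>
      flattenNode(cell, `${path}[${r}].${(n.headers[c] && renderLeaf(n.headers[c])) || c}`, rows)));
  } else {
    throw new Error(`unknown report node type: ${n.__typename}`);
  }
  return rows;
}
// VulnerabilityGenericReport has one optional field per member type; walk the ones present.
function flattenReport(report) {
  const rows = [];
  for (const [key, n] of Object.entries(report)) {
    if (key !== '__typename' && n != null) flattenNode(n, key, rows);
  }
  return rows;
}
// Constructed sample of PipelineSecurityReportFinding.details (not real GitLab data).
const SAMPLE_DETAILS = {
  __typename: 'VulnerabilityGenericReport',
  fileLocation: { __typename: 'VulnerabilityGenericReportFileLocation', fileName: 'src/auth.js', lineStart: 12, lineEnd: 14 },
  namedList: { __typename: 'VulnerabilityGenericReportNamedList', items: [
    { __typename: 'VulnerabilityGenericReportNamedListItem', label: 'Assets', name: 'assets', values: [
      { __typename: 'VulnerabilityGenericReportUrl', href: 'https://example.invalid/asset' },
      { __typename: 'VulnerabilityGenericReportList',
        items: [{ __typename: 'VulnerabilityGenericReportValue', value: 42 }] } ] } ] },
  table: { __typename: 'VulnerabilityGenericReportTable',
    headers: [{ __typename: 'VulnerabilityGenericReportValue', value: 'cwe' }],
    rows: [[{ __typename: 'VulnerabilityGenericReportCode', value: 'CWE-79' }]] },
};
```

`flattenReport(SAMPLE_DETAILS)` yields four rows whose paths (`fileLocation`, `namedList.assets[0]`, `namedList.assets[1][0]`, `table[0].cwe`) show where each value sits in the nested structure.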
Types
| type | field(s) | added or changed | description | current issue |
|---|---|---|---|---|
| PipelineSecurityReportFinding | `discussions` | fields added | new field, should be the same as on the Vulnerability type (extending the NoteableInterface) | Add `discussions` field to `PipelineSecurityRep... (#360621 - closed) |
| VulnerabilityEvidence | `summary: String`<br>`supportingMessages: [VulnerabilityEvidenceSupportingMessage!]`<br>`source: VulnerabilityEvidenceSource`<br>`request: [VulnerabilityRequest!]`<br>`response: [VulnerabilityResponse!]` | type added | new evidence type | Add GraphQL fields to support migration for Vul... (#356352) |
| VulnerabilityEvidenceSupportingMessage | `name: VulnerabilityEvidenceSupportingMessageName!`<br>`request: [VulnerabilityRequest!]`<br>`response: [VulnerabilityResponse!]` | type added | new evidence supporting message type | Add GraphQL fields to support migration for Vul... (#356352) |
| VulnerabilityEvidenceSource | `id: ID!`<br>`name: String`<br>`url: String` | type added | new evidence source type | Add GraphQL fields to support migration for Vul... (#356352) |
| VulnerabilityRequestResponseHeader | `name: String`<br>`value: String` | type added | new request/response header type | Add GraphQL fields to support migration for Vul... (#356352) |
| VulnerabilityRequest | `body: String`<br>`method: String`<br>`url: String`<br>`headers: [VulnerabilityRequestResponseHeader!]` | type added | new request type | Add GraphQL fields to support migration for Vul... (#356352) |
| VulnerabilityResponse | `body: String`<br>`statusCode: String`<br>`reasonPhrase: String`<br>`headers: [VulnerabilityRequestResponseHeader!]` | type added | new response type | Add GraphQL fields to support migration for Vul... (#356352) |
| VulnerabilityAsset | `name: String`<br>`url: String` | type added | new asset type | Add GraphQL fields to support migration for Vul... (#356352) |
| VulnerabilityRemediation | `diff: [String!]` | type added | new remediation type | Add GraphQL fields to support migration for Vul... (#356352) |
| VulnerabilityLocationCoverageFuzzing | `crashType: String`<br>`crashAddress: String`<br>`stacktraceSnippet: String` | fields added | new location coverage fuzzing fields | Add GraphQL fields to support migration for Vul... (#356352) |
| VulnerabilityScanner | `url: String`<br>`version: String` | fields added | new scanner fields | Add GraphQL fields to support migration for Vul... (#356352) |
| Vulnerability | `assets: [VulnerabilityAsset!]`<br>`canModifyRelatedIssues: Boolean!`<br>`createdAt: Time`<br>`evidence: VulnerabilityEvidence`<br>`pipeline: Pipeline`<br>`relatedIssuesHelpPath: String`<br>`remediations: [VulnerabilityRemediation!]`<br>`solution: String` | fields added | new vulnerability fields | Add GraphQL fields to support migration for Vul... (#356352) |
Queries
| query | field(s) | added or changed | description | issue |
|---|---|---|---|---|
Mutations
| mutation | field(s) | added or changed | description | issue |
|---|---|---|---|---|
Edited by David Pisek