
Backend: Add hasMergeRequest filter to VulnerabilityReport

Why are we doing this work

This is the backend issue to add support for a hasMergeRequest: boolean parameter on the vulnerabilities query:

query {
  project(fullPath: "gitlab-org/gitlab") {
    vulnerabilities(reportType:DEPENDENCY_SCANNING, hasMergeRequest: true) {
      nodes {
        ...
      }
    }
  }
}

Relevant links

Non-functional requirements

  • Documentation: Update GraphQL docs
  • Performance: Need to see how this would affect the performance of vulnerability_reads
  • Testing: New tests will need to be added
  • E2E testing: Make sure e2e: package-and-test is run and govern specs are green

Implementation plan

This issue is going to require multiple MRs (pending some discussion with the backend team on vulnerability_reads usage):

  • database MR 1: Add has_merge_request column to vulnerability_reads table
  • database MR 2: Update trigger in database for has_merge_request field
    • Use the has_issues trigger as an example for this
  • database MR 3: Backfill has_merge_request column with background migration

database implementations are tracked in #420613 (closed) and #421736 (closed)

  • backend MR 4: Add has_merge_request relation to Vulnerabilities::Read model
  • backend MR 5: Add has_merge_request filter to VulnerabilityReadsFinder
  • backend MR 6: Add hasMergeRequest field and argument to vulnerabilities query

backend implementations are tracked in this issue.

Once MR 1 is completed, MR groups 2/3 and 4/5/6 can be done in parallel
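
The plan above, as an added example that is not GitLab's migration code: a denormalized has_merge_request flag kept in sync by triggers (MR 2), a backfill for links that predate the triggers (MR 3), and the finder-style filter (MR 5). It uses SQLite with a hypothetical simplified schema; the merge_request_links table, the trigger names and filter_reads are assumptions, and the sample rows are constructed.

```python
import sqlite3

# Hypothetical, simplified schema; table and trigger names are assumptions.
SCHEMA = """
CREATE TABLE vulnerability_reads (
  vulnerability_id  INTEGER PRIMARY KEY,
  has_merge_request INTEGER NOT NULL DEFAULT 0);
CREATE TABLE merge_request_links (
  vulnerability_id INTEGER NOT NULL, merge_request_id INTEGER NOT NULL);
"""
# MR 2: on delete, recompute from the remaining links instead of clearing the
# flag, because a vulnerability can be linked to more than one merge request.
TRIGGERS = """
CREATE TRIGGER link_added AFTER INSERT ON merge_request_links BEGIN
  UPDATE vulnerability_reads SET has_merge_request = 1
  WHERE vulnerability_id = NEW.vulnerability_id;
END;
CREATE TRIGGER link_removed AFTER DELETE ON merge_request_links BEGIN
  UPDATE vulnerability_reads SET has_merge_request = EXISTS (
    SELECT 1 FROM merge_request_links l
    WHERE l.vulnerability_id = OLD.vulnerability_id)
  WHERE vulnerability_id = OLD.vulnerability_id;
END;
"""
# MR 3: rows linked before the triggers existed are only fixed by a backfill.
BACKFILL = """
UPDATE vulnerability_reads SET has_merge_request = EXISTS (
  SELECT 1 FROM merge_request_links l
  WHERE l.vulnerability_id = vulnerability_reads.vulnerability_id);
"""

def filter_reads(db, has_merge_request):
    """MR 5 analogue: filter on the flag only, with no join to the link table."""
    rows = db.execute("SELECT vulnerability_id FROM vulnerability_reads "
                      "WHERE has_merge_request = ? ORDER BY vulnerability_id",
                      (int(has_merge_request),))
    return [r[0] for r in rows]

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO vulnerability_reads (vulnerability_id) VALUES (?)",
                   [(1,), (2,), (3,)])                       # constructed data
    db.execute("INSERT INTO merge_request_links VALUES (1, 100)")  # pre-trigger link
    stale = filter_reads(db, True)             # flag not yet populated
    db.executescript(TRIGGERS)
    db.executescript(BACKFILL)
    backfilled = filter_reads(db, True)
    db.executemany("INSERT INTO merge_request_links VALUES (?, ?)", [(2, 101), (2, 102)])
    db.execute("DELETE FROM merge_request_links WHERE merge_request_id = 101")
    one_left = filter_reads(db, True)          # vulnerability 2 still has MR 102
    db.execute("DELETE FROM merge_request_links WHERE merge_request_id = 102")
    return stale, backfilled, one_left, filter_reads(db, True)
```

Until the backfill has run, the filter under-reports vulnerabilities whose merge request link predates the triggers, which is why the plan treats the trigger and the backfill as one group.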

Verification steps

  1. Import project https://gitlab.com/gitlab-org/govern/threat-insights-demos/verify-390076 into your group on gitlab.com which has EE features enabled.
  2. After import, go to build -> pipelines -> Run pipeline. Start a pipeline and wait for the job to complete.
  3. After the pipeline job completes, open the secure tab on the pipeline job page, click on the first vulnerability and, in the popup, click the resolve with merge request button.
  4. This should create an MR. Now go to GraphiQL and run the following query. The example full path where we verified the query is gitlab-org/govern/threat-insights-demos/personal-test-projects/verify-371313-bala

query {
  project(fullPath: "gitlab-org/govern/threat-insights-demos/personal-test-projects/verify-371313-bala") {
    name
    vulnerabilities(hasMergeRequest: true) {
      nodes {
        id
        title
        description
        mergeRequest {
          id
        }
      }
    }
  }
}

The query should return the vulnerability that has a merge request present, with its details, like below:

{
  "data": {
    "project": {
      "name": "Verify 371313 Bala",
      "vulnerabilities": {
        "nodes": [
          {
            "id": "gid://gitlab/Vulnerability/94854340",
            "title": "Test CVE identifier in README.md",
            "description": "Test vulnerability description",
            "mergeRequest": {
              "id": "gid://gitlab/MergeRequest/252323054"
            }
          }
        ]
      }
    }
  }
}
Edited by Bala Kumar