Add dismissal data to PipelineSecurityReportFinding
Why are we doing this work
We want to add dismissal data to the PipelineSecurityReportFinding GraphQL type for use in the new security finding modals. These will be fields directly in the type, similar to the Vulnerability fields:
- dismissedAt: Time
- dismissedBy: UserCore
- dismissalReason: VulnerabilityDismissalReason
- dismissalComment: String
Example of new query:

    query {
      project(fullPath: "<project path>") {
        pipeline(iid: "<pipeline iid>") {
          securityReportFinding(uuid: "<uuid>") {
            dismissedAt
            dismissedBy {
              name
            }
            dismissalReason
            dismissalComment
          }
        }
      }
    }
Sample Response (for the single-finding query above; the enum value is serialised as a JSON string):

    {
      "data": {
        "project": {
          "pipeline": {
            "securityReportFinding": {
              "dismissedAt": "2023-01-11T19:21:13Z",
              "dismissedBy": {
                "name": "Billy Madison"
              },
              "dismissalReason": "ACCEPTABLE_RISK",
              "dismissalComment": "I don't care about my data"
            }
          }
        }
      }
    }
Relevant links
Non-functional requirements
- Documentation: Update the GraphQL docs
- Testing: Add appropriate GraphQL query specs in https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/spec/graphql/types/pipeline_security_report_finding_type_spec.rb
  - Test all fields
  - Test for null comment
  - Test for null dismissal reason
  - Test for no dismissal
Implementation plan
- MR 1: Add fields to PipelineSecurityReportFindingType
Verification steps
Test query on dismissed security findings:

    query {
      project(fullPath: "<project path>") {
        pipeline(iid: "<pipeline iid>") {
          securityReportFindings(state: [DISMISSED]) {
            uuid
            dismissedAt
            dismissedBy {
              name
            }
            dismissalReason
            dismissalComment
          }
        }
      }
    }
Test query on non-dismissed security findings:

    query {
      project(fullPath: "<project path>") {
        pipeline(iid: "<pipeline iid>") {
          securityReportFindings(state: [DETECTED]) {
            uuid
            dismissedAt
            dismissedBy {
              name
            }
            dismissalReason
            dismissalComment
          }
        }
      }
    }
Test query on a dismissed security finding and a non-dismissed security finding (use previous queries for examples):

    query {
      project(fullPath: "<project path>") {
        pipeline(iid: "<pipeline iid>") {
          securityReportFinding(uuid: "<uuid>") {
            dismissedAt
            dismissedBy {
              name
            }
            dismissalReason
            dismissalComment
          }
        }
      }
    }
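The following is an added illustration, not GitLab's own code: a small Ruby model of how the four dismissal fields can be resolved from a finding's optional dismissal record, covering the null-comment, null-reason and not-dismissed cases the spec has to test, plus the DISMISSED/DETECTED state filter used in the verification queries. The `Dismissal`/`Finding` structs, the `FindingDismissalFields` module and the rule that a finding is DISMISSED exactly when it has a dismissal record are assumptions for this example.

```ruby
# Added example (not GitLab's code). Names and the state rule are hypothetical.
require 'time'

Dismissal = Struct.new(:dismissed_at, :dismissed_by, :reason, :comment, keyword_init: true)
Finding   = Struct.new(:uuid, :dismissal, keyword_init: true)

module FindingDismissalFields
  module_function

  # Assumed: a finding with a dismissal record is DISMISSED, otherwise DETECTED.
  def state(finding)
    finding.dismissal ? 'DISMISSED' : 'DETECTED'
  end

  # Mirrors securityReportFindings(state: [...]) from the verification queries.
  def filter_by_state(findings, states)
    findings.select { |f| states.include?(state(f)) }
  end

  # Every field is nil when there is no dismissal. Reason and comment can also be
  # nil on a dismissed finding, which is why the spec must cover those cases.
  def to_graphql(finding)
    d = finding.dismissal
    {
      'uuid'             => finding.uuid,
      'dismissedAt'      => d&.dismissed_at&.utc&.iso8601,            # Time scalar
      'dismissedBy'      => d&.dismissed_by && { 'name' => d.dismissed_by },
      'dismissalReason'  => d&.reason&.to_s&.upcase,                  # enum as string
      'dismissalComment' => d&.comment
    }
  end
end

# Constructed sample data: full dismissal, dismissal with null reason/comment, not dismissed.
SAMPLE_FINDINGS = [
  Finding.new(uuid: 'f-1', dismissal: Dismissal.new(
    dismissed_at: Time.utc(2023, 1, 11, 19, 21, 13), dismissed_by: 'Billy Madison',
    reason: :acceptable_risk, comment: "I don't care about my data")),
  Finding.new(uuid: 'f-2', dismissal: Dismissal.new(
    dismissed_at: Time.utc(2023, 1, 12, 8, 0, 0), dismissed_by: 'Reviewer',
    reason: nil, comment: nil)),
  Finding.new(uuid: 'f-3', dismissal: nil)
].freeze

if __FILE__ == $PROGRAM_NAME
  FindingDismissalFields.filter_by_state(SAMPLE_FINDINGS, ['DISMISSED']).each do |f|
    puts FindingDismissalFields.to_graphql(f)
  end
end
```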
Edited by Jonathan Schafer