
Add dismissal data to PipelineSecurityReportFinding

Why are we doing this work

We want to add dismissal data to the PipelineSecurityReportFinding GraphQL type for use in the new security finding modals. These will be fields directly on the type, mirroring the same-named fields on the Vulnerability type:

  • dismissedAt : Time
  • dismissedBy : UserCore
  • dismissalReason : VulnerabilityDismissalReason
  • dismissalComment : String

Example of new query:

query {
  project(fullPath:"<project path>") {
    pipeline(iid:"<pipeline iid>") {
      securityReportFinding(uuid:"<uuid>") {
        dismissedAt
        dismissedBy {
          name
        }
        dismissalReason
        dismissalComment
      }
    }
  }
}

Sample response (for the single-finding query above; enum values are returned as strings):

{
  "data": {
    "project": {
      "pipeline": {
        "securityReportFinding": {
          "dismissedAt": "2023-01-11T19:21:13Z",
          "dismissedBy": {
            "name": "Billy Madison"
          },
          "dismissalReason": "ACCEPTABLE_RISK",
          "dismissalComment": "I don't care about my data"
        }
      }
    }
  }
}

Relevant links

Non-functional requirements

Implementation plan

Verification steps

Test query on dismissed security findings (securityReportFindings returns a connection, so the fields are selected through nodes):

query {
  project(fullPath:"<project path>") {
    pipeline(iid:"<pipeline iid>") {
      securityReportFindings(state: [DISMISSED]) {
        nodes {
          uuid
          dismissedAt
          dismissedBy {
            name
          }
          dismissalReason
          dismissalComment
        }
      }
    }
  }
}

Test query on non-dismissed security findings (all four dismissal fields should come back null):

query {
  project(fullPath:"<project path>") {
    pipeline(iid:"<pipeline iid>") {
      securityReportFindings(state: [DETECTED]) {
        nodes {
          uuid
          dismissedAt
          dismissedBy {
            name
          }
          dismissalReason
          dismissalComment
        }
      }
    }
  }
}

Test the single-finding query on one dismissed and one non-dismissed finding, using uuid values returned by the two queries above:

query {
  project(fullPath:"<project path>") {
    pipeline(iid:"<pipeline iid>") {
      securityReportFinding(uuid:"<uuid>") {
        dismissedAt
        dismissedBy {
          name
        }
        dismissalReason
        dismissalComment
      }
    }
  }
}
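The verification steps above are manual. The script below is an added example (not GitLab code and not part of this issue) that runs the findings query against a GitLab instance and checks the invariants a reviewer would want: DISMISSED findings carry a parseable dismissedAt, a dismissedBy user and, when present, a dismissalReason from the VulnerabilityDismissalReason enum; DETECTED findings return null for all four fields. The enum values, the host, the token and the sample finding nodes are assumptions constructed for the example; the network helper is kept separate so the checks can run offline on captured responses.

```python
"""Check dismissal fields returned for PipelineSecurityReportFinding.

Added example for the verification steps; not GitLab's own code.
Host, token and the VulnerabilityDismissalReason values below are assumptions.
"""
import json
import urllib.request
from datetime import datetime

# Assumed enum values for VulnerabilityDismissalReason.
DISMISSAL_REASONS = {
    "ACCEPTABLE_RISK", "FALSE_POSITIVE", "MITIGATING_CONTROL",
    "USED_IN_TESTS", "NOT_APPLICABLE",
}
DISMISSAL_FIELDS = ("dismissedAt", "dismissedBy", "dismissalReason", "dismissalComment")

FINDINGS_QUERY = """
query($fullPath: ID!, $iid: ID!, $state: [VulnerabilityState!]) {
  project(fullPath: $fullPath) {
    pipeline(iid: $iid) {
      securityReportFindings(state: $state) {
        nodes { uuid dismissedAt dismissedBy { name } dismissalReason dismissalComment }
      }
    }
  }
}
"""


def fetch_findings(host, token, full_path, iid, state):
    """POST the query to <host>/api/graphql and return the finding nodes (network call)."""
    body = json.dumps({
        "query": FINDINGS_QUERY,
        "variables": {"fullPath": full_path, "iid": str(iid), "state": [state]},
    }).encode()
    req = urllib.request.Request(
        f"https://{host}/api/graphql", data=body,
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        payload = json.load(resp)
    if payload.get("errors"):
        raise RuntimeError(payload["errors"])
    return payload["data"]["project"]["pipeline"]["securityReportFindings"]["nodes"]


def check_finding(node, dismissed):
    """Return the list of problems for one finding node; empty when consistent."""
    problems = []
    if dismissed:
        if not node.get("dismissedAt"):
            problems.append("dismissedAt missing")
        else:
            try:  # GraphQL Time is ISO 8601; fromisoformat needs +00:00 rather than Z
                datetime.fromisoformat(node["dismissedAt"].replace("Z", "+00:00"))
            except ValueError:
                problems.append(f"dismissedAt not ISO 8601: {node['dismissedAt']!r}")
        if not (node.get("dismissedBy") or {}).get("name"):
            problems.append("dismissedBy.name missing")
        reason = node.get("dismissalReason")
        if reason is not None and reason not in DISMISSAL_REASONS:
            problems.append(f"unknown dismissalReason {reason!r}")
    else:
        # A non-dismissed finding must not expose any dismissal data.
        for field in DISMISSAL_FIELDS:
            if node.get(field) is not None:
                problems.append(f"{field} set on a non-dismissed finding: {node[field]!r}")
    return problems


def check_findings(nodes, dismissed):
    """Map uuid -> problems for every finding that fails the checks."""
    return {n["uuid"]: p for n in nodes if (p := check_finding(n, dismissed))}


# Constructed sample nodes (not captured from a real instance).
SAMPLE_DISMISSED = [
    {"uuid": "finding-a", "dismissedAt": "2023-01-11T19:21:13Z",
     "dismissedBy": {"name": "Billy Madison"}, "dismissalReason": "ACCEPTABLE_RISK",
     "dismissalComment": "I don't care about my data"},
    {"uuid": "finding-b", "dismissedAt": None, "dismissedBy": None,
     "dismissalReason": None, "dismissalComment": None},  # dismissed but no data: bug
]
SAMPLE_DETECTED = [
    {"uuid": "finding-c", "dismissedAt": None, "dismissedBy": None,
     "dismissalReason": None, "dismissalComment": None},
    {"uuid": "finding-d", "dismissedAt": "2023-01-11T19:21:13Z",
     "dismissedBy": {"name": "Billy Madison"}, "dismissalReason": None,
     "dismissalComment": None},  # open finding leaking dismissal data: bug
]

if __name__ == "__main__":
    print(check_findings(SAMPLE_DISMISSED, dismissed=True))
    print(check_findings(SAMPLE_DETECTED, dismissed=False))
```

To run it against a real pipeline, replace the sample lists with `fetch_findings("gitlab.example.com", token, "<project path>", "<pipeline iid>", "DISMISSED")` and the DETECTED equivalent; an empty dict from both checks means the new fields behave as the verification steps expect.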
Edited by Jonathan Schafer