Create new graphql field to represent code quality reports in MergeRequestType
Overview
As part of the work to display SAST and Code Quality findings in the merge request diff view (see parent epic), we have to update the GraphQL `FindingReportsComparerResolver` resolver to include code quality reports. The `findingReportsComparer` field, however, doesn't allow specifying `CodeQuality` as a `report_type`, because the underlying implementation resolves those reports via the `Security::MergeRequestSecurityReportGenerationService` service class, which doesn't include code quality reports. This is because `code_quality` reports have a slightly different format than the other security reports generated by that service class.
Proposal
To ensure Code Quality reports can be queried via the same GraphQL query, we have to create a new field similar to `findingReportsComparer`. The new field, let's say it is called `codequalityReportsComparer`, would need to:

- Have a new resolver to retrieve code quality degradations of a given merge request. This can be achieved by calling the `MergeRequest#compare_codequality_reports` method.
- Have a corresponding type, similar to the existing `CodequalityReportsComparerEntity` entity. We may need to create some GraphQL types and entities for that structure (if they don't exist already).
- Be added behind the `sast_reports_in_inline_diff` feature flag.
- Be marked as an alpha field.
Please see the diagram below for an overview of the overall setup:
```mermaid
flowchart TB
  T["EE::Types::MergeRequestType / Types::MergeRequestType"]
  A[findingReportsComparer]
  Z[codequalityReportsComparer]
  Y[CodequalityReportsComparerResolver]
  B[FindingReportsComparerResolver]
  T-->A
  T-->Z
  A-->B
  Z-->Y
  C[MergeRequestSecurityReportGenerationService]
  D[MergeRequest#compare_codequality_reports]
  B-->C
  Y-->D
  E[CompareCodequalityReportsService]
  F[CompareSecurityReportsService]
  D-->E
  C-->F
```
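As an added example (not GitLab's code), the right-hand branch of the diagram and the proposal's bullet list can be sketched in plain Ruby without the `graphql` gem: a feature-flag-gated resolver delegating to `MergeRequest#compare_codequality_reports`, which hands base and head degradations to a comparer that diffs them by fingerprint. The `FEATURE_FLAGS` store, the `Degradation` struct, the `MergeRequest` stand-in, the `status`/`summary` semantics and the sample data are all assumptions made for this sketch.

```ruby
# Added example, not GitLab's code: a plain-Ruby sketch of the proposed chain
# MergeRequestType.codequalityReportsComparer -> CodequalityReportsComparerResolver
# -> MergeRequest#compare_codequality_reports -> comparer. The flag store, the
# Degradation struct and the status/summary semantics are assumptions.
require 'json'

# Stand-in for Feature.enabled?(:sast_reports_in_inline_diff, project).
FEATURE_FLAGS = { sast_reports_in_inline_diff: true }

def feature_enabled?(flag)
  FEATURE_FLAGS.fetch(flag, false)
end

# One Code Climate style degradation from a codequality artifact. The fingerprint
# is the stable identity used to match findings across the base and head reports.
Degradation = Struct.new(:fingerprint, :description, :severity, :file_path,
                         :line, :engine_name, keyword_init: true)

# Diffs two degradation lists by fingerprint, the role CompareCodequalityReportsService
# plays in the diagram: only in head => new, only in base => resolved, in both =>
# existing (the head copy is reported, so a moved line still counts as existing).
class CodequalityReportsComparer
  SEVERITY_ORDER = %w[blocker critical major minor info unknown].freeze

  def initialize(base_degradations, head_degradations)
    @base = index(base_degradations)
    @head = index(head_degradations)
  end

  def new_errors
    sorted(@head.reject { |fp, _| @base.key?(fp) }.values)
  end

  def resolved_errors
    sorted(@base.reject { |fp, _| @head.key?(fp) }.values)
  end

  def existing_errors
    sorted(@head.select { |fp, _| @base.key?(fp) }.values)
  end

  # Assumed: the comparison fails as soon as the MR introduces any new degradation.
  def status
    new_errors.empty? ? 'success' : 'failed'
  end

  # Assumed summary semantics: total = degradations in head, resolved = fixed by
  # the MR, errors = newly introduced by the MR.
  def summary
    { total_count: @head.size, resolved_count: resolved_errors.size, errors_count: new_errors.size }
  end

  # Shape of the proposed codequalityReportsComparer.report payload (snake_case
  # here; the GraphQL layer camelCases it).
  def to_h
    {
      status: status,
      new_errors: new_errors.map(&:to_h),
      resolved_errors: resolved_errors.map(&:to_h),
      existing_errors: existing_errors.map(&:to_h),
      summary: summary
    }
  end

  private

  def index(degradations)
    degradations.each_with_object({}) { |d, h| h[d.fingerprint] = d }
  end

  # Worst severity first, then file and line, so the diff view shows blockers on top.
  def sorted(degradations)
    degradations.sort_by do |d|
      [SEVERITY_ORDER.index(d.severity) || SEVERITY_ORDER.size, d.file_path, d.line]
    end
  end
end

# Stand-in for the ActiveRecord model; in GitLab the two lists come from the base
# and head pipelines' codequality artifacts.
MergeRequest = Struct.new(:iid, :base_degradations, :head_degradations, keyword_init: true) do
  def compare_codequality_reports
    CodequalityReportsComparer.new(base_degradations, head_degradations)
  end
end

# The proposed resolver: the field resolves to null while the flag is off,
# otherwise it delegates to MergeRequest#compare_codequality_reports.
class CodequalityReportsComparerResolver
  def self.resolve(merge_request)
    return nil unless feature_enabled?(:sast_reports_in_inline_diff)

    merge_request.compare_codequality_reports.to_h
  end
end

# Constructed sample: base has a1 and b2; head keeps a1 (line moved), drops b2, adds c3.
SAMPLE_MR = MergeRequest.new(
  iid: 1,
  base_degradations: [
    Degradation.new(fingerprint: 'a1', description: 'Method too long', severity: 'major',
                    file_path: 'app/models/user.rb', line: 10, engine_name: 'rubocop'),
    Degradation.new(fingerprint: 'b2', description: 'Unused variable', severity: 'minor',
                    file_path: 'lib/report.rb', line: 3, engine_name: 'rubocop')
  ],
  head_degradations: [
    Degradation.new(fingerprint: 'a1', description: 'Method too long', severity: 'major',
                    file_path: 'app/models/user.rb', line: 12, engine_name: 'rubocop'),
    Degradation.new(fingerprint: 'c3', description: 'Possible SQL injection', severity: 'critical',
                    file_path: 'app/models/user.rb', line: 40, engine_name: 'brakeman')
  ]
)

puts JSON.pretty_generate(CodequalityReportsComparerResolver.resolve(SAMPLE_MR)) if $PROGRAM_NAME == __FILE__
```

Matching by fingerprint rather than by file and line is what lets the comparer report `a1` as existing even though its line moved from 10 to 12; a comparer keyed on location would wrongly show it as one resolved and one new degradation.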
The goal here is to ensure both `sast` and `code_quality` reports can be queried as follows:
```graphql
query getMRSecurityReport {
  project(fullPath: "gitlab-org/govern/threat-insights-demos/frontend/security-reports") {
    mergeRequest(iid: "1") {
      title
      hasSecurityReports
      codequalityReportsComparer {
        report {
          status
          newErrors {
            description
            severity
            filePath
            line
            webUrl
            engineName
          }
          resolvedErrors {
            description
            severity
            filePath
            line
            webUrl
            engineName
          }
          existingErrors {
            description
            severity
            filePath
            line
            webUrl
            engineName
          }
          summary {
            totalCount
            resolvedCount
            errorsCount
          }
        }
      }
      sastReport: findingReportsComparer(reportType: SAST) {
        status
        report {
          headReportCreatedAt
          baseReportCreatedAt
          baseReportOutOfDate
          added {
            uuid
            title
            description
            state
            severity
            foundByPipelineIid
            location {
              ... on VulnerabilityLocationSast {
                file
                startLine
                endLine
                vulnerableClass
                vulnerableMethod
                blobPath
              }
            }
            identifiers {
              name
              externalType
              externalId
              url
            }
          }
          fixed {
            uuid
            title
            description
            state
            severity
            foundByPipelineIid
            location {
              ... on VulnerabilityLocationSast {
                file
                startLine
                endLine
                vulnerableClass
                vulnerableMethod
                blobPath
              }
            }
            identifiers {
              name
              externalType
              externalId
              url
            }
          }
        }
      }
    }
  }
}
```

Note that `identifiers` is a list of objects (`VulnerabilityIdentifier`), so it needs a sub-selection; a bare `identifiers` is rejected by GraphQL validation.
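As an added example (not GitLab's code), this is how a diff-view client could consume the response of the query above: the code quality `newErrors` and the SAST `added` findings are folded into one per-file, per-line annotation list, and the `baseReportOutOfDate` flag and a null `codequalityReportsComparer` (flag off) are surfaced as warnings instead of being silently ignored. The `GITLAB_GRAPHQL_URL`/`GITLAB_TOKEN` environment variables and the sample payload are constructed assumptions; `post_graphql` is not called, so the example runs offline.

```ruby
# Added example, not GitLab's code: consumes the response of the query above and
# folds code quality newErrors and SAST added findings into per-file annotations.
# Env vars and the sample payload are constructed assumptions.
require 'json'
require 'net/http'
require 'uri'

# Sends the query to a GitLab GraphQL endpoint with a bearer token. Not called
# below, so the example runs offline against SAMPLE_RESPONSE.
def post_graphql(query, endpoint: ENV.fetch('GITLAB_GRAPHQL_URL', 'https://gitlab.com/api/graphql'),
                 token: ENV.fetch('GITLAB_TOKEN'))
  uri = URI(endpoint)
  request = Net::HTTP::Post.new(uri, 'Content-Type' => 'application/json',
                                     'Authorization' => "Bearer #{token}")
  request.body = JSON.generate(query: query)
  response = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |http| http.request(request) }
  raise "GraphQL HTTP #{response.code}" unless response.is_a?(Net::HTTPSuccess)

  JSON.parse(response.body)
end

Annotations = Struct.new(:by_file, :warnings)

# Returns { "path" => [{ line:, source:, severity:, text: }, ...] } sorted by line,
# plus warnings for anything the diff view should flag rather than hide.
def inline_annotations(response)
  mr = response.dig('data', 'project', 'mergeRequest')
  return Annotations.new({}, ['merge request not found in response']) unless mr

  by_file = Hash.new { |h, k| h[k] = [] }
  warnings = []

  cq = mr.dig('codequalityReportsComparer', 'report')
  if cq.nil?
    warnings << 'codequalityReportsComparer is null (feature flag off or no reports)'
  else
    Array(cq['newErrors']).each do |err|
      by_file[err['filePath']] << { line: err['line'].to_i, source: 'codequality',
                                    severity: err['severity'].to_s.downcase, text: err['description'] }
    end
  end

  sast = mr.dig('sastReport', 'report')
  if sast.nil?
    warnings << "SAST comparison not available (status: #{mr.dig('sastReport', 'status')})"
  else
    # A stale base report means "added" may contain findings that predate the MR.
    warnings << 'SAST base report is out of date; added findings may be pre-existing' if sast['baseReportOutOfDate']
    Array(sast['added']).each do |finding|
      loc = finding['location'] || {}
      next unless loc['file'] # only the VulnerabilityLocationSast fragment carries file/startLine

      by_file[loc['file']] << { line: loc['startLine'].to_i, source: 'sast',
                                severity: finding['severity'].to_s.downcase, text: finding['title'] }
    end
  end

  by_file.each_value { |list| list.sort_by! { |a| [a[:line], a[:source]] } }
  Annotations.new(by_file, warnings)
end

# Constructed response in the shape the query above returns.
SAMPLE_RESPONSE = JSON.parse(<<~JSON)
  { "data": { "project": { "mergeRequest": {
    "title": "Add user search", "hasSecurityReports": true,
    "codequalityReportsComparer": { "report": {
      "status": "failed",
      "newErrors": [
        { "description": "Possible SQL injection", "severity": "critical",
          "filePath": "app/models/user.rb", "line": 40, "webUrl": null, "engineName": "brakeman" },
        { "description": "Unused variable", "severity": "minor",
          "filePath": "lib/report.rb", "line": 3, "webUrl": null, "engineName": "rubocop" }
      ],
      "resolvedErrors": [], "existingErrors": [],
      "summary": { "totalCount": 2, "resolvedCount": 0, "errorsCount": 2 } } },
    "sastReport": { "status": "PARSED", "report": {
      "headReportCreatedAt": "2023-06-01T10:00:00Z", "baseReportCreatedAt": "2023-05-31T10:00:00Z",
      "baseReportOutOfDate": false,
      "added": [
        { "uuid": "00000000-0000-0000-0000-000000000001",
          "title": "Improper neutralization of data in SQL query", "description": "User input reaches a raw query.",
          "state": "DETECTED", "severity": "HIGH", "foundByPipelineIid": "42",
          "location": { "file": "app/models/user.rb", "startLine": 40, "endLine": 40 },
          "identifiers": [ { "name": "CWE-89", "externalType": "cwe", "externalId": "89", "url": null } ] }
      ],
      "fixed": [] } }
  } } } }
JSON

puts JSON.pretty_generate(inline_annotations(SAMPLE_RESPONSE).to_h) if $PROGRAM_NAME == __FILE__
```

Keying the merged list on `[line, source]` keeps a SAST finding and a code quality degradation on the same line next to each other in the diff, which is the case the parent epic cares about most.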