Create new graphql field to represent code quality reports in MergeRequestType

Overview

As part of the work to display SAST and Code Quality findings in the merge request diff view (see parent epic), we have to update the GraphQL FindingReportsComparerResolver resolver to include code quality reports.

The findingReportsComparer field, however, doesn't allow specifying CodeQuality reports as a report_type, because the underlying implementation resolves those reports via the Security::MergeRequestSecurityReportGenerationService service class, which doesn't include code quality reports.

This is because code_quality reports have a slightly different format than other security reports generated by that service class.

Proposal

1️⃣ Create a new GraphQL field to represent Code Quality reports.

To ensure Code Quality reports can be queried via the same GraphQL query, we have to create a new field similar to findingReportsComparer. The new field, let's call it codequalityReportsComparer, would need to:

Please see the diagram below for an overview of the overall setup:

flowchart TB
T["EE::Types::MergeRequestType / Types::MergeRequestType"]
A[findingReportsComparer]
Z[codequalityReportsComparer]
Y[CodequalityReportsComparerResolver]
B[FindingReportsComparerResolver]
T-->A
T-->Z
A-->B
Z-->Y
C[MergeRequestSecurityReportGenerationService]
D[MergeRequest#compare_codequality_reports]
B-->C
Y-->D
E[CompareCodequalityReportsService]
F[CompareSecurityReportsService]
D-->E
C-->F

The goal here is to ensure both sast and code_quality reports can be queried as follows:

query getMRSecurityReport {
  project(fullPath: "gitlab-org/govern/threat-insights-demos/frontend/security-reports") {
    mergeRequest(iid: "1") {
      title
      hasSecurityReports
      codequalityReportsComparer {
        report {
          status
          newErrors {
            description
            severity
            filePath
            line
            webUrl
            engineName
          }
          resolvedErrors {
            description
            severity
            filePath
            line
            webUrl
            engineName
          }
          existingErrors {
            description
            severity
            filePath
            line
            webUrl
            engineName
          }
          summary {
            totalCount
            resolvedCount
            errorsCount
          }
        }
      }
      sastReport: findingReportsComparer(reportType: SAST) {
        status
        report {
          headReportCreatedAt
          baseReportCreatedAt
          baseReportOutOfDate
          added {
            uuid
            title
            description
            state
            severity
            foundByPipelineIid
            location {
              ... on VulnerabilityLocationSast {
                file
                startLine
                endLine
                vulnerableClass
                vulnerableMethod
                blobPath
              }
            }
            identifiers
          }
          fixed {
            uuid
            title
            description
            state
            severity
            foundByPipelineIid
            location {
              ... on VulnerabilityLocationSast {
                file
                startLine
                endLine
                vulnerableClass
                vulnerableMethod
                blobPath
              }
            }
            identifiers
          }
        }
      }
    }
  }
}
Edited by Ahmed Hemdan
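The query above returns the two report kinds in different shapes, which matters to any consumer that places both in the diff view. The sketch below is an added example, not code from the issue or from GitLab: it merges `newErrors` and SAST `added` entries into per-line annotations. `annotationsByLine` is a hypothetical helper and `SAMPLE_MR` is constructed sample data.

```javascript
// Added example. Field names follow the query above; SAMPLE_MR is constructed
// data and annotationsByLine is a hypothetical helper, not GitLab code.

// Code Quality entries carry filePath/line at the top level.
const fromCodequality = (e) => ({
  source: 'codequality', file: e.filePath, line: e.line,
  severity: e.severity, text: e.description,
});

// SAST findings nest the position under location (VulnerabilityLocationSast).
// Number() accepts a numeric string as well as a number for startLine.
const fromSast = (f) => ({
  source: 'sast', file: f.location?.file,
  line: f.location?.startLine == null ? NaN : Number(f.location.startLine),
  severity: f.severity, text: f.title,
});

// Build a Map of "file:line" -> annotations from one mergeRequest node.
// A comparer whose report is null or absent contributes nothing.
function annotationsByLine(mr) {
  const cq = mr.codequalityReportsComparer?.report?.newErrors ?? [];
  const sast = mr.sastReport?.report?.added ?? [];
  const byLine = new Map();
  for (const a of [...cq.map(fromCodequality), ...sast.map(fromSast)]) {
    // Entries without a usable file and line cannot be placed in a diff.
    if (!a.file || !Number.isInteger(a.line) || a.line < 1) continue;
    const key = `${a.file}:${a.line}`;
    byLine.set(key, [...(byLine.get(key) ?? []), a]);
  }
  return byLine;
}

const SAMPLE_MR = {
  codequalityReportsComparer: { report: { newErrors: [
    { description: 'Method too complex', severity: 'MAJOR', filePath: 'app/login.rb', line: 12 },
    { description: 'No line given', severity: 'MINOR', filePath: 'app/login.rb', line: null },
  ] } },
  sastReport: { report: { added: [
    { title: 'SQL injection', severity: 'HIGH', location: { file: 'app/login.rb', startLine: '12' } },
    { title: 'Hardcoded secret', severity: 'CRITICAL', location: { file: 'config/app.rb', startLine: '3' } },
  ] } },
};

for (const [key, items] of annotationsByLine(SAMPLE_MR)) {
  console.log(key, items.map((i) => `${i.source}/${i.severity}: ${i.text}`));
}
```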