[Frontend] Refactor Secure Inline Findings REST API Requests to GraphQL Queries
- The Secure Inline Findings feature, which currently supports SAST and CodeQuality, fetches its findings through polled REST API requests. These requests should be replaced with GraphQL queries to improve efficiency and maintainability, and to let both report types be fetched in a single operation.
- Find details on how to reproduce the queries here: !129280 (merged)
- Example link of current state of Application in action on prod: jannik_lehmann/code-quality-test!4 (diffs)
Three configuration scenarios need to be covered by the GraphQL queries: CodeQuality only, SAST only, and both enabled.
CodeQuality
Example Query:
```graphql
query getMRCodequalityReports {
  project(fullPath: "PROJECT_FULL_PATH") {
    mergeRequest(iid: "MERGE_REQUEST_ID") {
      title
      codequalityReportsComparer {
        report {
          status
          newErrors {
            description
            fingerprint
            severity
            filePath
            line
            webUrl
            engineName
          }
          resolvedErrors {
            description
            fingerprint
            severity
            filePath
            line
            webUrl
            engineName
          }
          existingErrors {
            description
            fingerprint
            severity
            filePath
            line
            webUrl
            engineName
          }
          summary {
            errored
            resolved
            total
          }
        }
      }
    }
  }
}
```
SAST
Example Query:
```graphql
query getMRSecurityReport {
  project(fullPath: "gitlab-org/govern/threat-insights-demos/frontend/security-reports") {
    mergeRequest(iid: "1") {
      title
      hasSecurityReports
      # reportType must be SAST here; the original example asked for DEPENDENCY_SCANNING
      findingReportsComparer(reportType: SAST) {
        status
        report {
          headReportCreatedAt
          baseReportCreatedAt
          baseReportOutOfDate
          added {
            uuid
            title
            description
            severity
            foundByPipelineIid
          }
          fixed {
            uuid
            title
            description
            severity
            foundByPipelineIid
          }
        }
      }
    }
  }
}
```
SAST and Codequality
Example Query:
```graphql
query getSASTAndCodeQualityReports {
  project(fullPath: "PROJECT_FULL_PATH") {
    mergeRequest(iid: "MERGE_REQUEST_ID") {
      title
      hasSecurityReports
      codequalityReportsComparer {
        report {
          status
          newErrors {
            description
            severity
            filePath
            line
            webUrl
            engineName
          }
          resolvedErrors {
            description
            severity
            filePath
            line
            webUrl
            engineName
          }
          existingErrors {
            description
            severity
            filePath
            line
            webUrl
            engineName
          }
          summary {
            # same summary fields as in the CodeQuality-only query
            errored
            resolved
            total
          }
        }
      }
      sastReport: findingReportsComparer(reportType: SAST) {
        status
        report {
          headReportCreatedAt
          baseReportCreatedAt
          baseReportOutOfDate
          added {
            uuid
            title
            description
            state
            severity
            foundByPipelineIid
            location {
              ... on VulnerabilityLocationSast {
                file
                startLine
                endLine
                vulnerableClass
                vulnerableMethod
                blobPath
              }
            }
            # identifiers is a list of objects, so it needs a selection set
            identifiers {
              externalType
              externalId
              name
              url
            }
          }
          fixed {
            uuid
            title
            description
            state
            severity
            foundByPipelineIid
            location {
              ... on VulnerabilityLocationSast {
                file
                startLine
                endLine
                vulnerableClass
                vulnerableMethod
                blobPath
              }
            }
            identifiers {
              externalType
              externalId
              name
              url
            }
          }
        }
      }
    }
  }
}
```
Implementation Plan:
- Refactor the fetchCodeQuality method to run the CodeQuality GraphQL query instead of HTTP polling.
- Refactor the fetchSast method to run the SAST GraphQL query instead of HTTP polling.
- Make sure that when both CodeQuality and SAST are enabled a new method/action fetchCodeQualityAndSast is called, which runs the combined query described above and passes the results to the inline-findings dropdown.
Acceptance Criteria:
- Refactoring these network calls must not result in any UI changes.
- Eliminate race conditions between the population of SAST and CodeQuality findings by using a single unified GraphQL query when both are enabled.
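The implementation plan and the second acceptance criterion describe one request per configuration and a unified query when both report types are enabled. The following is an added example (not GitLab's code and not from the linked MR) of how that can be structured in plain JavaScript: a query builder that emits one operation for whichever sources are enabled, and a normaliser that maps both report shapes onto the `file:line` keys an inline-findings dropdown works with. The selection sets are trimmed from the queries in this issue; the function names, the injected `request(query, variables)` transport, and the sample response are assumptions made for the illustration.

```javascript
// Added example, not GitLab's code: selection sets are trimmed from the queries
// in this issue; the function names, fake transport and sample data are assumptions.
const CODEQUALITY_SELECTION = `
      codequalityReportsComparer { report {
        status
        newErrors { description severity filePath line webUrl engineName }
        summary { errored resolved total }
      } }`;

const SAST_SELECTION = `
      sastReport: findingReportsComparer(reportType: SAST) {
        status
        report { added {
          uuid title description severity state
          location { ... on VulnerabilityLocationSast { file startLine endLine } }
        } }
      }`;

// One operation per configuration. Fetching both report kinds in the same
// operation is what removes the race between them: they arrive together.
function buildInlineFindingsQuery({ codequality = false, sast = false } = {}) {
  const selections = [];
  if (codequality) selections.push(CODEQUALITY_SELECTION);
  if (sast) selections.push(SAST_SELECTION);
  if (selections.length === 0) throw new Error('no inline findings source enabled');
  return `query getInlineFindings($fullPath: ID!, $iid: String!) {
  project(fullPath: $fullPath) {
    mergeRequest(iid: $iid) {${selections.join('')}
    }
  }
}`;
}

// CodeQuality errors already carry filePath/line. Description is scanner
// output from the repository's own tooling: render it as text, never as HTML.
function normaliseCodequality(report) {
  return (report?.newErrors ?? []).map((e) => ({
    source: 'codequality',
    filePath: e.filePath,
    line: e.line,
    severity: String(e.severity ?? 'unknown').toLowerCase(),
    text: e.description,
    webUrl: e.webUrl ?? null,
  }));
}

// SAST findings keep the file under location; a finding whose location is not
// a SAST location (or has no file) cannot be placed inline and is skipped.
function normaliseSast(report) {
  return (report?.added ?? [])
    .filter((f) => f.location?.file && f.location.startLine != null)
    .map((f) => ({
      source: 'sast',
      filePath: f.location.file,
      line: f.location.startLine,
      severity: String(f.severity ?? 'unknown').toLowerCase(),
      text: f.title,
      webUrl: null,
    }));
}

// Turn one response into the dropdown's input, keyed "file:line". A null
// mergeRequest means the MR is missing or the caller lacks access to it.
function normaliseResponse(data, { fullPath, iid }) {
  const mr = data?.project?.mergeRequest;
  if (!mr) throw new Error(`merge request ${fullPath}!${iid} not found or not accessible`);
  const byLine = new Map();
  for (const f of [...normaliseCodequality(mr.codequalityReportsComparer?.report),
                   ...normaliseSast(mr.sastReport?.report)]) {
    const key = `${f.filePath}:${f.line}`;
    if (!byLine.has(key)) byLine.set(key, []);
    byLine.get(key).push(f);
  }
  return {
    codequalityStatus: mr.codequalityReportsComparer?.report?.status ?? null,
    sastStatus: mr.sastReport?.status ?? null,
    findings: byLine,
  };
}

// Single entry point replacing fetchCodeQuality/fetchSast: one request whatever
// the configuration. `request(query, variables)` is the injected GraphQL client.
async function fetchInlineFindings(request, { fullPath, iid, codequality, sast }) {
  const query = buildInlineFindingsQuery({ codequality, sast });
  const data = await request(query, { fullPath, iid: String(iid) });
  return normaliseResponse(data, { fullPath, iid });
}

// Constructed sample response in the shape of the queries above (not real data).
const SAMPLE_RESPONSE = { project: { mergeRequest: {
  codequalityReportsComparer: { report: { status: 'FAILED', summary: { errored: 1, resolved: 0, total: 1 },
    newErrors: [{ description: 'Method `load` has a cognitive complexity of 12', severity: 'major',
      filePath: 'app/models/user.rb', line: 42, webUrl: 'https://example.invalid/cq/1', engineName: 'rubocop' }] } },
  sastReport: { status: 'PARSED', report: { added: [
    { uuid: 'f1', title: 'Possible command injection', description: '', severity: 'HIGH', state: 'DETECTED',
      location: { file: 'app/models/user.rb', startLine: 42, endLine: 44 } },
    { uuid: 'f2', title: 'Finding with no file location', description: '', severity: 'LOW', state: 'DETECTED',
      location: {} } ] } },
} } };

// Fake client standing in for Apollo so the example runs offline.
const fakeRequest = async () => SAMPLE_RESPONSE;
fetchInlineFindings(fakeRequest, { fullPath: 'group/project', iid: 4, codequality: true, sast: true })
  .then((r) => console.log(`${r.findings.size} annotated line(s), sast status ${r.sastStatus}`));
```

The comparer fields still report a status, and a report that is not yet parsed comes back without findings rather than as an error; the caller should check the returned status values and re-issue the query (for example with the client's poll interval) until the comparison is available, otherwise the dropdown will silently show nothing for a pipeline that is still running.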
Edited by Jannik Lehmann