Pipeline.securityReportFindings does not return all expected results

Summary

The Pipeline.securityReportFindings GraphQL query does not return all findings by default.

Steps to reproduce

  1. Create a new project.
  2. Add a README.md file with the following content:
    https://username:password@gitlab.com/test-group/project.git
    https://username:password@github.com/test-group/project.git
  3. Add a .gitlab-ci.yml file with the following content:
    include:
        - template: 'Jobs/Secret-Detection.latest.gitlab-ci.yml'
  4. Run a pipeline.
  5. Visit the project Vulnerability report page.
  6. Change the status of one of the vulnerabilities to Dismissed.
  7. Visit /-/graphql-explorer.
  8. Execute the following query.
    query VulnerabilityFindings {
      project(fullPath: "gitlab-gold/alejguer-gold/tickets/438421-SecretNoDetection") {
        pipeline(iid: 3) {
          securityReportFindings {
            nodes {
              description
              state
            }
          }
        }
      }
    }

Example Project

https://gitlab.com/gitlab-gold/alejguer-gold/tickets/438421-secretnodetection/

What is the current bug behavior?

The GraphQL query does not return findings for all states.

What is the expected correct behavior?

The GraphQL query should return all findings.

Possible fixes

https://gitlab.com/gitlab-org/gitlab/-/blob/1ca3124cbdaa2abbcfc15a564552407bec2b15fe/ee/app/models/security/finding.rb#L84

Implementation Plan

  • write a test to reproduce the defect
  • update the generated sql query to return all findings with all states. source

Verification Steps

  1. Visit graphql explorer
  2. Execute the following query.
    query VulnerabilityFindings {
      project(fullPath: "gitlab-org/govern/threat-insights-demos/verification-projects/verify-422542") {
        pipeline(iid: 1) {
          securityReportFindings {
            nodes {
              description
              state
            }
          }
        }
      }
    }
  3. Ensure that two results are returned.
  4. Verify the same results in gitlab-gold/alejguer-gold/tickets/438421-SecretNoDetection.
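The reproduction and verification steps above both rely on reading the query result by eye in the GraphQL explorer. The script below is an added example (not part of this issue or of GitLab's own code) that runs the same securityReportFindings query against a pipeline, follows cursor pagination, and tallies the returned findings by state, so a state that is silently filtered out (such as DISMISSED) shows up as a missing entry instead of being overlooked. It assumes a GitLab instance URL and a personal access token with read_api scope in the GITLAB_URL and GITLAB_TOKEN environment variables; the project path and pipeline iid are passed on the command line (the verification project from step 2 is the intended input). The embedded sample responses are constructed to mirror the buggy and the expected behaviour and let the checks run offline.

```python
"""Tally Pipeline.securityReportFindings results by vulnerability state.

Added example for the securityReportFindings issue; it is not GitLab code.
Assumptions: GITLAB_URL (default https://gitlab.com) and GITLAB_TOKEN
(read_api scope) are set in the environment when querying a live instance.
"""
import json
import os
import sys
import urllib.request
from collections import Counter

# Same selection as the issue's query, with variables and cursor pagination
# added so that every page of the connection is read.
QUERY = """
query VulnerabilityFindings($fullPath: ID!, $iid: ID!, $after: String) {
  project(fullPath: $fullPath) {
    pipeline(iid: $iid) {
      securityReportFindings(after: $after) {
        pageInfo { hasNextPage endCursor }
        nodes { description state }
      }
    }
  }
}
"""

# The two states exercised by the reproduction steps: one finding is left
# as detected, one is dismissed from the vulnerability report.
EXPECTED_STATES = ("DETECTED", "DISMISSED")


def _connection(page):
    """Return the securityReportFindings connection from one response page."""
    return page["data"]["project"]["pipeline"]["securityReportFindings"]


def fetch_pages(full_path, iid, url=None, token=None):
    """Query the GraphQL API and return every response page as a list."""
    url = url or os.environ.get("GITLAB_URL", "https://gitlab.com")
    token = token or os.environ["GITLAB_TOKEN"]
    pages, after = [], None
    while True:
        variables = {"fullPath": full_path, "iid": str(iid), "after": after}
        body = json.dumps({"query": QUERY, "variables": variables}).encode()
        req = urllib.request.Request(
            f"{url.rstrip('/')}/api/graphql",
            data=body,
            headers={"Content-Type": "application/json",
                     "Authorization": f"Bearer {token}"},
        )
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        if "errors" in page:
            raise RuntimeError(page["errors"])
        pages.append(page)
        info = _connection(page)["pageInfo"]
        if not info["hasNextPage"]:
            return pages
        after = info["endCursor"]


def tally_states(pages):
    """Count findings per state across all response pages."""
    counts = Counter()
    for page in pages:
        for node in _connection(page)["nodes"]:
            counts[node["state"]] += 1
    return counts


def missing_states(counts, expected=EXPECTED_STATES):
    """States we expected to see but that the query did not return."""
    return sorted(set(expected) - set(counts))


# Constructed sample responses (not real API output). SAMPLE_BUGGY mirrors
# the reported behaviour: the dismissed finding is absent from the result.
_DETECTED = {"description": "Constructed secret in README.md", "state": "DETECTED"}
_DISMISSED = {"description": "Constructed secret in README.md", "state": "DISMISSED"}


def _page(nodes):
    return {"data": {"project": {"pipeline": {"securityReportFindings": {
        "pageInfo": {"hasNextPage": False, "endCursor": None},
        "nodes": nodes}}}}}


SAMPLE_BUGGY = [_page([_DETECTED])]
SAMPLE_FIXED = [_page([_DETECTED, _DISMISSED])]


if __name__ == "__main__":
    # Usage: python check_findings.py <project full path> <pipeline iid>
    # With no arguments the constructed SAMPLE_FIXED response is used.
    pages = fetch_pages(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else SAMPLE_FIXED
    counts = tally_states(pages)
    for state, n in sorted(counts.items()):
        print(f"{state}: {n}")
    gap = missing_states(counts)
    print("missing states:", gap or "none")
    sys.exit(1 if gap else 0)
```

The exit status makes the check usable in the verification step: a non-zero exit means at least one expected state never appeared in any page, which is exactly the symptom this issue describes.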
Edited by mo khan