[Spike] Investigate scope changes of GraphQL migration of pipeline security report
Why are we doing this work
There is an ongoing effort to migrate the pipeline security report to GraphQL. The effort started many milestones ago and was worked on by various people.
Initially, the goal was releasing the GraphQL version of the report with the current feature set.
Going forward, we want to make sure that there is feature parity between the pipeline security report and the vulnerability report. This includes:
- Using reusable components
- Bulk dismissal
- Dismissal reasons
- Capture other feature differences
- Identify new vulnerabilities in the pipeline security tab
We also aim to include new functionality: Identify new vulnerabilities in the pipeline se... (#421056)
This spike's goal is to investigate and capture the current frontend architecture to identify any additional work that is needed to support the changed scope. It should also provide us with a more educated estimate of the remaining work.
The effort is time-boxed to 2 days.
Outcome:
Reusable / Shared components
The current architecture does indeed share the main component between the vulnerability reports (project-, group-, and instance level) and the pipeline security tab.
This component (VulnerabilityReport) is responsible for:
- The vulnerabilities count (only shown on the vulnerability reports)
- Filtering
- Bulk state changes
- Group-by functionality
- Rendering the list of vulnerabilities
More details are in the thread below: #425934 (comment 1610541704)
Bulk state changes
The UI for this is already working - see #425934 (comment 1610636901)
However, to correctly get the GraphQL mutations working, we will need some backend work to either:
- Include a vulnerability for every finding, or
- Add mutations to support changing findings to confirmed and resolved states
More details are in the thread below: #425934 (comment 1612156161)
Dismissal reasons
The UI for this is also working, but we will need to wire up the mutations that are mentioned in the "Bulk state changes" point above.
More details are in the thread below: #425934 (comment 1612160169)
Other feature differences
There is some functionality that is currently supported on the vulnerability report, but not on the pipeline security report:
- Activity column
- Activity filter
- Filter by custom tools
- Filter by "Dismissed as ..."
More details and screenshots are in the thread below: #425934 (comment 1612642010)
Identify new vulnerabilities in the pipeline security tab
High-level breakdown
- Add filter inputs and a column (finding state "New" / "Pre-existing") to the filter and table within vulnerability_report.vue (make sure it only renders for the pipeline report).
- Add backend support for the filter (an additional pipelineFindings query input to apply the filter settings).
- Add finding state data to the PipelineSecurityReportFinding GraphQL type ("New" / "Pre-existing").
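The classification and filter behaviour that the breakdown above describes, as an added plain-JavaScript example; this is not code from the GitLab project. It assumes that a finding counts as "Pre-existing" when a finding with the same identifiers in the same file already exists in a baseline set (for instance the default branch's findings) and "New" otherwise; the key fields used for matching, the `findingKey`, `classifyFindings`, `applyFindingStateFilter` and `pipelineReportRows` names, and the sample findings are all constructed for this example.

```javascript
// Added example, not GitLab code. Assumption: a finding is "Pre-existing" when a
// finding with the same identifiers in the same file exists in the baseline, and
// "New" otherwise. The real fingerprint would come from the backend.

const FINDING_STATES = Object.freeze({ NEW: 'New', PRE_EXISTING: 'Pre-existing' });

// Build a stable key from sorted identifiers plus the file. The line number is
// deliberately left out so that a finding that merely shifts a few lines between
// pipelines is not reported as new (hypothetical key; an assumption of this example).
function findingKey(finding) {
  const ids = finding.identifiers
    .map((id) => `${id.type}:${id.value}`)
    .sort()
    .join('|');
  return `${ids}@${finding.location.file}`;
}

// Annotate every pipeline finding with findingState ("New" / "Pre-existing").
function classifyFindings(pipelineFindings, baselineFindings) {
  const baselineKeys = new Set(baselineFindings.map(findingKey));
  return pipelineFindings.map((finding) => ({
    ...finding,
    findingState: baselineKeys.has(findingKey(finding))
      ? FINDING_STATES.PRE_EXISTING
      : FINDING_STATES.NEW,
  }));
}

// Apply the finding-state filter input. An empty selection means "show everything"
// (assumption, mirroring how an unset filter usually behaves).
function applyFindingStateFilter(findings, selectedStates = []) {
  if (selectedStates.length === 0) return findings;
  const wanted = new Set(selectedStates);
  return findings.filter((finding) => wanted.has(finding.findingState));
}

// Constructed sample data; identifier values are placeholders, not real advisories.
const BASELINE_FINDINGS = [
  { identifiers: [{ type: 'example_id', value: 'EXAMPLE-0001' }], location: { file: 'src/app.js', startLine: 10 } },
  { identifiers: [{ type: 'example_id', value: 'EXAMPLE-0002' }], location: { file: 'src/db.js', startLine: 42 } },
];

const PIPELINE_FINDINGS = [
  // unchanged finding -> Pre-existing
  { identifiers: [{ type: 'example_id', value: 'EXAMPLE-0001' }], location: { file: 'src/app.js', startLine: 10 } },
  // same finding shifted by one line -> still Pre-existing
  { identifiers: [{ type: 'example_id', value: 'EXAMPLE-0002' }], location: { file: 'src/db.js', startLine: 43 } },
  // never seen before -> New
  { identifiers: [{ type: 'example_id', value: 'EXAMPLE-0003' }], location: { file: 'src/auth.js', startLine: 7 } },
  // known identifier in a new file -> New
  { identifiers: [{ type: 'example_id', value: 'EXAMPLE-0001' }], location: { file: 'src/worker.js', startLine: 3 } },
];

// Rows the pipeline report table would render for a given finding-state selection.
function pipelineReportRows(selectedStates) {
  return applyFindingStateFilter(
    classifyFindings(PIPELINE_FINDINGS, BASELINE_FINDINGS),
    selectedStates,
  );
}

console.log(pipelineReportRows([FINDING_STATES.NEW]).map((f) => f.location.file));
// prints [ 'src/auth.js', 'src/worker.js' ]
```

The design choice worth noting is the matching key: including the line number would turn every small edit above a finding into a "New" entry, while dropping the file would hide a known issue that appears in a second location. Whatever the backend fingerprint ends up being, the "New" / "Pre-existing" column is only as trustworthy as that key.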