
Return Pipeline, Commit, Author, etc. where Vulnerability was detected in GraphQL API Response

Release Notes

Users may want to find the pipeline and commit in which a vulnerability was first detected. The Vulnerability GraphQL type now includes initialDetectedPipeline, which can be used to retrieve additional commit information such as the author's username. Note that this is the commit the detecting pipeline ran against, not necessarily the commit that introduced the vulnerable code (for example, when scanning was enabled after the code was written).

Introduces initialDetectedPipeline and latestDetectedPipeline to the vulnerability object.

Both pipeline fields expose commit, which in turn exposes the commit's author information.

Documentation: https://docs.gitlab.com/api/graphql/reference/#vulnerability

Example query

{
  vulnerability(id: "gid://gitlab/Vulnerability/187582237") {
    title
    initialDetectedPipeline {
      id
      commit {
        sha
        webUrl
        author {
          id
          username
        }
      }
    }
  }
}

Example response

{
  "data": {
    "vulnerability": {
      "title": "Improper neutralization of special elements used in an SQL Command ('SQL Injection')",
      "initialDetectedPipeline": {
        "id": "gid://gitlab/Ci::Pipeline/1833675473",
        "commit": {
          "sha": "1945878b40026b8110f5f3c91fe902e70e182e7b",
          "webUrl": "https://gitlab.com/gitlab-org/govern/threat-insights-demos/verification-projects/cwe-samples/-/commit/1945878b40026b8110f5f3c91fe902e70e182e7b",
          "author": {
            "id": "gid://gitlab/User/5412787",
            "username": "nmccorrison"
          }
        }
      }
    }
  },
  "correlationId": "d1a1e1f2daf339028e79a372885fe7ea"
}
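The customer use case in this issue is exporting vulnerability details for tracking outside GitLab. The following script is an added example written for this page, not GitLab's own code: it walks a project's vulnerabilities connection with the fields shown above, flattens each node (guarding the nullable pipeline, commit and author objects) and emits CSV. Assumptions, labelled in the code as well: the gitlab.com GraphQL endpoint, a personal access token with the read_api scope in the GITLAB_TOKEN environment variable, the project path taken from the example webUrl, and a constructed sample response used when no token is set. The export contains usernames and internal commit URLs, so treat the file as sensitive.

```python
"""Export first/latest-detected pipeline, commit and author for a project's
vulnerabilities via the GitLab GraphQL API (added example, not GitLab code).

Assumptions: gitlab.com endpoint, GITLAB_TOKEN holds a token with read_api
scope, project path taken from the page's example webUrl.
"""
import csv
import io
import json
import os
import urllib.request

GRAPHQL_URL = "https://gitlab.com/api/graphql"  # assumption: gitlab.com instance

# Same fields as the page's single-vulnerability query, requested for every
# vulnerability of one project through the paginated vulnerabilities connection.
PROJECT_VULNS_QUERY = """
query($fullPath: ID!, $after: String) {
  project(fullPath: $fullPath) {
    vulnerabilities(first: 100, after: $after) {
      nodes {
        id
        title
        initialDetectedPipeline { id commit { sha webUrl author { id username } } }
        latestDetectedPipeline { id commit { sha } }
      }
      pageInfo { hasNextPage endCursor }
    }
  }
}
"""

FIELDS = ["vulnerability_id", "title", "initial_pipeline_id", "initial_commit_sha",
          "initial_commit_url", "initial_author_username", "latest_pipeline_id"]


def gid_number(gid):
    """'gid://gitlab/Ci::Pipeline/1833675473' -> 1833675473; None if absent."""
    if not gid:
        return None
    return int(gid.rsplit("/", 1)[-1])


def flatten(vuln):
    """Flatten one vulnerability node into one export row.

    The pipeline, commit and author objects are treated as nullable
    (assumption: standard GraphQL object fields), so each level is guarded.
    """
    initial = vuln.get("initialDetectedPipeline") or {}
    latest = vuln.get("latestDetectedPipeline") or {}
    commit = initial.get("commit") or {}
    author = commit.get("author") or {}
    return {
        "vulnerability_id": gid_number(vuln.get("id")),
        "title": vuln.get("title"),
        "initial_pipeline_id": gid_number(initial.get("id")),
        "initial_commit_sha": commit.get("sha"),
        "initial_commit_url": commit.get("webUrl"),
        "initial_author_username": author.get("username"),
        "latest_pipeline_id": gid_number(latest.get("id")),
    }


def graphql(query, variables, token, url=GRAPHQL_URL):
    """POST one GraphQL request; raise on transport or GraphQL-level errors."""
    body = json.dumps({"query": query, "variables": variables}).encode()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        payload = json.load(resp)
    if payload.get("errors"):
        raise RuntimeError(payload["errors"])
    return payload["data"]


def export_project(full_path, token):
    """Follow pageInfo cursors until the whole connection has been read."""
    rows, after = [], None
    while True:
        data = graphql(PROJECT_VULNS_QUERY, {"fullPath": full_path, "after": after}, token)
        conn = data["project"]["vulnerabilities"]
        rows.extend(flatten(node) for node in conn["nodes"])
        if not conn["pageInfo"]["hasNextPage"]:
            return rows
        after = conn["pageInfo"]["endCursor"]


def to_csv(rows):
    """Serialise rows as CSV text for an external tracker."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample: the page's example response reshaped as a connection
# node, plus a second node whose pipelines are null.
SAMPLE_NODES = [
    {"id": "gid://gitlab/Vulnerability/187582237",
     "title": "Improper neutralization of special elements used in an SQL Command ('SQL Injection')",
     "initialDetectedPipeline": {
         "id": "gid://gitlab/Ci::Pipeline/1833675473",
         "commit": {"sha": "1945878b40026b8110f5f3c91fe902e70e182e7b",
                    "webUrl": "https://gitlab.com/gitlab-org/govern/threat-insights-demos/verification-projects/cwe-samples/-/commit/1945878b40026b8110f5f3c91fe902e70e182e7b",
                    "author": {"id": "gid://gitlab/User/5412787", "username": "nmccorrison"}}},
     "latestDetectedPipeline": {"id": "gid://gitlab/Ci::Pipeline/1833675473",
                                "commit": {"sha": "1945878b40026b8110f5f3c91fe902e70e182e7b"}}},
    {"id": "gid://gitlab/Vulnerability/1", "title": "Constructed: no detection pipeline",
     "initialDetectedPipeline": None, "latestDetectedPipeline": None},
]

if __name__ == "__main__":
    token = os.environ.get("GITLAB_TOKEN")
    if token:  # live export; project path is the one from the page's example webUrl
        rows = export_project("gitlab-org/govern/threat-insights-demos/verification-projects/cwe-samples", token)
    else:      # offline: flatten the constructed sample instead
        rows = [flatten(node) for node in SAMPLE_NODES]
    print(to_csv(rows))
```

Run it with GITLAB_TOKEN set to export a real project; without a token it flattens the constructed sample so the parsing path can be checked offline. The pagination loop is the part a one-off curl misses: a project with more than 100 findings needs the endCursor round trip, and a GraphQL-level error (for example an unauthorised project) arrives with HTTP 200 in the errors array, which is why the client checks that array rather than only the status code.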

Problem to solve

Currently, the UI provides a link to the pipeline in which a vulnerability was detected. The API does not expose this.

User experience goal

This was raised by a customer (internal link) whose use case for this feature involves downloading details of both vulnerabilities and dependencies to track new and existing issues externally from GitLab, without having to use the UI.

Proposal

Extend the GraphQL API to include the pipeline ID where a vulnerability was detected. This will be added as part of the single vulnerability query.

New field to add

detectedPipelineId

Further details

Current implementation in the UI:

(screenshot: image.png)

Links / references

Refer to the current GitLab documentation for the GraphQL vulnerabilities API: https://docs.gitlab.com/api/graphql/reference/#vulnerability

Implementation plan:

#468913 (comment 2537233485)

As defined in the proposal, the following fields can be added to ee/app/graphql/types/vulnerability_type.rb:

  • initial_pipeline_id
  • latest_pipeline_id

Then, the following resolvers can be used to retrieve the corresponding ids:

  • object.vulnerability_finding&.initial_finding_pipeline&.id
  • object.vulnerability_finding&.latest_finding_pipeline&.id

The fields can then be queried:

{
  vulnerability(id: "gid://gitlab/Vulnerability/545"){
    initialPipelineId
    latestPipelineId
  }
}

The following sample data is expected to be returned:

{
  "data": {
    "vulnerability": {
      "initialPipelineId": "599",
      "latestPipelineId": "599"
    }
  }
}
Edited by Neil McCorrison