Expose the original severity in response from Vulnerabilities API

Release Notes

The vulnerabilities API now exposes the original severity from before severity overrides were applied.

Problem to Solve

One customer creates custom severities based on the original severity and the overridden severity. Neither value can simply replace the other: the customer wants the two merged in a custom manner in their proprietary system. To do this, they need a straightforward way to access both severity fields via the same GraphQL API.

In Scope

  • Allow original severity that is set in the pipeline to be accessible as a field when querying vulnerabilities from the project level.

Out of Scope

  • UI Changes

Dependencies

  • None known

Outstanding Questions

Question | Answer | Assignee | Priority | Blocking?

Designs

n/a

Functional Requirements

Page Level Support

  • Project
  • Group
  • Pipeline > Security (findings)
  • MR Security Widget (findings)
  • Security Center
  • Security Dashboard

Workflow

  • Requires an additional filter on the Vulnerability Report (docs)
  • Requires an addition to the Vulnerability Report export (docs)
  • Requires an additional filter on the Dependency List (docs)
  • Requires an addition to the Dependency List export (docs)
  • Requires documentation

Non-Functional Requirements

Product Usage

  • Requires new instrumentation (docs)

Feature Flag Usage

  • This feature should be released behind a feature flag? (docs)

Testing

  • Requires new E2E test coverage (docs)
  • Requires extended manual / UAT phase
  • Performance testing needed (testing)

Resources

  1. Epic Board showing issues across workflow stages.
  2. Documentation links
  3. Prior work/projects

Planning Breakdown / Implementation Plan

  1. Expose an original_severity field on the PipelineSecurityReportFindingType which will return the value from the security_findings.severity database column.
  2. Expose a latest_security_finding field on the VulnerabilityType which will return the Security::Finding from the most recent pipeline.

This results in a GraphQL query like so (wrapped in a named operation so that the $fullPath variable is declared; the operation name is illustrative):

# $fullPath must be declared on the operation before it can be used below
query VulnerabilitySeverities($fullPath: ID!) {
  project(fullPath: $fullPath) {
    vulnerabilities {
      nodes {
        severity
        latestSecurityReportFinding {
          originalSeverity
        }
      }
    }
  }
}
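As an added example (not part of the issue or of GitLab's own code), the following script consumes a response of the shape the query above returns and reports where a severity override changed the scanner's original value, then applies a sample merge rule of the kind the customer describes. The enum names, the response sample and the merge rule are assumptions.

```python
import json

# Severity ordering; enum names follow GitLab's VulnerabilitySeverity (assumed).
RANK = {"INFO": 0, "UNKNOWN": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}

# Constructed sample response in the shape the query above returns (not real data).
SAMPLE_RESPONSE = json.dumps({"data": {"project": {"vulnerabilities": {"nodes": [
    {"severity": "CRITICAL", "latestSecurityReportFinding": {"originalSeverity": "HIGH"}},
    {"severity": "LOW", "latestSecurityReportFinding": {"originalSeverity": "LOW"}},
    {"severity": "MEDIUM", "latestSecurityReportFinding": {"originalSeverity": "CRITICAL"}},
    {"severity": "HIGH", "latestSecurityReportFinding": None},
]}}}})


def parse_severities(response_text):
    """Return (severity, original_severity) pairs; original is None when the
    vulnerability has no finding in the most recent pipeline."""
    nodes = json.loads(response_text)["data"]["project"]["vulnerabilities"]["nodes"]
    pairs = []
    for node in nodes:
        finding = node.get("latestSecurityReportFinding") or {}
        pairs.append((node["severity"], finding.get("originalSeverity")))
    return pairs


def severity_overrides(pairs):
    """List (severity, original, 'raised'|'lowered') for every overridden entry."""
    out = []
    for severity, original in pairs:
        if original is None or severity == original:
            continue
        direction = "raised" if RANK[severity] > RANK[original] else "lowered"
        out.append((severity, original, direction))
    return out


def merged_severity(severity, original):
    """Example merge rule, an assumption standing in for the customer's
    proprietary logic: never report lower than the scanner's original value."""
    if original is None:
        return severity
    return max(severity, original, key=RANK.__getitem__)


if __name__ == "__main__":
    for severity, original, direction in severity_overrides(parse_severities(SAMPLE_RESPONSE)):
        print(f"{original} -> {severity} ({direction})")
```

Vulnerabilities whose latestSecurityReportFinding is null (no finding in the most recent pipeline) are kept but excluded from the override report rather than raising a KeyError.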
Edited by Brian Williams