Use `PureFindingsFinder` if available in GraphQL (!107379) · Merge requests · GitLab.org / GitLab

Mehmet Emin INAC requested to merge 346581_use_pure_findings_finder_on_graphql into master Dec 19, 2022

What does this MR do and why?

This MR changes the finder class used in pipeline security report findings GraphQL resolver with the new more performant one if it's available.

Database review

This MR introduces filtering security findings by state and scanners. There are 4 different queries when we account for active feature flags;

Filtering by scanners

SELECT
    "security_findings".*
FROM
    "security_findings"
    INNER JOIN "security_scans" ON "security_findings"."scan_id" = "security_scans"."id"
    INNER JOIN "security_scans" "scans_security_findings" ON "scans_security_findings"."id" = "security_findings"."scan_id"
WHERE
    "security_scans"."pipeline_id" = 728002676
    AND "security_findings"."deduplicated" = TRUE
    AND "security_scans"."latest" = TRUE
    AND "security_scans"."status" = 1
    AND "security_findings"."scanner_id" IN (
        SELECT
            "vulnerability_scanners"."id"
        FROM
            "vulnerability_scanners"
        WHERE
            "vulnerability_scanners"."project_id" = 40932235
            AND "vulnerability_scanners"."external_id" = 'find_sec_bugs')
ORDER BY
    "security_findings"."severity" DESC,
    "security_findings"."id" ASC
LIMIT 20 OFFSET 0

https://console.postgres.ai/gitlab/gitlab-production-tunnel-pg12/sessions/14142/commands/49503

Filtering by state(detected)

SELECT
    "security_findings".*
FROM
    "security_findings"
    INNER JOIN "security_scans" ON "security_findings"."scan_id" = "security_scans"."id"
    INNER JOIN "security_scans" "scans_security_findings" ON "scans_security_findings"."id" = "security_findings"."scan_id"
WHERE
    "security_scans"."pipeline_id" = 728002676
    AND "security_findings"."deduplicated" = TRUE
    AND "security_scans"."latest" = TRUE
    AND "security_scans"."status" = 1
    AND (EXISTS (
            SELECT
                1
            FROM
                "vulnerabilities"
                INNER JOIN "vulnerability_occurrences" ON "vulnerability_occurrences"."vulnerability_id" = "vulnerabilities"."id"
            WHERE
                "vulnerabilities"."state" = 1
                AND (vulnerability_occurrences.uuid = security_findings.uuid::text))
            OR NOT EXISTS (
                SELECT
                    1
                FROM
                    "vulnerability_occurrences"
                WHERE (vulnerability_occurrences.uuid = security_findings.uuid::text)))
ORDER BY
    "security_findings"."severity" DESC,
    "security_findings"."id" ASC
LIMIT 20 OFFSET 0

https://console.postgres.ai/gitlab/gitlab-production-tunnel-pg12/sessions/14142/commands/49505

Filtering by state(dismissed when FF is off)

SELECT
    "security_findings".*
FROM
    "security_findings"
    INNER JOIN "security_scans" ON "security_findings"."scan_id" = "security_scans"."id"
    INNER JOIN "security_scans" "scans_security_findings" ON "scans_security_findings"."id" = "security_findings"."scan_id"
WHERE
    "security_scans"."pipeline_id" = 728002676
    AND "security_findings"."deduplicated" = TRUE
    AND "security_scans"."latest" = TRUE
    AND "security_scans"."status" = 1
    AND (EXISTS (
            SELECT
                1
            FROM
                "vulnerabilities"
                INNER JOIN "vulnerability_occurrences" ON "vulnerability_occurrences"."vulnerability_id" = "vulnerabilities"."id"
            WHERE
                "vulnerabilities"."state" = 2
                AND (vulnerability_occurrences.uuid = security_findings.uuid::text))
            OR EXISTS (
                SELECT
                    1
                FROM
                    "security_scans"
                    INNER JOIN "projects" ON "projects"."id" = "security_scans"."project_id"
                    INNER JOIN "vulnerability_feedback" ON "vulnerability_feedback"."project_id" = "projects"."id"
                WHERE (vulnerability_feedback.category = (security_scans.scan_type - 1))
                AND "vulnerability_feedback"."feedback_type" = 0
                AND (security_scans.id = security_findings.scan_id)
                AND (vulnerability_feedback.finding_uuid = security_findings.uuid)))
ORDER BY
    "security_findings"."severity" DESC,
    "security_findings"."id" ASC
LIMIT 20 OFFSET 0

https://console.postgres.ai/gitlab/gitlab-production-tunnel-pg12/sessions/14142/commands/49510

Filtering by state(dismissed when FF is on)

SELECT
    "security_findings".*
FROM
    "security_findings"
    INNER JOIN "security_scans" ON "security_findings"."scan_id" = "security_scans"."id"
    INNER JOIN "security_scans" "scans_security_findings" ON "scans_security_findings"."id" = "security_findings"."scan_id"
WHERE
    "security_scans"."pipeline_id" = 728002676
    AND "security_findings"."deduplicated" = TRUE
    AND "security_scans"."latest" = TRUE
    AND "security_scans"."status" = 1
    AND (EXISTS (
            SELECT
                1
            FROM
                "vulnerabilities"
                INNER JOIN "vulnerability_occurrences" ON "vulnerability_occurrences"."vulnerability_id" = "vulnerabilities"."id"
            WHERE
                "vulnerabilities"."state" = 2
                AND (vulnerability_occurrences.uuid = security_findings.uuid::text)))
ORDER BY
    "security_findings"."severity" DESC,
    "security_findings"."id" ASC
LIMIT 20 OFFSET 0

https://console.postgres.ai/gitlab/gitlab-production-tunnel-pg12/sessions/14142/commands/49509

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Edited Dec 23, 2022 by Mehmet Emin INAC

Use `PureFindingsFinder` if available in GraphQL

What does this MR do and why?

Database review

MR acceptance checklist

Merge request reports