Add dismissal data to SecurityReportFinding
What does this MR do and why?
This MR adds dismissal data to the PipelineSecurityReportFindingType
used by project.pipeline.securityReportFinding
and project.pipeline.securityReportFindings.
Screenshots or screen recordings
Database
EXPLAIN SELECT "vulnerability_feedback".* FROM "vulnerability_feedback" WHERE
"vulnerability_feedback"."finding_uuid" IN (
'cb3c6229-3d3a-5245-b734-8b6b25d69337', 'a745cfcb-e813-5b61-87c3-5cd84c55cdcc',
'493cf94e-669a-53b8-82c5-44aa3019cd0d', '87e7e525-f406-5317-adb7-e042b65e4f9f',
'c9e40395-72cd-54f5-962f-e1d52c0dffab', 'b369de1c-f9e1-521f-ad7f-0586b6659369')
AND "vulnerability_feedback"."feedback_type" = 0
https://postgres.ai/console/gitlab/gitlab-production-tunnel-pg12/sessions/14794/commands/51714
Time: 36.124 ms
- planning: 2.267 ms
- execution: 33.857 ms
- I/O read: 33.557 ms
- I/O write: 0.000 ms
Shared buffers:
- hits: 12 (~96.00 KiB) from the buffer pool
- reads: 18 (~144.00 KiB) from the OS file cache, including disk I/O
- dirtied: 0
- writes: 0
SELECT "users"."id",
"users"."email",
"users"."encrypted_password",
"users"."reset_password_token",
"users"."reset_password_sent_at",
"users"."remember_created_at",
"users"."sign_in_count",
"users"."current_sign_in_at",
"users"."last_sign_in_at",
"users"."current_sign_in_ip",
"users"."last_sign_in_ip",
"users"."created_at",
"users"."updated_at",
"users"."name",
"users"."admin",
"users"."projects_limit",
"users"."failed_attempts",
"users"."locked_at",
"users"."username",
"users"."can_create_group",
"users"."can_create_team",
"users"."state",
"users"."color_scheme_id",
"users"."password_expires_at",
"users"."created_by_id",
"users"."last_credential_check_at",
"users"."avatar",
"users"."confirmation_token",
"users"."confirmed_at",
"users"."confirmation_sent_at",
"users"."unconfirmed_email",
"users"."hide_no_ssh_key",
"users"."admin_email_unsubscribed_at",
"users"."notification_email",
"users"."hide_no_password",
"users"."password_automatically_set",
"users"."encrypted_otp_secret",
"users"."encrypted_otp_secret_iv",
"users"."encrypted_otp_secret_salt",
"users"."otp_required_for_login",
"users"."otp_backup_codes",
"users"."public_email",
"users"."dashboard",
"users"."project_view",
"users"."consumed_timestep",
"users"."layout",
"users"."hide_project_limit",
"users"."note",
"users"."unlock_token",
"users"."otp_grace_period_started_at",
"users"."external",
"users"."incoming_email_token",
"users"."auditor",
"users"."require_two_factor_authentication_from_group",
"users"."two_factor_grace_period",
"users"."last_activity_on",
"users"."notified_of_own_activity",
"users"."preferred_language",
"users"."email_opted_in",
"users"."email_opted_in_ip",
"users"."email_opted_in_source_id",
"users"."email_opted_in_at",
"users"."theme_id",
"users"."accepted_term_id",
"users"."feed_token",
"users"."private_profile",
"users"."roadmap_layout",
"users"."include_private_contributions",
"users"."commit_email",
"users"."group_view",
"users"."managing_group_id",
"users"."first_name",
"users"."last_name",
"users"."static_object_token",
"users"."role",
"users"."user_type",
"users"."static_object_token_encrypted",
"users"."otp_secret_expires_at",
"users"."onboarding_in_progress"
FROM "users"
WHERE "users"."id" = 4473655
https://postgres.ai/console/gitlab/gitlab-production-tunnel-pg12/sessions/14794/commands/51720
Time: 30.446 ms
- planning: 5.789 ms
- execution: 24.657 ms
- I/O read: 24.339 ms
- I/O write: 0.000 ms
Shared buffers:
- hits: 0 from the buffer pool
- reads: 4 (~32.00 KiB) from the OS file cache, including disk I/O
- dirtied: 1 (~8.00 KiB)
- writes: 0
How to set up and validate locally
- Run a pipeline on a sample project (https://gitlab.com/gitlab-examples/security/security-reports).
- Dismiss one or more vulnerabilities
Test query on dismissed security findings and non-dismissed security findings:
query {
project(fullPath:"<project path>") {
pipeline(iid:"<pipeline iid>") {
securityReportFindings(state: [DISMISSED]) {
nodes {
uuid
dismissedAt
dismissedBy {
name
}
dismissalReason
stateComment
}
}
}
}
}
Test query on non-dismissed security findings:
query {
project(fullPath:"<project path>") {
pipeline(iid:"<pipeline iid>") {
securityReportFindings(state: [DETECTED]) {
nodes {
uuid
dismissedAt
dismissedBy {
name
}
dismissalReason
stateComment
}
}
}
}
}
Test query on a dismissed security finding and a non-dismissed security finding (use previous queries for examples):
query {
project(fullPath:"<project path>") {
pipeline(iid:"<pipeline iid>") {
securityReportFinding(uuid:"<uuid>") {
dismissedAt
dismissedBy {
name
}
dismissalReason
stateComment
}
}
}
}
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Related to #387865 (closed)