
Update FindingType to include location and identifiers fields

What does this MR do and why?

This merge request updates Types::Security::FindingReportsComparer::FindingType to include two fields:

  • location
  • identifiers

Both fields are to be used by the frontend to display details of a detected vulnerability as per the current design (see mockup).

Please note that the fields are only returned when the feature flag sast_reports_in_inline_diff is enabled. The flag was used previously for a related feature that didn't see the light as a result of a redesign. It was agreed that the flag would be used for any backend changes created to support inclusion of SAST findings in the MR changes tab; it has a corresponding rollout issue, but is unlikely to be rolled out until #418831 (closed) is finished and the rest of iteration 1 is done.

Resolves #418832 (closed).

How to set up and validate locally

  • Enable SAST in one of the projects you have.
  • Create a merge request with some vulnerable code, e.g. add vuln.escapeMarkup = false; in a JavaScript file.
  • Wait until the SAST report is generated.
  • Try to load the merge request security reports via GraphQL using the query below in graphql-explorer:
query getMRSecurityReport {
  project(fullPath: "PROJECT_FULL_PATH") {
    mergeRequest(iid: "MERGE_REQUEST_ID") {
      title
      hasSecurityReports
      findingReportsComparer(reportType: SAST) {
        status
        report {
          headReportCreatedAt
          baseReportCreatedAt
          baseReportOutOfDate
          added {
            uuid
            title
            description
            state
            severity
            foundByPipelineIid
            location {
              ... on VulnerabilityLocationSast {
                file
                startLine
                endLine
                vulnerableClass
                vulnerableMethod
                blobPath
              }
            }
            identifiers
          }
          fixed {
            uuid
            title
            description
            state
            severity
            foundByPipelineIid
            location {
              ... on VulnerabilityLocationSast {
                file
                startLine
                endLine
                vulnerableClass
                vulnerableMethod
                blobPath
              }
            }
            identifiers
          }
        }
      }
    }
  }
}

Do not forget to replace MERGE_REQUEST_ID with the merge request iid, and PROJECT_FULL_PATH with the :namespace/:project path of your project.

  • Both fields will return null while the feature flag is disabled.
  • Enable the feature flag in the Rails console:
Feature.enable(:sast_reports_in_inline_diff)
  • Restart your GDK and repeat the above GraphQL query. The response should now include populated location and identifiers.
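The validation steps above are done by hand in graphql-explorer. As an added example (not part of this MR or of GitLab's code), the Ruby script below builds the same request with GraphQL variables instead of editing the query text, and summarises the response so that a null location or identifiers (the flag-disabled case) is reported rather than crashing the consumer. The response is a constructed sample in the shape the query above returns; the identifier shape (hashes with name/externalType/externalId), the variable types ($fullPath: ID!, $iid: String!) and the severity/status values are assumptions to check against your instance's schema.

```ruby
# Added example, not GitLab's code: request builder plus a response summariser
# for the findingReportsComparer query from the MR description.
require 'json'

# Same selection as the MR description's query, trimmed to the fields the
# summary needs, with the placeholders turned into GraphQL variables
# (argument types assumed from GitLab's public schema).
MR_SECURITY_REPORT_QUERY = <<~GRAPHQL
  query getMRSecurityReport($fullPath: ID!, $iid: String!) {
    project(fullPath: $fullPath) {
      mergeRequest(iid: $iid) {
        title
        hasSecurityReports
        findingReportsComparer(reportType: SAST) {
          status
          report {
            added {
              uuid
              title
              severity
              location {
                ... on VulnerabilityLocationSast { file startLine endLine }
              }
              identifiers
            }
          }
        }
      }
    }
  }
GRAPHQL

# JSON body for POST /api/graphql; the iid is sent as a string because the
# mergeRequest(iid:) argument is a String in the schema.
def build_request_body(full_path, mr_iid)
  JSON.generate({ query: MR_SECURITY_REPORT_QUERY,
                  variables: { fullPath: full_path, iid: mr_iid.to_s } })
end

# Constructed sample response: the first finding is what the flag-enabled
# response looks like, the second is the flag-disabled case (both fields null).
SAMPLE_RESPONSE = <<~JSON
  {"data": {"project": {"mergeRequest": {
    "title": "Add escapeMarkup toggle", "hasSecurityReports": true,
    "findingReportsComparer": {"status": "PARSED", "report": {"added": [
      {"uuid": "11111111-1111-1111-1111-111111111111",
       "title": "Cross-site scripting", "severity": "HIGH",
       "location": {"file": "src/app.js", "startLine": 12, "endLine": 12},
       "identifiers": [{"externalType": "cwe", "externalId": "79", "name": "CWE-79"}]},
      {"uuid": "22222222-2222-2222-2222-222222222222",
       "title": "Cross-site scripting", "severity": "HIGH",
       "location": null, "identifiers": null}
    ]}}}}}}
JSON

# One row per added finding. A null location or identifiers list is reported
# explicitly so a reviewer can tell "flag off" apart from "nothing found".
def summarize_added_findings(response_json)
  data = JSON.parse(response_json)
  report = data.dig('data', 'project', 'mergeRequest', 'findingReportsComparer', 'report')
  return [] unless report

  Array(report['added']).map do |finding|
    loc = finding['location']
    ids = finding['identifiers']
    {
      uuid: finding['uuid'],
      title: finding['title'],
      severity: finding['severity'],
      where: loc ? "#{loc['file']}:#{loc['startLine']}" : 'unknown (location null; check sast_reports_in_inline_diff)',
      identifiers: ids ? ids.map { |i| i.is_a?(Hash) ? i['name'] : i.to_s } : []
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts build_request_body('group/project', 42)
  summarize_added_findings(SAMPLE_RESPONSE).each { |row| puts row.inspect }
end
```

To run it against a real instance, POST the body from build_request_body to /api/graphql with a PRIVATE-TOKEN header and pass the response body to summarize_added_findings; the summary's "unknown" rows are the signal that the flag is still disabled for that instance.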

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Ahmed Hemdan
