
Draft: [PoC only] Add vulnerabilities to dependencies

Zamir Martins requested to merge add_vulnerabilities_to_dependencies into master

What does this MR do and why?

Add vulnerabilities to dependencies. POC only.

Related issue: #422258 (closed)

Some of the missing changes:

  • app/graphql/gitlab_schema.rb to_global_id will have to be added unless another type is used.
  • this code isn't DRY
  • this code doesn't have specs
  • FF related code hasn't been included
  • DB indices have not been included

Screenshots or screen recordings


Before: Screenshot_2023-09-15_at_19.29.32
After: Screenshot_2023-09-15_at_18.33.08

GraphQL

query {
  project(fullPath:"sbom-group/nested-group/another-group"){
    dependencies(sort: NAME_ASC, componentNames: ["git"]) {
      nodes{
        name
        packager
        version
        vulnerabilities{
          id
          url
          name
          severity
        }
      }
    }
  }
}

{
  "data": {
    "project": {
      "dependencies": {
        "nodes": [
          {
            "name": "git",
            "packager": "BUNDLER",
            "version": "1.11.0",
            "vulnerabilities": [
              {
                "id": "558",
                "url": "http://gdk.test:3000/sbom-group/nested-group/another-group/-/security/vulnerabilities/558",
                "name": "Improper Control of Generation of Code ('Code Injection')",
                "severity": "high"
              },
              {
                "id": "560",
                "url": "http://gdk.test:3000/sbom-group/nested-group/another-group/-/security/vulnerabilities/560",
                "name": "Improper Control of Generation of Code ('Code Injection')",
                "severity": "high"
              }
            ]
          },
          {
            "name": "git",
            "packager": "BUNDLER",
            "version": "1.11.0",
            "vulnerabilities": [
              {
                "id": "1150",
                "url": "http://gdk.test:3000/sbom-group/nested-group/another-group/-/security/vulnerabilities/1150",
                "name": "Improper Control of Generation of Code ('Code Injection')",
                "severity": "high"
              },
              {
                "id": "1151",
                "url": "http://gdk.test:3000/sbom-group/nested-group/another-group/-/security/vulnerabilities/1151",
                "name": "Improper Control of Generation of Code ('Code Injection')",
                "severity": "high"
              }
            ]
          }
        ]
      }
    }
  }
}


Edited by Zamir Martins
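The sample response above reports the same `git 1.11.0` (BUNDLER) dependency twice, each node carrying its own pair of findings, so anything consuming this field has to collapse nodes onto a (name, packager, version) key and union the vulnerability ids before counting or ranking. The script below is an added example of such a consumer; it is not code from the merge request or from GitLab. The response body is constructed inline to mirror the one in the description, the query is the one shown above with the project path moved into a `$fullPath: ID!` variable, and the severity ordering is an assumption for ranking findings, not GitLab's enum.

```python
"""Summarise dependency vulnerabilities from a GitLab GraphQL response.

Added example (not part of the MR). The sample response is constructed to
mirror the PoC output shown in the MR description.
"""
import json

# Assumed ordering used to pick the worst finding per dependency.
SEVERITY_RANK = {"unknown": 0, "info": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}

# Query from the MR description; the project path is a GraphQL variable
# rather than string-interpolated into the query text.
DEPENDENCY_VULNS_QUERY = """
query ($fullPath: ID!) {
  project(fullPath: $fullPath) {
    dependencies(sort: NAME_ASC, componentNames: ["git"]) {
      nodes {
        name
        packager
        version
        vulnerabilities { id url name severity }
      }
    }
  }
}
"""


def build_request_body(full_path: str) -> dict:
    """JSON body to POST to <instance>/api/graphql (the token goes in a header)."""
    return {"query": DEPENDENCY_VULNS_QUERY, "variables": {"fullPath": full_path}}


def _vuln(vid: str) -> dict:
    # Constructed finding in the shape returned by the PoC.
    return {
        "id": vid,
        "url": f"http://gdk.test:3000/sbom-group/nested-group/another-group/-/security/vulnerabilities/{vid}",
        "name": "Improper Control of Generation of Code ('Code Injection')",
        "severity": "high",
    }


# Constructed sample: the same dependency appears twice, two findings per node.
SAMPLE_RESPONSE = json.dumps({"data": {"project": {"dependencies": {"nodes": [
    {"name": "git", "packager": "BUNDLER", "version": "1.11.0",
     "vulnerabilities": [_vuln("558"), _vuln("560")]},
    {"name": "git", "packager": "BUNDLER", "version": "1.11.0",
     "vulnerabilities": [_vuln("1150"), _vuln("1151")]},
]}}}})


def summarise_dependencies(response_json: str) -> dict:
    """Collapse nodes onto (name, packager, version), union findings by id,
    and keep the worst severity seen for each dependency."""
    payload = json.loads(response_json)
    if payload.get("errors"):
        raise ValueError(f"GraphQL errors: {payload['errors']}")
    project = payload.get("data", {}).get("project")
    if project is None:  # unknown path or token lacks access: GitLab returns null
        raise ValueError("project not found or not accessible")
    summary: dict = {}
    for node in project["dependencies"]["nodes"]:
        key = (node["name"], node["packager"], node["version"])
        entry = summary.setdefault(key, {"vulnerabilities": {}, "max_severity": "unknown"})
        for vuln in node.get("vulnerabilities") or []:
            entry["vulnerabilities"][vuln["id"]] = vuln  # de-duplicates by id
            sev = (vuln.get("severity") or "unknown").lower()
            if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK[entry["max_severity"]]:
                entry["max_severity"] = sev
    return summary


def dependencies_at_or_above(summary: dict, threshold: str = "high") -> list:
    """Keys of dependencies whose worst finding meets the threshold, worst first."""
    floor = SEVERITY_RANK[threshold]
    hits = [(k, v["max_severity"]) for k, v in summary.items()
            if SEVERITY_RANK[v["max_severity"]] >= floor]
    hits.sort(key=lambda kv: (-SEVERITY_RANK[kv[1]], kv[0]))
    return [k for k, _ in hits]


if __name__ == "__main__":
    for (name, packager, version), entry in summarise_dependencies(SAMPLE_RESPONSE).items():
        print(f"{name} {version} ({packager}): {len(entry['vulnerabilities'])} findings, "
              f"worst {entry['max_severity']}")
```

Run against the constructed sample this yields one dependency with four distinct findings, worst severity high; a live run would post `build_request_body(...)` to the instance's `/api/graphql` endpoint with a read-only token in the request header and feed the response text to `summarise_dependencies`.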
