
Draft: Include `dismissed` by default for `Pipeline.securityReportFindings`

What does this MR do and why?

The existing behavior of the `Pipeline.securityReportFindings` GraphQL query is to return only non-dismissed vulnerabilities.

We now want to include ALL vulnerabilities, regardless of state. To get a response that excludes dismissed vulnerabilities, you will now need to filter explicitly on `state`, with a query something like:

query VulnerabilityFindings {
  project(fullPath: "path/to/project") {
    pipeline(iid: 1) {
      securityReportFindings(state: [DETECTED, CONFIRMED, RESOLVED]) {
        nodes {
          description
          state
        }
      }
    }
  }
}
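Added here as an illustration of the consumer-side impact (not code from this MR): a small client helper and a pipeline gate that counts only explicitly listed states, so a naive "any finding fails the build" gate does not start failing on dismissed findings once they are returned by default. The response sample is constructed; the endpoint URL and token are assumptions.

```python
import json
import urllib.request

# Constructed sample of the response shape for Pipeline.securityReportFindings.
# After this change, DISMISSED findings appear in the default (unfiltered) result.
SAMPLE_RESPONSE = {
    "data": {"project": {"pipeline": {"securityReportFindings": {"nodes": [
        {"description": "Password in URL (gitlab.com)", "state": "DETECTED"},
        {"description": "Password in URL (github.com)", "state": "DISMISSED"},
        {"description": "Hard-coded API key", "state": "CONFIRMED"},
    ]}}}}
}

ACTIONABLE_STATES = ("DETECTED", "CONFIRMED")  # states a merge gate should count


def build_query(full_path, iid, states=None):
    """Return the query text; pass states to exclude DISMISSED explicitly."""
    arg = "" if states is None else f"(state: [{', '.join(states)}])"
    return (
        "query VulnerabilityFindings {\n"
        f'  project(fullPath: "{full_path}") {{\n'
        f"    pipeline(iid: {iid}) {{\n"
        f"      securityReportFindings{arg} {{\n"
        "        nodes { description state }\n"
        "      }\n    }\n  }\n}\n"
    )


def count_findings(response, states=ACTIONABLE_STATES):
    """Tally findings by state and count those in the listed states."""
    nodes = response["data"]["project"]["pipeline"]["securityReportFindings"]["nodes"]
    by_state = {}
    for node in nodes:
        by_state[node["state"]] = by_state.get(node["state"], 0) + 1
    actionable = sum(by_state.get(s, 0) for s in states)
    return by_state, actionable


def gate_passes(response, states=ACTIONABLE_STATES):
    """Pipeline gate: fail only on findings in the explicitly listed states."""
    _, actionable = count_findings(response, states)
    return actionable == 0


def fetch_findings(graphql_url, token, full_path, iid, states=None):
    """Live call against a GitLab GraphQL endpoint (assumed URL/token; not run here)."""
    body = json.dumps({"query": build_query(full_path, iid, states)}).encode()
    req = urllib.request.Request(graphql_url, data=body, method="POST", headers={
        "Content-Type": "application/json", "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```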

resolves: #422542 (closed)

Changelog: changed
EE: true

Screenshots or screen recordings

Before and After screenshots (images not captured in this copy)

How to set up and validate locally

  1. Create a new project.
  2. Add a README.md file with the following content:
    https://username:password@gitlab.com/test-group/project.git
    https://username:password@github.com/test-group/project.git
  3. Add a .gitlab-ci.yml file with the following content:
    include:
        - template: 'Jobs/Secret-Detection.latest.gitlab-ci.yml'
  4. Run a pipeline.
  5. Visit the project Vulnerability report page.
  6. Change the status of one of the vulnerabilities to Dismissed.
  7. Visit the /-/graphql-explorer.
  8. Execute a query like:
    query VulnerabilityFindings {
      project(fullPath: "gitlab-org/vuln-bug") {
        pipeline(iid: 3) {
          securityReportFindings {
            nodes {
              description
              state
            }
          }
        }
      }
    }
  9. You should see the dismissed vulnerability in the response.
  10. Execute a query like:
    query VulnerabilityFindings {
      project(fullPath: "gitlab-org/vuln-bug") {
        pipeline(iid: 3) {
          securityReportFindings(state: [DETECTED, CONFIRMED, RESOLVED]) {
            nodes {
              description
              state
            }
          }
        }
      }
    }
  11. The dismissed vulnerability should be excluded from the response.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Michael Becker
