Add missing scanner field to findingReportsComparer
What does this MR do and why?
This adds the missing scanner field in findingReportsComparer type to make the vulnerability scanner information available.
Feature flag
Please also note that, all changes in this merge request are behind sast_reports_in_inline_diff feature flag (roll-out issue).
Resolves #430864 (closed).
How to set up and validate locally
- Enable SAST in one of the projects you have.
- Create a merge request with some vulnerable code, e.g. Add
vuln.escapeMarkup = false;in ajavascriptfile. - Wait until the SAST report is generated.
- Try to load the merge request security reports via GraphQL using the query below in graphql-explorer:
query getMRCodequalityAndSecurityReports {
project(fullPath: "PROJECT_FULL_PATH") {
id
mergeRequest(iid: "MERGE_REQUEST_ID") {
id
title
project {
nameWithNamespace
fullPath
}
hasSecurityReports
sastReport: findingReportsComparer(reportType: SAST) {
status
report {
added {
identifiers {
externalId
externalType
name
url
}
uuid
title
location
description
state
severity
scanner {
name
externalId
vendor
}
foundByPipelineIid
location {
... on VulnerabilityLocationSast {
file
startLine
endLine
vulnerableClass
vulnerableMethod
blobPath
}
}
}
}
}
}
}
}Do not forget to replace MERGE_REQUEST_ID with the merge request id, and PROJECT_FULL_PATH with the :namespace/:project path of your project.
- Verify
scannerunderfindingReportsComparerreturns the correct information about the vulnerability scanner.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Edited by Ahmed Hemdan