
Add OWASP filter to vulnerability report GraphQL APIs

What does this MR do and why?

Adds an owaspTop10 filter to the GraphQL APIs project.vulnerabilitySeveritiesCount and project.vulnerabilities. For the group-level vulnerability report, the filter is disabled behind feature flag #437253 and can be unblocked after closing #432715 (closed).

GraphQL

  1. project.vulnerabilitySeveritiesCount filter:
query {
  project(fullPath: "root/owasp-top-10-grouping-test") {
    vulnerabilitySeveritiesCount(owaspTop10: [A1_2017, A2_2017, A3_2017, A4_2017, A5_2017, A6_2017, A7_2017, A8_2017, A9_2017, A10_2017]) {
      critical
      high
      info
      low
      medium
      unknown
    }
  }
}
  2. project.vulnerabilities filter:
query {
  project(fullPath: "root/owasp-top-10-grouping-test") {
    vulnerabilities(owaspTop10: [A1_2017, A2_2017, A3_2017, A4_2017, A5_2017, A6_2017, A7_2017, A8_2017, A9_2017, A10_2017]) {
      nodes {
        id
        identifiers {
          externalId
          externalType
          name
          url
        }
      }
    }
  }
}

Database

  1. Query to be executed from UI to vulnerabilitySeveritiesCount GraphQL API:
SELECT
    count(*) AS count_all,
    vulnerability_reads.severity AS vulnerability_reads_severity
FROM
    vulnerability_reads
WHERE
    vulnerability_reads.project_id = 278964 AND
    vulnerability_reads.report_type IN ( 6, 2, 5, 3, 1, 0, 4, 99 ) AND
    vulnerability_reads.owasp_top_10 = 4 AND
    vulnerability_reads.resolved_on_default_branch = false
GROUP BY
    vulnerability_reads.severity
ORDER BY
    vulnerability_reads.severity DESC;
  2. Query to be executed from UI to vulnerabilities GraphQL API:
SELECT
    vulnerability_reads.*
FROM
    vulnerability_reads
WHERE
    vulnerability_reads.project_id = 278964 AND
    vulnerability_reads.owasp_top_10 = 13 AND
    vulnerability_reads.report_type IN ( 6, 2, 5, 3, 1, 0, 4, 99 ) AND
    vulnerability_reads.state IN ( 1, 4 ) AND
    vulnerability_reads.resolved_on_default_branch = false
ORDER BY
    vulnerability_reads.severity DESC,
    vulnerability_reads.vulnerability_id DESC
LIMIT 21;

Indexes to support the above queries are already in place, and performance details of these queries are available in !141045 (merged).

Screenshots or screen recordings

1. Screenshot_2024-01-09_at_4.30.22_PM

2. Screenshot_2024-01-09_at_4.31.35_PM

How to set up and validate locally

  1. Import the project https://gitlab.com/bala.kumar/verify-owasp-top-10-grouping into your local instance and run a pipeline for the main branch.
  2. The pipeline creates one vulnerability for each of the owasp_top_10 labels.
  3. Run the above GraphQL queries in GraphiQL; the results should match the screenshots above.
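As an added example (not code from this MR or from GitLab itself), the Ruby script below builds the vulnerabilitySeveritiesCount query shown above for a chosen set of owaspTop10 values, can post it to a local instance's /api/graphql endpoint, and checks the "one vulnerability per label" expectation from the setup steps. The allow-list of enum values is taken from the page's own query; the bearer-token header, the sample responses and the expectation of exactly one finding per category are assumptions for illustration.

```ruby
require 'json'
require 'net/http'
require 'uri'

# The ten enum values accepted by the owaspTop10 filter in this MR's example queries.
OWASP_TOP_10_2017 = %w[A1_2017 A2_2017 A3_2017 A4_2017 A5_2017
                       A6_2017 A7_2017 A8_2017 A9_2017 A10_2017].freeze
SEVERITIES = %w[critical high info low medium unknown].freeze

# Build the project.vulnerabilitySeveritiesCount query for a set of OWASP categories.
# Enum values are interpolated unquoted (GraphQL syntax), so anything outside the known
# set is rejected rather than spliced into the query text.
def severities_count_query(full_path, categories)
  unknown = categories - OWASP_TOP_10_2017
  raise ArgumentError, "unknown owaspTop10 value(s): #{unknown.join(', ')}" unless unknown.empty?

  <<~GRAPHQL
    query {
      project(fullPath: #{full_path.to_json}) {
        vulnerabilitySeveritiesCount(owaspTop10: [#{categories.join(', ')}]) {
          critical high info low medium unknown
        }
      }
    }
  GRAPHQL
end

# Sum the per-severity counts of a decoded response. Raises on GraphQL errors and when
# the project is null (not found, or not visible to the token in use).
def total_vulnerabilities(response)
  errors = response['errors']
  raise "GraphQL errors: #{errors.map { |e| e['message'] }.join('; ')}" if errors && !errors.empty?

  project = response.dig('data', 'project')
  raise 'project not found or not visible to this token' if project.nil?

  counts = project.fetch('vulnerabilitySeveritiesCount')
  SEVERITIES.sum { |sev| counts.fetch(sev, 0) }
end

# Given {category => decoded response}, return the categories whose total is not the
# expected count (one per label after the verify-owasp-top-10-grouping pipeline ran).
def categories_off_by_expectation(responses, expected: 1)
  responses.reject { |_cat, resp| total_vulnerabilities(resp) == expected }.keys
end

# Constructed sample responses (not captured from a real instance): A1_2017 has one high
# finding, A2_2017 has none, so only A2_2017 should be flagged.
SAMPLE_RESPONSES = {
  'A1_2017' => { 'data' => { 'project' => { 'vulnerabilitySeveritiesCount' =>
    { 'critical' => 0, 'high' => 1, 'info' => 0, 'low' => 0, 'medium' => 0, 'unknown' => 0 } } } },
  'A2_2017' => { 'data' => { 'project' => { 'vulnerabilitySeveritiesCount' =>
    { 'critical' => 0, 'high' => 0, 'info' => 0, 'low' => 0, 'medium' => 0, 'unknown' => 0 } } } }
}.freeze

# POST a query to an instance's GraphQL endpoint using a personal access token
# (assumed: Authorization: Bearer header, e.g. base_url = "http://gdk.test:3000").
def post_graphql(base_url, token, query)
  uri = URI.join(base_url, '/api/graphql')
  req = Net::HTTP::Post.new(uri, 'Content-Type' => 'application/json',
                                 'Authorization' => "Bearer #{token}")
  req.body = { query: query }.to_json
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |http| http.request(req) }
  JSON.parse(res.body)
end

if $PROGRAM_NAME == __FILE__
  puts severities_count_query('root/owasp-top-10-grouping-test', OWASP_TOP_10_2017)
  puts "categories without exactly one finding: #{categories_off_by_expectation(SAMPLE_RESPONSES).inspect}"
end
```

To run it against a local instance, call post_graphql once per category with severities_count_query(path, [cat]) and feed the resulting hash into categories_off_by_expectation; an empty array confirms that every OWASP label has exactly one finding, as step 2 expects.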

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #432618 (closed)

Edited by Brian Williams
