
Draft: Short circuit vulns resolver when unavailable

What does this MR do and why?

This change modifies Resolvers::VulnerabilitiesResolver to short circuit with an empty result if the :security_dashboard feature is unavailable.

This fixes an edge case where the GQL endpoint returns hasNextPage: true in the pagination data, but returns an empty result set.

This can occur on a project that previously had this licensed feature available, and has vulnerabilities, but the licensed feature is now turned off. This happens because the resolver loads the vulnerabilities, but they are all subsequently redacted. The check for hasNextPage happens independently of the redaction.

How to set up and validate locally

Your installation will need to have some vulnerabilities present.

Apply the following patch to simulate the :security_dashboard licensed feature being unavailable:

diff --git a/ee/app/models/license.rb b/ee/app/models/license.rb
index 94b48382ea09..90287c5e99ea 100644
--- a/ee/app/models/license.rb
+++ b/ee/app/models/license.rb
@@ -75,6 +75,8 @@ def block_changes?
     def feature_available?(feature)
       # Include features available per plan + usage ping features if Usage Pings is enabled
       # as instance setting.
+      return false if feature == :security_dashboard
+
       !!current&.feature_available?(feature) ||
         GitlabSubscriptions::Features.usage_ping_feature?(feature)
     end
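Review bot: The added `return false if feature == :security_dashboard` lands between the explanatory comment and the expression that comment describes in `feature_available?`, and it turns the feature off for every caller of this method, so it should stay a local simulation only and never reach the MR branch. If it is kept around while validating, move it above the comment block so the comment still reads against `!!current&.feature_available?(feature) ||`.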
  1. Run this GraphQL query on master:
{
  vulnerabilities(first: 10) {
    nodes {
      id
      title
    }
    pageInfo {
      endCursor
      hasNextPage
    }
  }
}
  2. You should see the following result. Note that the result set is empty but hasNextPage is true:
{
  "data": {
    "vulnerabilities": {
      "nodes": [],
      "pageInfo": {
        "endCursor": null,
        "hasNextPage": true
      }
    }
  }
}
  3. Switch to this MR branch.
  4. Repeat the query above. You should see the following result with hasNextPage: false
{
  "data": {
    "vulnerabilities": {
      "nodes": [],
      "pageInfo": {
        "endCursor": null,
        "hasNextPage": false
      }
    }
  }
}

Related to #433513

Edited by Malcolm Locke
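
The mismatch described in this MR (pagination data computed independently of redaction) and the short circuit that removes it, as an added Ruby example that is not GitLab's code. `DemoProject`, `paginate`, `resolve_before`, `resolve_after` and `inconsistent_page?` are hypothetical names, and the sample rows are constructed.

```ruby
# Constructed model of the behaviour described in this MR; not GitLab's code.
Vulnerability = Struct.new(:id, :title)

# Hypothetical stand-in for a project with stored vulnerabilities and a
# licence flag for the :security_dashboard feature.
class DemoProject
  attr_reader :vulnerabilities

  def initialize(vulnerabilities, licensed:)
    @vulnerabilities = vulnerabilities
    @licensed = licensed
  end

  def feature_available?(feature)
    feature == :security_dashboard && @licensed
  end
end

# has_next_page is derived from the loaded rows; per-node redaction runs
# afterwards and does not feed back into the pagination data.
def paginate(rows, first:, readable:)
  nodes = rows.first(first).select { |row| readable.call(row) }
  { nodes: nodes,
    page_info: { end_cursor: nodes.last&.id, has_next_page: rows.size > first } }
end

# Before: rows are loaded regardless of the licence, then every node is redacted.
def resolve_before(project, first:)
  allowed = project.feature_available?(:security_dashboard)
  paginate(project.vulnerabilities, first: first, readable: ->(_row) { allowed })
end

# After: short circuit with an empty result when the feature is unavailable.
def resolve_after(project, first:)
  return paginate([], first: first, readable: ->(_row) { true }) unless project.feature_available?(:security_dashboard)

  resolve_before(project, first: first)
end

# Regression check: an empty page must never advertise a next page.
def inconsistent_page?(result)
  result[:nodes].empty? && result[:page_info][:has_next_page]
end

rows = (1..12).map { |i| Vulnerability.new(i, "constructed vulnerability #{i}") }
unlicensed = DemoProject.new(rows, licensed: false)
puts resolve_before(unlicensed, first: 10)[:page_info].inspect
puts resolve_after(unlicensed, first: 10)[:page_info].inspect
```

A check like `inconsistent_page?` also works as a spec assertion on any connection whose nodes are filtered after loading.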
