Update the GraphQL Query owasp top 10 filter
What does this MR do and why?
Adds a `none` filter value to the GraphQL argument `owasp_top_ten` for the fields
- `Project.vulnerabilities` / `Group.vulnerabilities` and
- `Project.vulnerabilitySeveritiesCount` / `Group.vulnerabilitySeveritiesCount`
This GraphQL API addition will be used by the frontend issue to show the Non-OWASP Top 10 category as per the design here.
Database
Project level report:
Uses the same index we already created in !141045 (merged), which the other (not null) `owasp_top_10` values use.
- Query executed when the project level report UI calls the `vulnerabilitySeveritiesCount` GraphQL API:

```sql
SELECT
  count(*) AS count_all,
  vulnerability_reads.severity AS vulnerability_reads_severity
FROM
  vulnerability_reads
WHERE
  vulnerability_reads.project_id = 27038823 AND
  vulnerability_reads.report_type IN ( 6, 2, 5, 3, 1, 0, 4, 99 ) AND
  vulnerability_reads.owasp_top_10 IS NULL AND
  vulnerability_reads.resolved_on_default_branch = false
GROUP BY
  vulnerability_reads.severity
ORDER BY
  vulnerability_reads.severity DESC;
```

DB Lab: https://console.postgres.ai/gitlab/gitlab-production-main/sessions/28296/commands/88323
- Query executed when the project level report UI calls the `vulnerabilities` GraphQL API:

```sql
SELECT
  vulnerability_reads.*
FROM
  vulnerability_reads
WHERE
  vulnerability_reads.project_id = 27038823 AND
  vulnerability_reads.owasp_top_10 IS NULL AND
  vulnerability_reads.report_type IN ( 6, 2, 5, 3, 1, 0, 4, 99 ) AND
  vulnerability_reads.state IN ( 1, 4 ) AND
  vulnerability_reads.resolved_on_default_branch = false
ORDER BY
  vulnerability_reads.severity DESC,
  vulnerability_reads.vulnerability_id DESC
LIMIT 101;
```

DB Lab: https://console.postgres.ai/gitlab/gitlab-production-main/sessions/28296/commands/88325
Group level report:
The `vulnerability_owasp_top_10_group` feature flag is currently disabled, and index creation for it is tracked in #458454. Query performance for the group level report will be in the scope of that index creation issue; I have included a note in that issue's description.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
Screenshots of the `vulnerabilities` and `vulnerabilitySeveritiesCount` query results (images not included).
How to set up and validate locally
- Import the project https://gitlab.com/gitlab-org/govern/threat-insights-demos/verification-projects/verify-owasp-top-10-grouping into your local instance.
- Run the pipeline on the master branch of the imported project; this populates the vulnerabilities.
- Open the GraphiQL explorer and run the queries below to validate.
- `vulnerabilities`: should return 1 vulnerability, with uuid `461abacb-cb2b-4d5d-9c0b-636b10bb7f59`.

```graphql
query {
  project(fullPath: "<project_path>") {
    vulnerabilities(owaspTopTen: [NONE]) {
      nodes {
        id
        severity
        uuid
      }
    }
  }
}
```

- `vulnerabilitySeveritiesCount`: should return 1 low severity vulnerability.

```graphql
query {
  project(fullPath: "<project_path>") {
    vulnerabilitySeveritiesCount(owaspTopTen: [NONE]) {
      critical
      high
      info
      low
      medium
      unknown
    }
  }
}
```

- Changing the argument to `owaspTopTen: [NONE, A1_2017]` should give validation errors, as shown in the screenshots above.
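The filter semantics this MR adds, as an added example that is not GitLab's own code: a hypothetical Ruby model of how `NONE` in `owaspTopTen` becomes the `owasp_top_10 IS NULL` predicate used in the queries above, and why `[NONE, A1_2017]` is rejected with a validation error. The enum-to-column encodings, error messages and sample rows are assumptions constructed for the example.

```ruby
# Added example (not GitLab's code): NONE in owaspTopTen -> owasp_top_10 IS NULL.
# GraphQL enum name => value stored in vulnerability_reads.owasp_top_10;
# nil marks rows that belong to no OWASP Top 10 category (encodings assumed).
OWASP_TOP_TEN = {
  'NONE'    => nil,
  'A1_2017' => 1, # assumed encoding for A1:2017 Injection
  'A2_2017' => 2  # assumed encoding for A2:2017 Broken Authentication
}.freeze

NULL_PREDICATE = 'vulnerability_reads.owasp_top_10 IS NULL'.freeze

class OwaspFilterError < ArgumentError; end

# Validates the argument and returns [sql_fragment, bind_values], or nil when
# the argument was omitted (no filtering on this column).
def owasp_top_ten_predicate(names)
  return nil if names.nil? || names.empty?
  unknown = names.reject { |n| OWASP_TOP_TEN.key?(n) }
  raise OwaspFilterError, "unknown owaspTopTen value(s): #{unknown.join(', ')}" unless unknown.empty?

  if names.include?('NONE')
    # NONE selects uncategorised rows; the MR rejects mixing it with categories.
    raise OwaspFilterError, 'NONE cannot be combined with other owaspTopTen values' if names.size > 1
    return [NULL_PREDICATE, []]
  end

  codes = names.map { |n| OWASP_TOP_TEN[n] }.uniq
  ["vulnerability_reads.owasp_top_10 IN (#{(['?'] * codes.size).join(', ')})", codes]
end

# Applies the predicate to in-memory rows standing in for vulnerability_reads.
def filter_rows(rows, names)
  sql, codes = owasp_top_ten_predicate(names)
  return rows if sql.nil?
  return rows.select { |r| r[:owasp_top_10].nil? } if sql == NULL_PREDICATE
  rows.select { |r| codes.include?(r[:owasp_top_10]) }
end

# Mirrors vulnerabilitySeveritiesCount: number of filtered rows per severity.
def severity_counts(rows, names)
  filter_rows(rows, names).group_by { |r| r[:severity] }.transform_values(&:size)
end

# Constructed sample rows: only u-1 falls outside every OWASP Top 10 category.
SAMPLE_ROWS = [
  { uuid: 'u-1', severity: 'low',    owasp_top_10: nil },
  { uuid: 'u-2', severity: 'high',   owasp_top_10: 1 },
  { uuid: 'u-3', severity: 'medium', owasp_top_10: 2 }
].freeze
```

Running `severity_counts(SAMPLE_ROWS, ['NONE'])` reproduces the expected local result of one low severity vulnerability, and `owasp_top_ten_predicate(%w[NONE A1_2017])` raises the validation error.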
Related to #442526 (closed)