
Update the GraphQL Query owasp top 10 filter

What does this MR do and why?

Adds a NONE filter value to the GraphQL argument owasp_top_ten for the fields

This GraphQL API addition will be used by the frontend issue to show the Non-OWASP Top 10 category, as per the design here.

Database

Project level report: Uses the same Index that we already created in !141045 (merged) which the other owasp_top_10 (not null) values use.

  1. Query executed by the project-level report UI against the vulnerabilitySeveritiesCount GraphQL API:
SELECT
    count(*) AS count_all,
    vulnerability_reads.severity AS vulnerability_reads_severity
FROM
    vulnerability_reads
WHERE
    vulnerability_reads.project_id = 27038823 AND
    vulnerability_reads.report_type IN ( 6, 2, 5, 3, 1, 0, 4, 99 ) AND
    vulnerability_reads.owasp_top_10 is NULL AND
    vulnerability_reads.resolved_on_default_branch = false
GROUP BY
    vulnerability_reads.severity
ORDER BY
    vulnerability_reads.severity DESC;

DB Lab: https://console.postgres.ai/gitlab/gitlab-production-main/sessions/28296/commands/88323

  2. Query executed by the project-level report UI against the vulnerabilities GraphQL API:
SELECT
    vulnerability_reads.*
FROM
    vulnerability_reads
WHERE
    vulnerability_reads.project_id = 27038823 AND
    vulnerability_reads.owasp_top_10 is NULL AND
    vulnerability_reads.report_type IN ( 6, 2, 5, 3, 1, 0, 4, 99 ) AND
    vulnerability_reads.state IN ( 1, 4 ) AND
    vulnerability_reads.resolved_on_default_branch = false
ORDER BY
    vulnerability_reads.severity DESC,
    vulnerability_reads.vulnerability_id DESC
LIMIT 101;

DB Lab: https://console.postgres.ai/gitlab/gitlab-production-main/sessions/28296/commands/88325

Group level report:

The vulnerability_owasp_top_10_group feature flag is currently disabled, and index creation for it is tracked in #458454. Query performance for the group-level report will be in the scope of the index creation issue; I have included a note in that issue's description.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

[Screenshots of the vulnerabilities and vulnerabilitySeveritiesCount query results, including the validation errors, are attached to the merge request; images not included here.]

How to set up and validate locally

  1. Import the project into your local instance: https://gitlab.com/gitlab-org/govern/threat-insights-demos/verification-projects/verify-owasp-top-10-grouping
  2. Run the pipeline on the master branch of the imported project, which will populate the vulnerabilities.
  3. Open the GraphiQL explorer and run the queries below to validate.
  4. vulnerabilities: should return 1 vulnerability with uuid 461abacb-cb2b-4d5d-9c0b-636b10bb7f59
query {
  project(fullPath: "<project_path>") {
    vulnerabilities(owaspTopTen: [NONE]) {
      nodes {
        id
        severity
        uuid
      }
    }
  }
}
  5. vulnerabilitySeveritiesCount: should return 1 low-severity vulnerability.
query {
  project(fullPath: "<project_path>") {
    vulnerabilitySeveritiesCount(owaspTopTen: [NONE]) {
      critical
      high
      info
      low
      medium
      unknown
    }
  }
}
  6. Changing the argument to owaspTopTen: [NONE, A1_2017] should produce validation errors, as shown in the screenshots above.
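The two behaviours this MR relies on, NONE mapping onto an owasp_top_10 IS NULL predicate (Database section) and NONE being rejected when combined with a real category (step 6), as an added illustration that is not GitLab's own code. The enum-to-integer mapping, the method names and the error class are assumptions for this example only.

```ruby
# Added example, not GitLab code: maps the GraphQL owaspTopTen argument
# onto a predicate over vulnerability_reads.owasp_top_10 and validates it.

# Constructed mapping of GraphQL enum values to stored integers (assumed).
# NONE has no stored value: it stands for rows where owasp_top_10 IS NULL.
OWASP_TOP_10_ENUM = {
  'NONE'    => nil,
  'A1_2017' => 1,
  'A2_2017' => 2
}.freeze

class ArgumentValidationError < StandardError; end

# NONE is exclusive: it cannot be combined with any real category, which is
# the validation error step 6 expects for [NONE, A1_2017].
def validate_owasp_top_ten!(values)
  values = Array(values)
  raise ArgumentValidationError, 'owaspTopTen must not be empty' if values.empty?

  unknown = values.reject { |v| OWASP_TOP_10_ENUM.key?(v) }
  raise ArgumentValidationError, "unknown value(s): #{unknown.join(', ')}" unless unknown.empty?

  if values.include?('NONE') && values.size > 1
    raise ArgumentValidationError, 'NONE cannot be combined with other owaspTopTen values'
  end

  values
end

# NONE becomes an IS NULL test (the non-OWASP category, as in the queries
# above); any other set of values becomes an IN list of stored integers.
def owasp_top_10_predicate(values)
  values = validate_owasp_top_ten!(values)
  return 'vulnerability_reads.owasp_top_10 IS NULL' if values == ['NONE']

  ids = values.map { |v| OWASP_TOP_10_ENUM.fetch(v) }.sort
  "vulnerability_reads.owasp_top_10 IN (#{ids.join(', ')})"
end

if __FILE__ == $PROGRAM_NAME
  puts owasp_top_10_predicate(['NONE'])
  puts owasp_top_10_predicate(%w[A1_2017 A2_2017])
  begin
    owasp_top_10_predicate(%w[NONE A1_2017])
  rescue ArgumentValidationError => e
    puts "validation error: #{e.message}"
  end
end
```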

Related to #442526 (closed)

Edited by Bala Kumar
