Update the GraphQL Query owasp top 10 filter

What does this MR do and why?

Adds the none filter value to the GraphQL argument owasp_top_ten for the fields
- Project.vulnerabilities / Group.vulnerabilities and
- Project.vulnerabilitySeveritiesCount / Group.vulnerabilitySeveritiesCount

This GraphQL API addition will be used by the frontend issue to show the "Non-OWASP Top 10" category, as per the design here.
Database

Project level report:
Uses the same index that we already created in !141045 (merged), which the other (not null) owasp_top_10 values use.

- Query to be executed from the Project level report UI to the vulnerabilitySeveritiesCount GraphQL API:

```sql
SELECT
    count(*) AS count_all,
    vulnerability_reads.severity AS vulnerability_reads_severity
FROM
    vulnerability_reads
WHERE
    vulnerability_reads.project_id = 27038823 AND
    vulnerability_reads.report_type IN ( 6, 2, 5, 3, 1, 0, 4, 99 ) AND
    vulnerability_reads.owasp_top_10 IS NULL AND
    vulnerability_reads.resolved_on_default_branch = false
GROUP BY
    vulnerability_reads.severity
ORDER BY
    vulnerability_reads.severity DESC;
```
DB Lab: https://console.postgres.ai/gitlab/gitlab-production-main/sessions/28296/commands/88323
- Query to be executed from the Project level report UI to the vulnerabilities GraphQL API:

```sql
SELECT
    vulnerability_reads.*
FROM
    vulnerability_reads
WHERE
    vulnerability_reads.project_id = 27038823 AND
    vulnerability_reads.owasp_top_10 IS NULL AND
    vulnerability_reads.report_type IN ( 6, 2, 5, 3, 1, 0, 4, 99 ) AND
    vulnerability_reads.state IN ( 1, 4 ) AND
    vulnerability_reads.resolved_on_default_branch = false
ORDER BY
    vulnerability_reads.severity DESC,
    vulnerability_reads.vulnerability_id DESC
LIMIT 101;
```
DB Lab: https://console.postgres.ai/gitlab/gitlab-production-main/sessions/28296/commands/88325
Group level report:
The vulnerability_owasp_top_10_group feature flag is currently disabled, and index creation for it is tracked in #458454 (closed). Query performance for the group level report is in the scope of that index creation issue; a note has been added to its description.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
[Screenshot table: vulnerabilities | vulnerabilitySeveritiesCount (GraphiQL results and validation errors)]
How to set up and validate locally
- Import the project https://gitlab.com/gitlab-org/govern/threat-insights-demos/verification-projects/verify-owasp-top-10-grouping into your local instance.
- Run the pipeline on the master branch of the imported project; this populates the vulnerabilities.
- Open the GraphiQL explorer and run the queries below to validate.
- vulnerabilities: should return 1 vulnerability with uuid 461abacb-cb2b-4d5d-9c0b-636b10bb7f59

```graphql
query {
  project(fullPath: "<project_path>") {
    vulnerabilities(owaspTopTen: [NONE]) {
      nodes {
        id
        severity
        uuid
      }
    }
  }
}
```

- vulnerabilitySeveritiesCount: should return 1 low severity vulnerability.

```graphql
query {
  project(fullPath: "<project_path>") {
    vulnerabilitySeveritiesCount(owaspTopTen: [NONE]) {
      critical
      high
      info
      low
      medium
      unknown
    }
  }
}
```

- Changing the argument to owaspTopTen: [NONE, A1_2017] should give validation errors, as shown in the screenshots above.
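How the NONE value can be translated into the IS NULL predicate of the queries in the Database section and rejected when mixed with a concrete category such as [NONE, A1_2017], as an added Ruby illustration that is not GitLab's own code. The enum-to-integer mapping, the error messages and the sample rows are assumptions.

```ruby
# Assumed mapping of GraphQL enum values to the integer stored in
# vulnerability_reads.owasp_top_10 (placeholder numbers, not GitLab's).
OWASP_TOP_TEN = { 'A1_2017' => 1, 'A2_2017' => 2, 'A3_2017' => 3 }.freeze

class InvalidFilter < StandardError; end

# Validates the argument list: NONE must appear alone and every other value
# must be a known category. Returns the de-duplicated list.
def validate_owasp_values(values)
  values = Array(values).uniq
  raise InvalidFilter, 'owaspTopTen must not be empty' if values.empty?
  if values.include?('NONE') && values.size > 1
    raise InvalidFilter, 'NONE cannot be combined with other OWASP categories'
  end
  unknown = values - ['NONE'] - OWASP_TOP_TEN.keys
  raise InvalidFilter, "unknown OWASP category: #{unknown.join(', ')}" unless unknown.empty?
  values
end

# Returns [sql_fragment, binds]. NONE becomes IS NULL, as in the MR's queries;
# concrete categories become a bound IN list, so nothing user-controlled is
# interpolated into the SQL text.
def owasp_top_10_predicate(values)
  values = validate_owasp_values(values)
  return ['vulnerability_reads.owasp_top_10 IS NULL', []] if values == ['NONE']

  ids = values.map { |v| OWASP_TOP_TEN.fetch(v) }.sort
  ["vulnerability_reads.owasp_top_10 IN (#{(['?'] * ids.size).join(', ')})", ids]
end

# The same semantics applied in memory, so the "1 low severity" result from
# the validation steps can be reproduced without a database.
def severity_counts(rows, values)
  values = validate_owasp_values(values)
  ids = values.map { |v| OWASP_TOP_TEN[v] }
  selected = rows.reject { |r| r[:resolved_on_default_branch] }.select do |r|
    values == ['NONE'] ? r[:owasp_top_10].nil? : ids.include?(r[:owasp_top_10])
  end
  selected.group_by { |r| r[:severity] }.transform_values(&:size)
end

# Constructed sample rows (not real vulnerability data).
SAMPLE_ROWS = [
  { severity: 'low', owasp_top_10: nil, resolved_on_default_branch: false },
  { severity: 'high', owasp_top_10: 1, resolved_on_default_branch: false },
  { severity: 'medium', owasp_top_10: nil, resolved_on_default_branch: true }
].freeze
```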
Related to #442526 (closed)
- Resolved by Gregory Havenga
@ddieulivol Can you look at this one for backend review.