GraphQL query for component dependency path
What does this MR do and why?
We currently have no way to expose an ancestor dependency path for a component. This MR introduces a GraphQL query to retrieve this information at the Project level for a given component.
- Addresses #520564 (closed)
- Contributes to: &16815 (closed)
Query explain plan ("worst case"): https://console.postgres.ai/gitlab/gitlab-production-main/sessions/36595/commands/112823
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
How to set up and validate locally
- In the Rails console, enable the feature flag:
```ruby
Feature.enable(:dependency_graph_graphql)
```
- Ensure you have a project in your GDK that has completed a successful dependency scan.
- The scanner must populate the `dependsOn` fields in the CycloneDX report, since those edges are what the dependency paths are built from.
- You can use this report to get examples with cyclic and non-cyclic paths: dependency-scanning.json
- Create a `.gitlab-ci.yml` stub job to import this report:
```yaml
gemnasium-dependency_scanning:
  script:
    - echo NOOP
  artifacts:
    reports:
      cyclonedx: path/to/dependency-scanning.json
```
- Navigate to gdk.test:3000/-/graphql-explorer
- Run the following query to find the relevant component IDs:
```graphql
query projectQuery {
  project(fullPath: "gitlab/security") {
    components {
      name
      id
    }
  }
}
```
- Run the following query (changing the `fullPath` and component ID values as appropriate for your project):
```graphql
query projectQuery {
  project(fullPath: "gitlab/security") {
    dependencyPaths(component: "gid://gitlab/Sbom::Component/1100") {
      path {
        name
        version
      }
      isCyclic
      maxDepthReached
    }
  }
}
```
The following components are good to test:
- `@babel/core` - the tree is large.
- `@gitlab/ryan-a` - cyclic.
- `@gitlab/ryan-e` - mix of cyclic and non-cyclic.
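To make the three result fields concrete before running the query against a real project, here is an added Ruby example (not code from this MR or from GitLab). It parses a constructed CycloneDX fragment, reverses the `dependsOn` edges, walks them backwards from a component to enumerate its ancestor paths with cycle and depth-limit detection, and builds the `dependencyPaths` query string for a component GID. The path semantics (how a cycle is reported, when the depth limit counts as reached) and the default depth of 20 are assumptions chosen to mirror the field names; the MR's own resolver may differ.

```ruby
require 'json'

# Constructed CycloneDX 1.4 fragment (not the dependency-scanning.json attached
# to the MR). Only bom-ref / name / version and dependencies[].dependsOn are used.
# Edges: e -> a -> b -> c -> a forms a cycle; d -> c is a second, acyclic route into c.
SAMPLE_BOM_JSON = <<~JSON
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
      { "bom-ref": "pkg:npm/a@1.0.0", "name": "a", "version": "1.0.0" },
      { "bom-ref": "pkg:npm/b@2.0.0", "name": "b", "version": "2.0.0" },
      { "bom-ref": "pkg:npm/c@3.0.0", "name": "c", "version": "3.0.0" },
      { "bom-ref": "pkg:npm/d@4.0.0", "name": "d", "version": "4.0.0" },
      { "bom-ref": "pkg:npm/e@5.0.0", "name": "e", "version": "5.0.0" }
    ],
    "dependencies": [
      { "ref": "pkg:npm/e@5.0.0", "dependsOn": ["pkg:npm/a@1.0.0"] },
      { "ref": "pkg:npm/a@1.0.0", "dependsOn": ["pkg:npm/b@2.0.0"] },
      { "ref": "pkg:npm/b@2.0.0", "dependsOn": ["pkg:npm/c@3.0.0"] },
      { "ref": "pkg:npm/c@3.0.0", "dependsOn": ["pkg:npm/a@1.0.0"] },
      { "ref": "pkg:npm/d@4.0.0", "dependsOn": ["pkg:npm/c@3.0.0"] }
    ]
  }
JSON

def load_bom(json_text)
  JSON.parse(json_text)
end

# Reverse the dependsOn edges: child ref => list of refs that depend on it.
def parent_index(bom)
  parents = Hash.new { |h, k| h[k] = [] }
  Array(bom['dependencies']).each do |dep|
    Array(dep['dependsOn']).each { |child| parents[child] << dep['ref'] }
  end
  parents
end

# bom-ref => { name, version }, the shape of the query's path { name version } selection.
def component_index(bom)
  Array(bom['components']).to_h do |c|
    [c['bom-ref'], { 'name' => c['name'], 'version' => c['version'] }]
  end
end

# Enumerate ancestor paths for target_ref, each listed root-first with the target last.
# The semantics are an assumption made to mirror the query's fields:
#   is_cyclic         - an ancestor already on the path was reached again; that ref is
#                       prepended once more so the cycle is visible, and the walk stops
#   max_depth_reached - the path hit max_depth while its head still had parents
def ancestor_paths(bom, target_ref, max_depth: 20)
  parents = parent_index(bom)
  comps   = component_index(bom)
  results = []

  walk = lambda do |path|
    head_parents = parents.fetch(path.first, [])
    if head_parents.empty?
      results << { path: path, is_cyclic: false, max_depth_reached: false }
    elsif path.length >= max_depth
      results << { path: path, is_cyclic: false, max_depth_reached: true }
    else
      head_parents.each do |parent|
        if path.include?(parent)
          results << { path: [parent] + path, is_cyclic: true, max_depth_reached: false }
        else
          walk.call([parent] + path)
        end
      end
    end
  end
  walk.call([target_ref])

  results.map do |r|
    r.merge(path: r[:path].map { |ref| comps.fetch(ref) { { 'name' => ref, 'version' => nil } } })
  end
end

GID_RE = %r{\Agid://gitlab/Sbom::Component/\d+\z}.freeze

# Build the dependencyPaths query from the validation steps for one component GID.
def dependency_paths_query(full_path, component_gid)
  unless component_gid.match?(GID_RE)
    raise ArgumentError, "expected an Sbom::Component GID, got #{component_gid.inspect}"
  end
  <<~GRAPHQL
    query projectQuery {
      project(fullPath: #{full_path.to_json}) {
        dependencyPaths(component: #{component_gid.to_json}) {
          path { name version }
          isCyclic
          maxDepthReached
        }
      }
    }
  GRAPHQL
end

if __FILE__ == $PROGRAM_NAME
  bom = load_bom(SAMPLE_BOM_JSON)
  puts dependency_paths_query('gitlab/security', 'gid://gitlab/Sbom::Component/1100')
  ancestor_paths(bom, 'pkg:npm/c@3.0.0').each do |r|
    chain = r[:path].map { |c| "#{c['name']}@#{c['version']}" }.join(' -> ')
    puts "#{chain}  isCyclic=#{r[:is_cyclic]} maxDepthReached=#{r[:max_depth_reached]}"
  end
end
```

Running it prints three paths into `c`: `e -> a -> b -> c` (clean), `c -> a -> b -> c` (cyclic), and `d -> c` (clean). Calling `ancestor_paths(bom, 'pkg:npm/c@3.0.0', max_depth: 2)` instead truncates the first route to `b -> c` with `max_depth_reached` set, while `d -> c` stays complete because `d` has no parents, which is the distinction the `maxDepthReached` field lets you make when testing a large tree such as `@babel/core`.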
Edited by Lucas Charles