
GraphQL query for component dependency path

What does this MR do and why?

We currently have no way to expose an ancestor dependency path for a component. This MR introduces a GraphQL query to retrieve this information at the Project level for a given component.

Query explain plan ("worst case"): https://console.postgres.ai/gitlab/gitlab-production-main/sessions/36595/commands/112823

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshot 2025-02-24 at 11.23.42.png

How to set up and validate locally

  • In rails console: Feature.enable(:dependency_graph_graphql)
  • Ensure you have a project in your GDK that has completed a successful dependency scan.
    • This scanner must populate the "dependsOn" fields in the CycloneDX format.
    • You can use this report to get examples with cyclic and non-cyclic paths: dependency-scanning.json
  • Create a .gitlab-ci.yml stub job to import this report:

    gemnasium-dependency_scanning:
      script:
        - echo NOOP
      artifacts:
        reports:
          cyclonedx: path/to/dependency-scanning.json
  • Navigate to gdk.test:3000/-/graphql-explorer

  • Run the following query to find the relevant Component IDs

    query projectQuery {
      project(fullPath: "gitlab/security") {
        components {
          name
          id
        }
      }
    }
  • Run the following query (changing ID values as appropriate for your project).

    query projectQuery {
      project(fullPath: "gitlab/security") {
        dependencyPaths(component: "gid://gitlab/Sbom::Component/1100" ) {
          path {
            name,
            version
          },
          isCyclic,
          maxDepthReached
        }
      }
    }

The following components are good to test:

  1. @babel/core - the tree is large.
  2. @gitlab/ryan-a - cyclic.
  3. @gitlab/ryan-e - mix of cyclic and non-cyclic.
Edited by Lucas Charles
