
Backend - Display validity check in MR security modal

What does this MR do and why?

Branched off of !197549 (merged), which adds findingTokenStatus to PipelineSecurityReportFindingType

  • In order to display the Validity Check status on the MR security modal, we need to expose findingTokenStatus on PipelineSecurityReportFindingType, which is what getSecurityReportFinding query uses to render data in the MR modal UI.
  • Currently, we're only running UpdateTokenStatusWorker on default branch pipelines and not MR pipelines. This MR calls UpdateTokenStatusWorker from ScanSecurityReportSecretsWorker to also handle MR findings.
  • However, MR pipelines only produce Security::Finding records, rather than Vulnerability records, because these MR findings are not present in the default branch of the project. Only default branch pipelines produce Vulnerabilities::Findings.
  • findingTokenStatus is tied to Vulnerabilities::Finding, not Security::Finding. So in order to access findingTokenStatus, we need to ensure a corresponding Vulnerabilities::Finding exists and look it up.
  • To do this, we need to run IngestReportService for MR pipelines as well, so there is a Vulnerabilities::Finding for each Security::Finding for the MR security scan. For each newly created Vulnerabilities::Finding, set present_on_default_branch: false so it doesn't show up in the project Vulnerability Report page.
  • Once these Vulnerabilities::Finding records exist, the resolver can return a findingTokenStatus.
  • getSecurityReportFinding query returns PipelineSecurityReportFinding objects, not Vulnerabilities::Finding. So after running ingestion, the frontend still receives PipelineSecurityReportFinding.
  • We therefore have to update FindingTokenStatusResolver to accept either a Vulnerabilities::Finding (from the default branch) or a PipelineSecurityReportFinding (from an MR pipeline). For a PipelineSecurityReportFinding, look up the corresponding Vulnerabilities::Finding (created during ingestion) by uuid, and return the linked token status.
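
The ingestion and resolver flow described in the bullets above, as an added example that is not GitLab's code: plain Ruby structs stand in for Security::Finding, Vulnerabilities::Finding and PipelineSecurityReportFinding, an in-memory hash stands in for the findings table, and the token status values are assumed.

```ruby
# Added example, not GitLab's implementation. In-memory stand-ins for the models the MR
# description names; the real ones are ActiveRecord models behind the GraphQL resolver.
SecurityFinding               = Struct.new(:uuid, keyword_init: true)
PipelineSecurityReportFinding = Struct.new(:uuid, keyword_init: true)
VulnerabilityFinding          = Struct.new(:uuid, :present_on_default_branch, :token_status,
                                           keyword_init: true)

# Stand-in for the Vulnerabilities::Finding table, keyed by uuid (assumed store).
VULNERABILITY_FINDINGS = {}

# Stand-in for IngestReportService: one Vulnerabilities::Finding per Security::Finding.
# MR pipelines pass default_branch: false, so their findings are created with
# present_on_default_branch: false and stay out of the project Vulnerability Report.
def ingest_report(security_findings, default_branch:)
  security_findings.each do |sf|
    VULNERABILITY_FINDINGS[sf.uuid] ||= VulnerabilityFinding.new(
      uuid: sf.uuid, present_on_default_branch: default_branch, token_status: nil
    )
  end
end

# Stand-in for UpdateTokenStatusWorker: records the validity check result on the
# linked Vulnerabilities::Finding. Status values ('active', 'inactive', 'unknown') are assumed.
def update_token_status(uuid, status)
  VULNERABILITY_FINDINGS.fetch(uuid).token_status = status
end

# What the project Vulnerability Report page would list: default-branch findings only.
def vulnerability_report
  VULNERABILITY_FINDINGS.values.select(&:present_on_default_branch)
end

# Stand-in for FindingTokenStatusResolver: accepts a Vulnerabilities::Finding (default
# branch) or a PipelineSecurityReportFinding (MR pipeline). For the latter, the linked
# Vulnerabilities::Finding created at ingestion is looked up by uuid; nil if it is missing.
def resolve_finding_token_status(object)
  finding =
    case object
    when VulnerabilityFinding         then object
    when PipelineSecurityReportFinding then VULNERABILITY_FINDINGS[object.uuid]
    else raise ArgumentError, "unsupported object #{object.class}"
    end
  finding&.token_status
end

if __FILE__ == $PROGRAM_NAME
  ingest_report([SecurityFinding.new(uuid: 'mr-uuid-1')], default_branch: false) # constructed
  update_token_status('mr-uuid-1', 'active')
  puts resolve_finding_token_status(PipelineSecurityReportFinding.new(uuid: 'mr-uuid-1'))
  puts vulnerability_report.size # MR finding is hidden from the report
end
```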

We'll add the frontend graphql fragment and the token validity status badge in this MR: !197546

References

Screenshots or screen recordings


How to set up and validate locally

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Serena Fang
