[graphql] Convert to using the new query interpreter runtime

What does this MR do?

Convert to using the GraphQL - Interpreter

Going straight to the latest, 1.13.12

Related to: #210556 (closed)

Screenshots

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

• I have evaluated the MR acceptance checklist for this MR.

.gitlab/ci/review-apps/dast.gitlab-ci.yml

@@ -5,12 +5,12 @@
   extends:
     - .reports:rules:schedule-dast
   image:
-    name: "registry.gitlab.com/security-products/dast:$DAST_VERSION"
+    name: "${REGISTRY_HOST}/security-products/dast:$DAST_VERSION"
   resource_group: dast_scan
   variables:
     DAST_USERNAME_FIELD: "user[login]"
     DAST_PASSWORD_FIELD: "user[password]"
-    DAST_SUBMIT_FIELD: "commit"
+    DAST_SUBMIT_FIELD: "name:button"
     DAST_FULL_SCAN_ENABLED: "true"
     DAST_VERSION: 2
     GIT_STRATEGY: none
@@ -28,7 +28,7 @@
   needs: ["review-deploy"]
   stage: dast
   # Default job timeout set to 90m and dast rules needs 2h to so that it won't timeout.
-  timeout: 2h
+  timeout: 3h
   # Add retry because of intermittent connection problems. See https://gitlab.com/gitlab-org/gitlab/-/issues/244313
   retry: 1
   artifacts:
@@ -42,149 +42,65 @@
 # DAST scan with a subset of Release scan rules.
 # ZAP rule details can be found at https://www.zaproxy.org/docs/alerts/
 
-# 10019, 10021	Missing security headers
-# 10023, 10024, 10025, 10037 Information Disclosure
-# 10040	Secure Pages Include Mixed Content
-# 10056	X-Debug-Token Information Leak
-# Duration: 14 minutes 20 seconds
-
-dast:secureHeaders-csp-infoLeak:
+dast:anti-clickjacking-header:
   extends:
     - .dast_conf
   variables:
     DAST_USERNAME: "user1"
-    DAST_ONLY_INCLUDE_RULES: "10019,10021,10023,10024,10025,10037,10040,10056"
+    DAST_ONLY_INCLUDE_RULES: "10020"
   script:
     - /analyze
 
-# 90023	XML External Entity Attack
-# Duration: 41 minutes 20 seconds
-# 90019	Server Side Code Injection
-# Duration: 34 minutes 31 seconds
-dast:XXE-SrvSideInj:
+dast:xss-persistant:
   extends:
     - .dast_conf
   variables:
     DAST_USERNAME: "user2"
-    DAST_ONLY_INCLUDE_RULES: "90023,90019"
+    DAST_ONLY_INCLUDE_RULES: "40014"
   script:
     - /analyze
 
-# 0	Directory Browsing
-# 2	Private IP Disclosure
-# 3	Session ID in URL Rewrite
-# 7	Remote File Inclusion
-# Duration: 63 minutes 43 seconds
-# 90034 Cloud Metadata Potentially Exposed
-# Duration: 13 minutes 48 seconds
-# 90022	Application Error Disclosure
-# Duration: 12 minutes 7 seconds
-dast:infoLeak-fileInc-DirBrowsing:
+dast:insecure-http-method:
   extends:
     - .dast_conf
   variables:
     DAST_USERNAME: "user3"
-    DAST_ONLY_INCLUDE_RULES: "0,2,3,7,90034,90022"
+    DAST_ONLY_INCLUDE_RULES: "90028"
   script:
     - /analyze
 
-# 10010	Cookie No HttpOnly Flag
-# 10011	Cookie Without Secure Flag
-# 10017	Cross-Domain JavaScript Source File Inclusion
-# 10029	Cookie Poisoning
-# 90033	Loosely Scoped Cookie
-# 10054	Cookie Without SameSite Attribute
-# Duration: 13 minutes 23 seconds
-dast:insecureCookie:
+dast:server-side-template-inj:
   extends:
     - .dast_conf
   variables:
     DAST_USERNAME: "user4"
-    DAST_ONLY_INCLUDE_RULES: "10010,10011,10017,10029,90033,10054"
+    DAST_ONLY_INCLUDE_RULES: "90035"
   script:
     - /analyze
 
-
-# 20012	Anti-CSRF Tokens Check
-# 10202	Absence of Anti-CSRF Tokens
-# https://gitlab.com/gitlab-com/gl-security/appsec/appsec-team/-/issues/192
-
-# Commented because of lot of FP's
-# dast:csrfTokenCheck:
-#   extends:
-#     - .dast_conf
-#   variables:
-#     DAST_USERNAME: "user6"
-#     DAST_ONLY_INCLUDE_RULES: "20012,10202"
-#   script:
-#     - /analyze
-
-# 10098	Cross-Domain Misconfiguration
-# 10105	Weak Authentication Method
-# 40003	CRLF Injection
-# 40008	Parameter Tampering
-# Duration: 71 minutes 15 seconds
-dast:corsMisconfig-weakauth-crlfInj:
+dast:server-side-template-inj-blind:
   extends:
     - .dast_conf
   variables:
     DAST_USERNAME: "user5"
-    DAST_ONLY_INCLUDE_RULES: "10098,10105,40003,40008"
+    DAST_ONLY_INCLUDE_RULES: "90035"
   script:
     - /analyze
 
-# 20019 External Redirect
-# 20014	HTTP Parameter Pollution
-# Duration: 46 minutes 12 seconds
-dast:extRedirect-paramPollution:
+dast:session-fixation:
   extends:
     - .dast_conf
   variables:
     DAST_USERNAME: "user6"
-    DAST_ONLY_INCLUDE_RULES: "20019,20014"
-  script:
-    - /analyze
-
-# 40022 SQL Injection - PostgreSQL
-# Duration: 53 minutes 59 seconds
-dast:sqlInjection:
-  extends:
-    - .dast_conf
-  variables:
-    DAST_USERNAME: "user7"
-    DAST_ONLY_INCLUDE_RULES: "40022"
-  script:
-    - /analyze
-
-# 40014	Cross Site Scripting (Persistent)
-# Duration: 21 minutes 50 seconds
-dast:xss-persistent:
-  extends:
-    - .dast_conf
-  variables:
-    DAST_USERNAME: "user8"
-    DAST_ONLY_INCLUDE_RULES: "40014"
-  script:
-    - /analyze
-
-# 40012 Cross Site Scripting (Reflected)
-# Duration: 73 minutes 15 seconds
-dast:xss-reflected:
-  extends:
-    - .dast_conf
-  variables:
-    DAST_USERNAME: "user9"
-    DAST_ONLY_INCLUDE_RULES: "40012"
+    DAST_ONLY_INCLUDE_RULES: "40013"
   script:
     - /analyze
 
-# 40013	Session Fixation
-# Duration: 44 minutes 25 seconds
-dast:sessionFixation:
+dast:xss-dombased:
   extends:
     - .dast_conf
   variables:
     DAST_USERNAME: "user10"
-    DAST_ONLY_INCLUDE_RULES: "40013"
+    DAST_ONLY_INCLUDE_RULES: "40026"
   script:
     - /analyze