# Use GraphQL scannerId property for vulnerability report scanner filter

## What does this MR do?
On the vulnerability report, there is a scanner filter dropdown that filters the vulnerability list.

In a previous MR, we categorized the options by vendor -> report type, but it was found in production that adding the vendor -> report type combination to the vulnerabilities GraphQL query caused the request to slow down significantly, to the point that it was consistently timing out.
In #293843 (closed), the backend added a new `scannerId` property to the GraphQL request, which hopefully fixes the performance issue. This MR updates the scanner filter to use the new `scannerId` property to search by scanner, instead of the older method, which used a combination of `reportType` and `scanner`.
Please note that this scanner filter is currently behind the `:custom_security_scanners` feature flag so that we can verify that it works properly on production. The current scanner filter uses `standard_filter.vue`. Once we verify that `scanner_filter.vue` works properly, we will replace the current filter with it.
I've added an implementation plan to the original issue, which I'll copy below:
The GraphQL query to retrieve vulnerabilities now has a `scannerId` property we can filter on that takes an array:

```graphql
query {
  project(fullPath: "gitlab-org/gitlab") {
    vulnerabilities(scannerId: ["gid://gitlab/Vulnerabilities::Scanner/123"]) {
      ...
    }
  }
}
```
The frontend gets a list of scanners from the backend through `el.dataset`. The serializer is `ee/app/services/vulnerability_scanners/list_service.rb`. We need the `id` and no longer need `external_id`, so the property serialization on line 14 can be changed to:

```ruby
      {
        id: scanner.id,
        vendor: scanner.vendor,
        report_type: ::Enums::Vulnerability.report_types.key(scanner.report_type).upcase
      }
    end
  end
```
The `id` will be just a number, so before we pass the IDs to the vulnerabilities query, we need to prefix them with `gid://gitlab/Vulnerabilities::Scanner/`, i.e. `184` -> `gid://gitlab/Vulnerabilities::Scanner/184`.
`scanner_filter.vue` already has code to group external IDs by the `vendor` and `reportType`, so in theory all we need to do is change every place that uses `external_id`/`externalId` to `id` instead, and everything should work automatically. To test the scanner filter that supports external vendors, the `customSecurityScanners` feature flag needs to be enabled:

```
rails c
Feature.enable(:custom_security_scanners)
```
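The plan above has three moving parts: read the serialized scanners from `el.dataset`, group them by vendor -> report type keyed on the numeric `id`, and turn the selected ids into the `gid://gitlab/Vulnerabilities::Scanner/<id>` strings the `vulnerabilities(scannerId: [...])` argument expects. The following is an added example that is not `scanner_filter.vue` or any other GitLab code; the scanner objects are a constructed sample in the shape the serializer change above produces, and the function names (`parseScanners`, `groupScanners`, `toScannerGid`, `buildQueryVariables`) are my own. It also covers the two failure modes the description does not spell out: a missing or malformed dataset attribute, and an id that is already a global ID, which must not get the prefix twice.

```javascript
// Added example (not GitLab's scanner_filter.vue): builds grouped scanner filter
// options from the serializer output and converts selected ids into the global
// IDs the `vulnerabilities(scannerId: [...])` GraphQL argument expects.

const SCANNER_GID_PREFIX = 'gid://gitlab/Vulnerabilities::Scanner/';

// Constructed sample of what list_service.rb would serialize into el.dataset
// after the change described above (shape: id, vendor, report_type).
const SAMPLE_SCANNERS_JSON = JSON.stringify([
  { id: 184, vendor: 'GitLab', report_type: 'SAST' },
  { id: 185, vendor: 'GitLab', report_type: 'DEPENDENCY_SCANNING' },
  { id: 190, vendor: 'Acme', report_type: 'SAST' },
  { id: 191, vendor: 'Acme', report_type: 'SAST' },
]);

// Parse the dataset attribute. A missing or malformed attribute yields an empty
// list so the filter renders with no options instead of throwing in the component.
function parseScanners(json) {
  if (!json) return [];
  try {
    const parsed = JSON.parse(json);
    return Array.isArray(parsed) ? parsed : [];
  } catch (e) {
    return [];
  }
}

// Group scanners as vendor -> reportType -> [ids]. This is the grouping the
// description says the filter already does, keyed on `id` instead of `external_id`.
function groupScanners(scanners) {
  const groups = {};
  for (const { id, vendor, report_type: reportType } of scanners) {
    groups[vendor] = groups[vendor] || {};
    groups[vendor][reportType] = groups[vendor][reportType] || [];
    groups[vendor][reportType].push(id);
  }
  return groups;
}

// Convert a numeric (or numeric-string) scanner id to its global ID form.
// An id that is already a GID is passed through so the prefix is never doubled;
// anything else is rejected rather than silently sent to the backend.
function toScannerGid(id) {
  const value = String(id);
  if (value.startsWith(SCANNER_GID_PREFIX)) return value;
  if (!/^\d+$/.test(value)) throw new Error(`invalid scanner id: ${value}`);
  return `${SCANNER_GID_PREFIX}${value}`;
}

// Build the variables object for the vulnerabilities query from the selected ids.
// An empty selection omits scannerId entirely so no scanner filter is applied.
function buildQueryVariables(fullPath, selectedIds) {
  const variables = { fullPath };
  if (selectedIds.length > 0) {
    variables.scannerId = selectedIds.map(toScannerGid);
  }
  return variables;
}

// Usage: selecting "Acme -> SAST" in the dropdown resolves to ids [190, 191].
const grouped = groupScanners(parseScanners(SAMPLE_SCANNERS_JSON));
console.log(buildQueryVariables('gitlab-org/gitlab', grouped.Acme.SAST));
```

Grouping keeps the raw numeric ids and the GID prefix is added only at the query boundary, so the same option data can still be compared against the ids the backend returns on each vulnerability's scanner.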
## Does this MR meet the acceptance criteria?

### Conformity

- 📋 Does this MR need a changelog?
  - I have included a changelog entry.
  - I have not included a changelog entry because this is more or less refactor work.
- [-] Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- [-] Style guides
- [-] Database guides
- Separation of EE specific content

### Availability and Testing

- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
- [-] Informed Infrastructure department of a default or new setting change, if applicable per definition of done

Related to #229661 (closed)