Remove scannerType argument from Mutations::Vulnerabilities::Create
What does this MR do?
When verifying work done on Directly create vulnerability records via API, it came to our attention that the mutation accepts a superfluous argument – scannerType.
Screenshot
How to setup and validate locally (strongly suggested)
- Enable the invite modal
Feature.enable(:create_vulnerabilities_via_api)
- Go to GraphQL Explorer
http://127.0.0.1:3000/-/graphql-explorer
- Try supplying scannerType as an argument to the mutation

mutation vulnerabilityCreate($input: VulnerabilityCreateInput!) {
  vulnerabilityCreate(input: $input) {
    errors
    clientMutationId
    vulnerability: vulnerability {
      id
      vulnerabilityPath
      project {
        id
        fullPath
      }
    }
  }
}

{
  "input": {
    "project": "gid://gitlab/Project/6102100",
    "title": "A manual vulnerability number 2",
    "description": "A descriptive description",
    "scannerType": "SAST",
    "scannerName": "Thiago",
    "state": "CONFIRMED",
    "identifiers": [
      {
        "name": "CVE-3",
        "url": "http://localhost"
      }
    ]
  }
}

It should complain about VulnerabilityCreateInput not having a scannerType field.
Does this MR meet the acceptance criteria?
Conformity
- I have included changelog trailers, or none are needed. (Does this MR need a changelog?)
- I have added/updated documentation, or it's not needed. (Is documentation required?)
- I have properly separated EE content from FOSS, or this MR is FOSS only. (Where should EE code go?)
- I have added information for database reviewers in the MR description, or it's not needed. (Does this MR have database related changes?)
- I have self-reviewed this MR per code review guidelines.
- This MR does not harm performance, or I have asked a reviewer to help assess the performance impact. (Merge request performance guidelines)
- I have followed the style guides.
- This change is backwards compatible across updates, or this does not apply.
Availability and Testing
- I have added/updated tests following the Testing Guide, or it's not needed. (Consider all test levels. See the Test Planning Process.)
- I have tested this MR in all supported browsers, or it's not needed.
- I have informed the Infrastructure department of a default or new setting change per definition of done, or it's not needed.
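
The validation steps above hinge on where the error shows up in the response: a removed argument should be refused during variable validation (top-level errors), not by the resolver (data.vulnerabilityCreate.errors). The following is an added example, not code from this MR or from GitLab, that classifies a saved response body; the helper name, the sample responses and the exact error wording are constructed assumptions.

```ruby
require "json"

# Hypothetical helper: classify a GraphQL response to vulnerabilityCreate.
#   :rejected_by_schema - the field was refused during input validation
#   :mutation_errors    - the resolver ran and reported errors
#   :created            - a vulnerability record came back
#   :unknown            - anything else (malformed or unrelated response)
def classify_response(body, field: "scannerType", input_type: "VulnerabilityCreateInput")
  doc = JSON.parse(body)
  return :unknown unless doc.is_a?(Hash)

  # Schema-level failures are reported in the top-level "errors" array.
  schema_hit = Array(doc["errors"]).any? do |err|
    msg = err.is_a?(Hash) ? err["message"].to_s : ""
    msg.include?(field) && msg.include?(input_type)
  end
  return :rejected_by_schema if schema_hit

  payload = doc.dig("data", "vulnerabilityCreate")
  return :unknown unless payload.is_a?(Hash)
  return :mutation_errors unless Array(payload["errors"]).empty?
  return :created if payload.dig("vulnerability", "id")

  :unknown
end

# Constructed sample responses (message wording and ids are assumptions).
REJECTED = <<~'JSON'
  {"errors":[{"message":"Variable $input of type VulnerabilityCreateInput! was provided invalid value for scannerType (Field is not defined on VulnerabilityCreateInput)"}]}
JSON
CREATED = <<~'JSON'
  {"data":{"vulnerabilityCreate":{"errors":[],"clientMutationId":null,
   "vulnerability":{"id":"gid://gitlab/Vulnerability/1","vulnerabilityPath":"/placeholder"}}}}
JSON
RESOLVER_ERROR = <<~'JSON'
  {"data":{"vulnerabilityCreate":{"errors":["constructed resolver error"],"vulnerability":null}}}
JSON

if __FILE__ == $PROGRAM_NAME
  { "rejected" => REJECTED, "created" => CREATED, "resolver" => RESOLVER_ERROR }.each do |name, body|
    puts "#{name}: #{classify_response(body)}"
  end
end
```

After this MR, a request that still carries scannerType should classify as :rejected_by_schema; :created for such a request means the argument is still accepted.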