
Add origin enum to Vulnerabilities

What does this MR do and why?

This MR adds an origin enum to Vulnerability so that we can distinguish between Vulnerabilities created by the GitLab CI security scanning feature and Vulnerabilities created via our GraphQL mutation.

Related to #341263 (closed)

How to set up and validate locally

  1. Check out this branch
  2. bundle exec rails db:migrate
  3. bundle exec rails runner 'Feature.enable(:create_vulnerabilities_via_api)'
  4. Go to http://localhost:3000/-/graphql-explorer
  5. Invoke the following mutation:
mutation vulnerabilityCreate($input: VulnerabilityCreateInput!) {
  vulnerabilityCreate(input: $input) {
    errors
    clientMutationId
    vulnerability: vulnerability {
      id
      vulnerabilityPath
      project {
        id
        fullPath
      }
    }
  }
}

with the following inputs

{
  "input": {
    "project": "gid://gitlab/Project/20",
    "title": "A manual vulnerability number 2",
    "description": "A descriptive description",
    "scannerName": "Test",
    "state": "CONFIRMED",
    "identifiers": [
      {
        "name": "CVE-3",
        "url": "http://localhost"
      }
    ]
  }
}
  6. Verify there are no errors
  7. Execute the following query:
{
  vulnerability(id: "gid://gitlab/Vulnerability/121") {
    id
    origin
  }
}
  8. Verify the result is:
{
  "data": {
    "vulnerability": {
      "id": "gid://gitlab/Vulnerability/121",
      "origin": "API"
    }
  }
}
  9. bundle exec rails runner 'Feature.disable(:create_vulnerabilities_via_api)'
  10. bundle exec rails db:rollback

Database review

gitlab on  341263-add-created_via_api-flag-to-vulnerabilities [!?] via ⬢ v14.15.4 via 💎 ruby ➜ bundle exec rails db:migrate                                           
== 20210920140342 AddOriginToVulnerabilities: migrating =======================
-- add_column(:vulnerabilities, :origin, :integer, {:default=>1})
   -> 0.0011s
== 20210920140342 AddOriginToVulnerabilities: migrated (0.0012s) ==============


gitlab on  341263-add-created_via_api-flag-to-vulnerabilities [!?] via ⬢ v14.15.4 via 💎 ruby ➜ bundle exec rails db:rollback
== 20210920140342 AddOriginToVulnerabilities: reverting =======================
-- remove_column(:vulnerabilities, :origin, :integer, {:default=>1})
   -> 0.0009s
== 20210920140342 AddOriginToVulnerabilities: reverted (0.0018s) ==============

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Michał Zając
