
Add vulnerability state as part of the granular

What does this MR do and why?

Add vulnerability state as part of the granular settings for Vulnerability-Check approval project rules.

UI: involves the addition of a dropbox (vulnerability_states) with the option Newly added (to represent findings not present in the target branch) and the existing vulnerability states.

API: The UI sends the request to an API endpoint, which has been changed to support and persist the new field vulnerability_states for both create and update.

Sync job: The sync job which evaluates approval rules that are not satisfied anymore has been changed to take the vulnerability state into consideration instead of only considering newly added findings.

Related issue: #335336 (closed)

Database

$ bundle exec rails db:migrate:down VERSION=20211013192749

== 20211013192749 AddStatesIntoApprovalProjectRules: reverting ================
-- remove_column(:approval_project_rules, :vulnerability_states_int)
   -> 0.0027s
== 20211013192749 AddStatesIntoApprovalProjectRules: reverted (0.0028s) =======

$ bundle exec rails db:migrate:up VERSION=20211013192749

== 20211013192749 AddStatesIntoApprovalProjectRules: migrating ================
-- add_column(:approval_project_rules, :vulnerability_states_int, :integer, {:array=>true, :null=>false, :default=>[0]})
   -> 0.0049s
== 20211013192749 AddStatesIntoApprovalProjectRules: migrated (0.0049s) =======

Query

Execution plan through database-lab:

explain SELECT COUNT(DISTINCT "vulnerabilities"."id") FROM "vulnerabilities" LEFT OUTER JOIN  "vulnerability_occurrences" "findings" ON "findings"."vulnerability_id" = "vulnerabilities"."id" WHERE "vulnerabilities"."project_id" = 26074395 AND "findings"."uuid" IN ('184244fe-5321-51af-955c-a1933f015e9b', 'a9585c87-57af-5ec8-b370-5c42f8994d3b', '418164fd-17e6-5349-9b48-a58803f1e21f', '96daee91-
[...SKIP...]

Session: 6996. Plan with execution:

 Aggregate  (cost=71.70..71.71 rows=1 width=8) (actual time=23.156..23.158 rows=1 loops=1)
   Buffers: shared hit=22 read=29
   I/O Timings: read=22.815 write=0.000
   ->  Nested Loop  (cost=1.12..71.69 rows=1 width=8) (actual time=23.051..23.052 rows=0 loops=1)
         Buffers: shared hit=14 read=29
         I/O Timings: read=22.815 write=0.000
         ->  Index Scan using index_v
[...SKIP...]

Full execution plan (The text in the preview above has been cut).
Other artifacts are provided in the thread.
Recommendations:
Looks good.
Summary:

Time: 26.131 ms
  - planning: 2.904 ms
  - execution: 23.227 ms
    - I/O read: 22.815 ms
    - I/O write: 0.000 ms

Shared buffers:
  - hits: 22 (~176.00 KiB) from the buffer pool
  - reads: 29 (~232.00 KiB) from the OS file cache, including disk I/O
  - dirtied: 0
  - writes: 0

Details and visualization: https://postgres.ai/console/gitlab/gitlab-production-tunnel-pg12/sessions/6996/commands/24789.

Screenshots or screen recordings

New dropbox (screenshot: Screen_Shot_2021-10-14_at_8.05.35_PM)

Dropbox items (screenshot: Screen_Shot_2021-10-21_at_5.36.00_PM)

Error message (screenshot: Screen_Shot_2021-10-14_at_8.06.05_PM)

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Zamir Martins
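The sync-job change described in the MR (evaluating a Vulnerability-Check approval rule against the configured vulnerability states rather than only against newly added findings) can be illustrated with a small Ruby model. This is an added example, not GitLab's own code: the state names follow the MR description ("newly added" plus the existing vulnerability states), while the integer encoding of the vulnerability_states_int array, the Finding struct and the helper names are assumptions made for this example only.

```ruby
require 'set'

# Assumed integer encoding for the vulnerability_states_int array column.
# 0 = newly_detected is consistent with the migration default of [0] shown
# in the MR; the remaining codes are assumptions for this example.
VULNERABILITY_STATES = {
  0 => :newly_detected,
  1 => :detected,
  2 => :confirmed,
  3 => :resolved,
  4 => :dismissed
}.freeze

# A finding reported by the MR pipeline (hypothetical struct). vulnerability_state
# is nil when the finding has no vulnerability record on the target branch,
# i.e. it was newly added by the MR.
Finding = Struct.new(:uuid, :vulnerability_state, keyword_init: true)

# Constructed sample findings: one newly added, two matching existing vulnerabilities.
SAMPLE_FINDINGS = [
  Finding.new(uuid: 'finding-new',       vulnerability_state: nil),
  Finding.new(uuid: 'finding-confirmed', vulnerability_state: :confirmed),
  Finding.new(uuid: 'finding-resolved',  vulnerability_state: :resolved)
].freeze

# A finding absent from the target branch is matched as :newly_detected.
def effective_state(finding)
  finding.vulnerability_state || :newly_detected
end

# Decode the persisted integer array into a set of state symbols, rejecting
# codes the enum does not know so a bad row cannot silently disable a rule.
def decode_states(ints)
  ints.map { |i| VULNERABILITY_STATES.fetch(i) { raise ArgumentError, "unknown state code #{i}" } }.to_set
end

# Findings whose effective state is one of the rule's configured states.
# These are the findings that keep the approval rule unsatisfied.
def violating_findings(rule_states_int, findings)
  wanted = decode_states(rule_states_int)
  findings.select { |f| wanted.include?(effective_state(f)) }
end

# The rule is satisfied (approval not required) only when nothing violates it.
def rule_satisfied?(rule_states_int, findings)
  violating_findings(rule_states_int, findings).empty?
end

if $PROGRAM_NAME == __FILE__
  # A rule configured with only the default [0] behaves like the old
  # "newly added findings only" evaluation.
  puts "default [0]: #{violating_findings([0], SAMPLE_FINDINGS).map(&:uuid).inspect}"
  # Adding :confirmed widens the rule to existing confirmed vulnerabilities.
  puts "[0, 2]: #{violating_findings([0, 2], SAMPLE_FINDINGS).map(&:uuid).inspect}"
  puts "[4] satisfied? #{rule_satisfied?([4], SAMPLE_FINDINGS)}"
end
```

The point the model makes explicit is that the default [0] keeps the pre-MR behaviour (only findings missing from the target branch block approval), while every additional state code in the array widens the set of findings that leave the rule unsatisfied; an unknown code raises rather than being ignored, so a corrupted or unmigrated value fails closed.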
