
Draft: investigate missing fields **DO NOT MERGE THIS**

Savas Vedova requested to merge spike-find-missing-fields into master

What does this MR do and why?

This MR is simply a SPIKE. We're investigating the missing fields in GraphQL in order to request them from the backend.

Mock GraphQL Server

https://gitlab.com/dpisek/vulnerability-graphql-mock

Result of spike

  • backend Add the following fields:
# Enums
enum VulnerabilitySupportingMessageName {
  RECORDED
}
# Types
type VulnerabilityRequestResponseHeader {
  name: String
  value: String
}

type VulnerabilityRequest {
  body: String
  method: String
  url: String
  headers: [VulnerabilityRequestResponseHeader!]
}

type VulnerabilityResponse {
  body: String
  statusCode: String
  reasonPhrase: String
  headers: [VulnerabilityRequestResponseHeader!]
}

type VulnerabilitySupportingMessage {
  name: VulnerabilitySupportingMessageName
  response: VulnerabilityResponse
}

type VulnerabilityEvidenceSource {
  name: String
}

type VulnerabilityAsset {
  name: String
  url: String
}

type VulnerabilityRemediation {
  diff: [String!]
}

## Extensions

# Check /ee/lib/ee/gitlab/ci/parsers/security/validators/schemas/coverage_fuzzing.json
# for more details
extend type VulnerabilityLocationCoverageFuzzing {
  crashType: String
  crashAddress: String
  stacktraceSnippet: String
}

extend type VulnerabilityScanner {
  url: String
  version: String
}

extend type Vulnerability {
  createdAt: Time
  pipeline: Pipeline
  request: VulnerabilityRequest
  response: VulnerabilityResponse
  supportingMessages: [VulnerabilitySupportingMessage!]
  evidenceSource: VulnerabilityEvidenceSource
  assets: [VulnerabilityAsset!]
  solution: String
  remediations: [VulnerabilityRemediation!]
  canModifyRelatedIssues: Boolean!
  relatedIssuesHelpPath: String
}
  • frontend Migrate ee/app/assets/javascripts/vue_shared/security_reports/components/merge_request_note.vue and ee/vue_shared/security_reports/components/event_item.vue to use camelCase fields.
  • frontend Find vulnerability.hasMr occurrences. We won't have this field anymore; instead, use the mergeRequest field to deduce this information.
  • frontend Find mergeRequestFeedback occurrences and rename them to mergeRequest.
Edited by Savas Vedova
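
The three frontend tasks listed above, sketched as one adapter. This is an added example, not code from this merge request or from GitLab: the helper names, the snake_case legacy keys and the sample object are assumptions constructed for illustration.

```javascript
// Hypothetical helpers; operate on plain JSON data only.

// snake_case -> camelCase for one key. The lookbehind leaves leading
// underscores alone, so GraphQL's __typename survives unchanged.
const toCamel = (key) =>
  key.replace(/(?<=[A-Za-z0-9])_+([a-z0-9])/g, (_, c) => c.toUpperCase());

// Recursively camelCase the keys of objects and arrays. Values are never
// rewritten, so header names/values in request/response stay byte-for-byte.
function camelizeKeys(value) {
  if (Array.isArray(value)) return value.map(camelizeKeys);
  if (value === null || typeof value !== 'object') return value;
  return Object.fromEntries(
    Object.entries(value).map(([k, v]) => [toCamel(k), camelizeKeys(v)]),
  );
}

// Bring a legacy-shaped vulnerability to the shape the spike describes:
// camelCase keys, mergeRequestFeedback renamed to mergeRequest, hasMr dropped.
function normalizeVulnerability(legacy) {
  const { mergeRequestFeedback, hasMr, ...rest } = camelizeKeys(legacy);
  return {
    ...rest,
    mergeRequest: rest.mergeRequest ?? mergeRequestFeedback ?? null,
  };
}

// Drop-in replacement for reads of vulnerability.hasMr.
const hasMergeRequest = (vulnerability) => Boolean(vulnerability?.mergeRequest);

// Constructed sample input (not a real API payload).
const legacySample = {
  __typename: 'Vulnerability',
  title: 'Constructed finding',
  has_mr: true,
  merge_request_feedback: { merge_request_path: '/group/project/-/merge_requests/7' },
  request: {
    method: 'GET',
    url: 'https://example.test/?q=1',
    headers: [{ name: 'X-Request-Id', value: 'abc_def' }],
  },
};

const normalizedSample = normalizeVulnerability(legacySample);
```

Because `hasMr` is discarded rather than copied, a stale flag can never disagree with the `mergeRequest` object that components actually render.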
