
Add `ClusterImageScanningType` to `VulnerabilitiesResolver`

What does this MR do and why?


This merge request adds a new ClusterImageScanningType to the VulnerabilitiesResolver GraphQL query. This allows the GraphQL query to begin returning location data for Cluster Image Scanning Vulnerabilities.

Issue: #347081 (closed)

This supports the displaying of Operational Vulnerabilities in the GitLab UI, being implemented as part of &6345 (closed).

Screenshots or screen recordings


[Screenshot: Screen_Shot_2021-12-08_at_3.05.01_PM]

How to set up and validate locally


  1. Make sure your GDK has an EE license.

  2. Set up GitLab Runner in Docker mode and make sure a runner is registered to your group.

  3. Commit a .gitlab-ci.yml file to your project with the following content:

    cluster_image_scanning:
      image: alpine:latest
      script:
        - apk add --update curl
        - curl -O https://gitlab.com/-/snippets/2218294/raw/main/gl-cluster-image-scanning-report.json
      artifacts:
        reports:
          cluster_image_scanning: gl-cluster-image-scanning-report.json
        paths: [gl-cluster-image-scanning-report.json]
  4. Go to http://localhost:3000/-/graphql-explorer

  5. Paste the following query:

    query vulnerabilities($fullPath: ID!) {
      project(fullPath: $fullPath) {
        vulnerabilities {
          nodes {
            id
            title
            description
            location {
              __typename
              ... on VulnerabilityLocationClusterImageScanning {
                image
                operatingSystem
                dependency {
                  version
                  package {
                    name
                  }
                }
                kubernetesResource {
                  namespace
                  kind
                  name
                  containerName
                  agent {
                    id
                    name
                    webPath
                  }
                }
              }
            }
          }
        }
      }
    }
  6. In the query variables set:

    {
      "fullPath": "path/to/your/project"
    }
  7. Run the query

  8. Query returns Cluster Image Scanning location data

    {
      "data": {
        "project": {
          "vulnerabilities": {
            "nodes": [
              {
                "id": "gid://gitlab/Vulnerability/689",
                "title": "CVE-2020-36331 in libwebp6",
                "description": "libwebp: out-of-bounds read in ChunkAssignData() in mux/muxinternal.c",
                "location": {
                  "__typename": "VulnerabilityLocationClusterImageScanning",
                  "image": "index.docker.io/library/nginx:1.14.2",
                  "operatingSystem": null,
                  "dependency": {
                    "version": "0.5.2-1",
                    "package": {
                      "name": "libwebp6"
                    }
                  },
                  "kubernetesResource": {
                    "namespace": "default",
                    "kind": "ReplicaSet",
                    "name": "nginx-deployment-66b6c48dd5",
                    "containerName": "nginx",
                    "agent": {
                      "id": "gid://gitlab/Clusters::Agent/1",
                      "name": "test-agent",
                      "webPath": "/root/starboard-vuln/-/cluster_agents/test-agent"
                    }
                  }
                }
              }
            ]
          }
        }
      }
    }
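The steps above run the query by hand in the GraphQL explorer. As an added example (not code from this merge request or from GitLab), the script below sends the same query to a GitLab instance's `/api/graphql` endpoint, pages through the vulnerability connection, and groups the `VulnerabilityLocationClusterImageScanning` findings by the Kubernetes workload they were observed in, which is the view an operator needs when deciding which running container to patch first. The base URL, token and project path are placeholders the caller supplies; the first sample node is the node from the example output above, the second is a constructed Container Scanning node included to show that other location types are skipped.

```python
"""Group a GitLab project's Cluster Image Scanning vulnerabilities by Kubernetes workload.
Added example; not part of the merge request or of GitLab itself."""
import json
import urllib.request

# Same selection set as the query in the validation steps, plus the standard
# connection pagination fields so fetch_vulnerability_nodes() can walk every page.
VULNERABILITIES_QUERY = """
query vulnerabilities($fullPath: ID!, $after: String) {
  project(fullPath: $fullPath) {
    vulnerabilities(after: $after) {
      pageInfo { hasNextPage endCursor }
      nodes {
        id title description
        location {
          __typename
          ... on VulnerabilityLocationClusterImageScanning {
            image operatingSystem
            dependency { version package { name } }
            kubernetesResource { namespace kind name containerName agent { id name webPath } }
          }
        }
      }
    }
  }
}
"""
CLUSTER_IMAGE_TYPENAME = "VulnerabilityLocationClusterImageScanning"


def fetch_vulnerability_nodes(base_url, token, full_path):
    """Page through the vulnerability connection at <base_url>/api/graphql.
    base_url (e.g. http://localhost:3000 for a GDK), token (a personal access
    token with API read access) and full_path are placeholders from the caller."""
    nodes, after = [], None
    while True:
        body = json.dumps({"query": VULNERABILITIES_QUERY,
                           "variables": {"fullPath": full_path, "after": after}}).encode()
        req = urllib.request.Request(base_url.rstrip("/") + "/api/graphql", data=body, method="POST",
                                     headers={"Content-Type": "application/json", "PRIVATE-TOKEN": token})
        with urllib.request.urlopen(req) as resp:
            payload = json.load(resp)
        if payload.get("errors"):
            raise RuntimeError(payload["errors"])
        conn = payload["data"]["project"]["vulnerabilities"]
        nodes.extend(conn["nodes"])
        if not conn["pageInfo"]["hasNextPage"]:
            return nodes
        after = conn["pageInfo"]["endCursor"]


def group_by_workload(nodes):
    """Keep only Cluster Image Scanning locations and group them by the
    (namespace, kind, name, containerName) of the affected Kubernetes resource.
    Nodes with another location type, or no location at all, are counted as skipped."""
    groups, skipped = {}, 0
    for node in nodes:
        loc = node.get("location") or {}
        if loc.get("__typename") != CLUSTER_IMAGE_TYPENAME:
            skipped += 1
            continue
        res = loc.get("kubernetesResource") or {}
        dep = loc.get("dependency") or {}
        key = (res.get("namespace"), res.get("kind"), res.get("name"), res.get("containerName"))
        groups.setdefault(key, []).append({
            "title": node["title"],
            "image": loc.get("image"),
            "package": (dep.get("package") or {}).get("name"),
            "version": dep.get("version"),
            "os": loc.get("operatingSystem"),  # null in the MR's sample output, so keep it optional
            "agent": (res.get("agent") or {}).get("name"),
        })
    return groups, skipped


# First node: the example output from the MR description. Second node: constructed.
SAMPLE_NODES = [
    {"id": "gid://gitlab/Vulnerability/689", "title": "CVE-2020-36331 in libwebp6",
     "description": "libwebp: out-of-bounds read in ChunkAssignData() in mux/muxinternal.c",
     "location": {"__typename": CLUSTER_IMAGE_TYPENAME, "image": "index.docker.io/library/nginx:1.14.2",
                  "operatingSystem": None,
                  "dependency": {"version": "0.5.2-1", "package": {"name": "libwebp6"}},
                  "kubernetesResource": {"namespace": "default", "kind": "ReplicaSet",
                                         "name": "nginx-deployment-66b6c48dd5", "containerName": "nginx",
                                         "agent": {"id": "gid://gitlab/Clusters::Agent/1", "name": "test-agent",
                                                   "webPath": "/root/starboard-vuln/-/cluster_agents/test-agent"}}}},
    {"id": "gid://gitlab/Vulnerability/999", "title": "constructed container-scanning finding",
     "description": "constructed sample", "location": {"__typename": "VulnerabilityLocationContainerScanning"}},
]

if __name__ == "__main__":
    # Offline run over the sample nodes; swap in fetch_vulnerability_nodes(...) for a live instance.
    groups, skipped = group_by_workload(SAMPLE_NODES)
    for (ns, kind, name, container), findings in groups.items():
        print(f"{ns}/{kind}/{name} container={container}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f['title']}  {f['package']} {f['version']}  image={f['image']}  agent={f['agent']}")
    print(f"skipped {skipped} node(s) that are not Cluster Image Scanning locations")
```

Grouping by `kubernetesResource` rather than by image is deliberate: the same image may run in several namespaces with different exposure, and the agent name tells you which cluster the finding came from.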

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Brian Williams
