Add `Mutations::SecurityFinding::CreateIssue` GraphQL mutation
What does this MR do and why?
Related issue: Create `Mutations::SecurityFinding::CreateIssue` (#361948 - closed)
How to set up and validate locally
Scenario 1: There is no `report_finding` for the `security_finding`.

- Start the Rails console and enable the feature flag:

```
rails c
Feature.enable(:deprecate_vulnerabilities_feedback)
```

- Create a new `Security::Finding`:

```ruby
security_finding = Security::Finding.last.dup
security_finding.uuid = SecureRandom.uuid
security_finding.save
```

- Check the `Vulnerability` count.

```
Vulnerability.count
   (10.4ms)  SELECT COUNT(*) FROM "vulnerabilities" /*application:console,db_config_name:main,line:(pry):1:in `__pry__'*/
=> 154
```

- Check the `Issue` count.

```
Issue.count
   (13.4ms)  SELECT COUNT(*) FROM "issues" /*application:console,db_config_name:main,line:(pry):2:in `__pry__'*/
=> 498
```

- Check the `Vulnerabilities::IssueLink` count.

```
Vulnerabilities::IssueLink.count
   (0.6ms)  SELECT COUNT(*) FROM "vulnerability_issue_links" /*application:console,db_config_name:main,line:(pry):34:in `__pry__'*/
=> 52
```

- Go to `/-/graphql-explorer` and run the mutation:

```graphql
mutation securityFindingCreateIssue($input: SecurityFindingCreateIssueInput!) {
  securityFindingCreateIssue(input: $input) {
    issue {
      title
    }
    errors
  }
}
```

  with the variables:

```json
{
  "input": {
    "project": "gid://gitlab/Project/24",
    "uuid": "6732cb09-0524-4747-8f0b-d485a65db02f"
  }
}
```

  You should get a response like:

```json
{
  "data": {
    "securityFindingCreateIssue": {
      "issue": null,
      "errors": [
        "Report Finding not found"
      ]
    }
  }
}
```

- Check the `Vulnerability` count. It should not have increased.

```
Vulnerability.count
   (0.5ms)  SELECT COUNT(*) FROM "vulnerabilities" /*application:console,db_config_name:main,line:(pry):4:in `__pry__'*/
=> 154
```

- Check the `Issue` count. It should not have increased.

```
Issue.count
   (0.5ms)  SELECT COUNT(*) FROM "issues" /*application:console,db_config_name:main,line:(pry):5:in `__pry__'*/
=> 498
```

- Check the `Vulnerabilities::IssueLink` count. It should not have increased.

```
Vulnerabilities::IssueLink.count
   (0.6ms)  SELECT COUNT(*) FROM "vulnerability_issue_links" /*application:console,db_config_name:main,line:(pry):34:in `__pry__'*/
=> 52
```
Add `vulnerability_findings`

Follow the steps described here.

Scenario 2: There is a `vulnerability_finding` and a `vulnerability` for the `security_finding`.

- In the Rails console, find the UUID of a `security_finding` from that scan whose `vulnerability_finding` already has a `vulnerability`:

```ruby
# Find the scan related to the pipeline which created the security_findings
scan = Security::Scan.where(pipeline_id: 750, scan_type: 'sast').last
# Pick a vulnerability finding that already has a vulnerability and shares its UUID
# with one of the security findings of that scan; this UUID goes into the mutation input
Vulnerabilities::Finding.where.not(vulnerability_id: nil).where(uuid: [Security::Finding.where(scan_id: scan.id).map(&:uuid)]).first.uuid
```

- Check the `Vulnerability` count.

```
Vulnerability.count
   (2.4ms)  SELECT COUNT(*) FROM "vulnerabilities" /*application:console,db_config_name:main,line:(pry):27:in `__pry__'*/
=> 298
```

- Check the `Issue` count.

```
Issue.count
   (13.4ms)  SELECT COUNT(*) FROM "issues" /*application:console,db_config_name:main,line:(pry):2:in `__pry__'*/
=> 498
```

- Check the `Vulnerabilities::IssueLink` count.

```
Vulnerabilities::IssueLink.count
   (0.6ms)  SELECT COUNT(*) FROM "vulnerability_issue_links" /*application:console,db_config_name:main,line:(pry):34:in `__pry__'*/
=> 52
```

- Go to `/-/graphql-explorer` and add the query:

```graphql
mutation securityFindingCreateIssue($input: SecurityFindingCreateIssueInput!) {
  securityFindingCreateIssue(input: $input) {
    issue {
      title
    }
    errors
  }
}
```

- Fill the input with the project gid and the UUID of the `security_finding` we created:

```json
{
  "input": {
    "project": "gid://gitlab/Project/24",
    "uuid": "f60b9049-6cc1-585c-ad65-6a36597071da"
  }
}
```

- Check the response:

```json
{
  "data": {
    "securityFindingCreateIssue": {
      "issue": {
        "title": "Investigate vulnerability: Hardcoded constant database password",
        "type": "ISSUE",
        "severity": "UNKNOWN",
        "state": "opened"
      },
      "errors": []
    }
  }
}
```

- Check the `Vulnerability` count. It shouldn't have increased.

```
[31] pry(main)> Vulnerability.count
   (0.5ms)  SELECT COUNT(*) FROM "vulnerabilities" /*application:console,db_config_name:main,line:(pry):31:in `__pry__'*/
=> 298
```

- Check the `Issue` count. It should have increased by 1.

```
[32] pry(main)> Issue.count
   (0.7ms)  SELECT COUNT(*) FROM "issues" /*application:console,db_config_name:main,line:(pry):32:in `__pry__'*/
=> 499
```

- Check the `Vulnerabilities::IssueLink` count. It should have increased by 1.

```
[34] pry(main)> Vulnerabilities::IssueLink.count
   (0.6ms)  SELECT COUNT(*) FROM "vulnerability_issue_links" /*application:console,db_config_name:main,line:(pry):34:in `__pry__'*/
=> 53
```
Scenario 3: There is an `issue_link` for the `security_finding`.

- Check the `Vulnerability` count.

```
Vulnerability.count
   (2.4ms)  SELECT COUNT(*) FROM "vulnerabilities" /*application:console,db_config_name:main,line:(pry):27:in `__pry__'*/
=> 298
```

- Check the `Issue` count.

```
Issue.count
   (13.4ms)  SELECT COUNT(*) FROM "issues" /*application:console,db_config_name:main,line:(pry):2:in `__pry__'*/
=> 498
```

- Check the `Vulnerabilities::IssueLink` count.

```
Vulnerabilities::IssueLink.count
   (0.6ms)  SELECT COUNT(*) FROM "vulnerability_issue_links" /*application:console,db_config_name:main,line:(pry):34:in `__pry__'*/
=> 52
```

- Go to `/-/graphql-explorer` and add the query:

```graphql
mutation securityFindingCreateIssue($input: SecurityFindingCreateIssueInput!) {
  securityFindingCreateIssue(input: $input) {
    issue {
      title
    }
    errors
  }
}
```

- Fill the input with the project gid and the same UUID of the `security_finding` we created for scenario 2:

```json
{
  "input": {
    "project": "gid://gitlab/Project/24",
    "uuid": "f60b9049-6cc1-585c-ad65-6a36597071da"
  }
}
```

- Check the response:

```json
{
  "data": {
    "securityFindingCreateIssue": {
      "issue": null,
      "errors": [
        "Vulnerability already has a \"created\" issue link"
      ]
    }
  }
}
```

- Check the `Vulnerability` count. It shouldn't have increased.

```
[31] pry(main)> Vulnerability.count
   (0.5ms)  SELECT COUNT(*) FROM "vulnerabilities" /*application:console,db_config_name:main,line:(pry):31:in `__pry__'*/
=> 298
```

- Check the `Issue` count. It shouldn't have increased.

```
[32] pry(main)> Issue.count
   (0.7ms)  SELECT COUNT(*) FROM "issues" /*application:console,db_config_name:main,line:(pry):32:in `__pry__'*/
=> 499
```

- Check the `Vulnerabilities::IssueLink` count. It shouldn't have increased.

```
[34] pry(main)> Vulnerabilities::IssueLink.count
   (0.6ms)  SELECT COUNT(*) FROM "vulnerability_issue_links" /*application:console,db_config_name:main,line:(pry):34:in `__pry__'*/
=> 53
```
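As an added illustration (not GitLab's `Mutations::SecurityFinding::CreateIssue` code), the Ruby below models the three outcomes the scenarios above check: the report-finding lookup, the duplicate `created` issue-link guard, and the property that a rejected call writes nothing, so the issue and issue-link counts stay unchanged. Every name (`Store`, `create_issue_for_finding`, `run_scenarios`) and the in-memory records are hypothetical; only the UUIDs, error strings and issue title are taken from the scenarios.

```ruby
# Added illustration, not GitLab's code: an in-memory model of the validation
# paths exercised by the three scenarios. Every name here is hypothetical.
Store = Struct.new(:vulnerability_findings, :issues, :issue_links)

def new_store
  # vulnerability_findings: { uuid:, vulnerability_id:, name: } (the report finding)
  # issues: { id:, title: }; issue_links: { vulnerability_id:, issue_id:, link_type: }
  Store.new([], [], [])
end

def create_issue_for_finding(store, uuid:)
  # Scenario 1: the security finding has no report finding with a vulnerability.
  report = store.vulnerability_findings.find { |vf| vf[:uuid] == uuid && vf[:vulnerability_id] }
  return { issue: nil, errors: ['Report Finding not found'] } unless report

  # Scenario 3: a "created" link already exists, so do not open a second issue.
  linked = store.issue_links.any? do |l|
    l[:vulnerability_id] == report[:vulnerability_id] && l[:link_type] == 'created'
  end
  return { issue: nil, errors: ['Vulnerability already has a "created" issue link'] } if linked

  # Scenario 2: all checks passed; only now write, so rejected calls leave counts unchanged.
  issue = { id: store.issues.size + 1, title: "Investigate vulnerability: #{report[:name]}" }
  store.issues << issue
  store.issue_links << { vulnerability_id: report[:vulnerability_id], issue_id: issue[:id], link_type: 'created' }
  { issue: issue, errors: [] }
end

# Replays the three scenarios on constructed sample data and returns each
# response together with the issue / issue-link counts after the call.
def run_scenarios
  store = new_store
  store.vulnerability_findings << { uuid: 'f60b9049-6cc1-585c-ad65-6a36597071da',
                                    vulnerability_id: 1, name: 'Hardcoded constant database password' }
  uuids = ['6732cb09-0524-4747-8f0b-d485a65db02f',   # scenario 1: no report finding
           'f60b9049-6cc1-585c-ad65-6a36597071da',   # scenario 2: creates issue + link
           'f60b9049-6cc1-585c-ad65-6a36597071da']   # scenario 3: link already exists
  uuids.map do |uuid|
    response = create_issue_for_finding(store, uuid: uuid)
    { response: response, issues: store.issues.size, issue_links: store.issue_links.size }
  end
end

if __FILE__ == $PROGRAM_NAME
  run_scenarios.each_with_index { |r, i| puts "Scenario #{i + 1}: #{r.inspect}" }
end
```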
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Marcos Rocha