Merge branch 'bwill/add-cluster-image-scanning-location-to-graphql' into 'master'

Add `ClusterImageScanningType` to `VulnerabilitiesResolver` See merge request gitlab-org/gitlab!75797

Merge branch 'bwill/add-cluster-image-scanning-location-to-graphql' into 'master'
Add `ClusterImageScanningType` to `VulnerabilitiesResolver` See merge request gitlab-org/gitlab!75797
037420e3 · Vitali Tatarintev · cfd65270 · 38d8bf4f · 037420e3 · 037420e3
Commit 037420e3 authored Dec 14, 2021 by Vitali Tatarintev
8 changed files
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -15635,6 +15635,19 @@ Represents a link related to a vulnerability.
 | <a id="vulnerabilitylinkname"></a>`name` | [`String`](#string) | Name of the link. |
 | <a id="vulnerabilitylinkurl"></a>`url` | [`String!`](#string) | URL of the link. |

+### `VulnerabilityLocationClusterImageScanning`
+
+Represents the location of a vulnerability found by a cluster image scan.
+
+#### Fields
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| <a id="vulnerabilitylocationclusterimagescanningdependency"></a>`dependency` | [`VulnerableDependency`](#vulnerabledependency) | Dependency containing the vulnerability. |
+| <a id="vulnerabilitylocationclusterimagescanningimage"></a>`image` | [`String`](#string) | Name of the vulnerable container image. |
+| <a id="vulnerabilitylocationclusterimagescanningkubernetesresource"></a>`kubernetesResource` | [`VulnerableKubernetesResource`](#vulnerablekubernetesresource) | Kubernetes resource which uses the vulnerable container image. |
+| <a id="vulnerabilitylocationclusterimagescanningoperatingsystem"></a>`operatingSystem` | [`String`](#string) | Operating system that runs on the vulnerable container image. |
+
 ### `VulnerabilityLocationContainerScanning`

 Represents the location of a vulnerability found by a container security scan.
@@ -15785,6 +15798,21 @@ Represents a vulnerable dependency. Used in vulnerability location data.
 | <a id="vulnerabledependencypackage"></a>`package` | [`VulnerablePackage`](#vulnerablepackage) | Package associated with the vulnerable dependency. |
 | <a id="vulnerabledependencyversion"></a>`version` | [`String`](#string) | Version of the vulnerable dependency. |

+### `VulnerableKubernetesResource`
+
+Represents a vulnerable Kubernetes resource. Used in vulnerability location data.
+
+#### Fields
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| <a id="vulnerablekubernetesresourceagent"></a>`agent` | [`ClusterAgent`](#clusteragent) | Kubernetes Agent which performed the scan. |
+| <a id="vulnerablekubernetesresourceclusterid"></a>`clusterId` | [`ClustersClusterID`](#clustersclusterid) | ID of the Cluster integration which was used to perform the scan. |
+| <a id="vulnerablekubernetesresourcecontainername"></a>`containerName` | [`String!`](#string) | Name of the container that had its image scanned. |
+| <a id="vulnerablekubernetesresourcekind"></a>`kind` | [`String!`](#string) | Kind of the Kubernetes resource. |
+| <a id="vulnerablekubernetesresourcename"></a>`name` | [`String!`](#string) | Name of the Kubernetes resource. |
+| <a id="vulnerablekubernetesresourcenamespace"></a>`namespace` | [`String!`](#string) | Kubernetes namespace which the resource resides in. |
+
 ### `VulnerablePackage`

 Represents a vulnerable package. Used in vulnerability dependency data.
@@ -17967,6 +17995,7 @@ Represents a vulnerability location. The fields with data will depend on the vul

 One of:

+- [`VulnerabilityLocationClusterImageScanning`](#vulnerabilitylocationclusterimagescanning)
 - [`VulnerabilityLocationContainerScanning`](#vulnerabilitylocationcontainerscanning)
 - [`VulnerabilityLocationCoverageFuzzing`](#vulnerabilitylocationcoveragefuzzing)
 - [`VulnerabilityLocationDast`](#vulnerabilitylocationdast)
--- a/ee/app/graphql/types/vulnerability_location/cluster_image_scanning_type.rb
+++ b/ee/app/graphql/types/vulnerability_location/cluster_image_scanning_type.rb
+# frozen_string_literal: true
+
+module Types
+  module VulnerabilityLocation
+    # Vulnerability locations have their authorization enforced by VulnerabilityType
+    # rubocop: disable Graphql/AuthorizeTypes
+    class ClusterImageScanningType < ContainerScanningType
+      graphql_name 'VulnerabilityLocationClusterImageScanning'
+      description 'Represents the location of a vulnerability found by a cluster image scan'
+
+      field :kubernetes_resource, ::Types::VulnerableKubernetesResourceType, null: true,
+            description: 'Kubernetes resource which uses the vulnerable container image.'
+    end
+  end
+end
--- a/ee/app/graphql/types/vulnerability_location_type.rb
+++ b/ee/app/graphql/types/vulnerability_location_type.rb
@@ -7,7 +7,8 @@ module Types
    graphql_name 'VulnerabilityLocation'
    description 'Represents a vulnerability location. The fields with data will depend on the vulnerability report type'

-    possible_types VulnerabilityLocation::ContainerScanningType,
+    possible_types VulnerabilityLocation::ClusterImageScanningType,
+                   VulnerabilityLocation::ContainerScanningType,
                   VulnerabilityLocation::DependencyScanningType,
                   VulnerabilityLocation::DastType,
                   VulnerabilityLocation::SastType,
@@ -17,7 +18,9 @@ module Types

    def self.resolve_type(object, context)
      case object[:report_type]
-      when 'container_scanning', 'cluster_image_scanning'
+      when 'cluster_image_scanning'
+        VulnerabilityLocation::ClusterImageScanningType
+      when 'container_scanning'
        VulnerabilityLocation::ContainerScanningType
      when 'dependency_scanning'
        VulnerabilityLocation::DependencyScanningType

--- a/ee/app/graphql/types/vulnerable_kubernetes_resource_type.rb
+++ b/ee/app/graphql/types/vulnerable_kubernetes_resource_type.rb
+# frozen_string_literal: true
+
+module Types
+  # Vulnerability locations have their authorization enforced by VulnerabilityType
+  # rubocop: disable Graphql/AuthorizeTypes
+  class VulnerableKubernetesResourceType < BaseObject
+    graphql_name 'VulnerableKubernetesResource'
+    description 'Represents a vulnerable Kubernetes resource. Used in vulnerability location data'
+
+    field :namespace, GraphQL::Types::String, null: false,
+          description: 'Kubernetes namespace which the resource resides in.'
+
+    field :kind, GraphQL::Types::String, null: false,
+          description: 'Kind of the Kubernetes resource.'
+
+    field :name, GraphQL::Types::String, null: false,
+          description: 'Name of the Kubernetes resource.'
+
+    field :container_name, GraphQL::Types::String, null: false,
+          description: 'Name of the container that had its image scanned.'
+
+    field :agent, ::Types::Clusters::AgentType, null: true,
+          description: 'Kubernetes Agent which performed the scan.'
+
+    field :cluster_id, ::Types::GlobalIDType[::Clusters::Cluster], null: true,
+          description: 'ID of the Cluster integration which was used to perform the scan.'
+
+    def agent
+      ::Gitlab::Graphql::Loaders::BatchModelLoader.new(::Clusters::Agent, object['agent_id']).find
+    end
+  end
+end
--- a/ee/spec/graphql/types/vulnerability_location/cluster_image_scanning_type_spec.rb
+++ b/ee/spec/graphql/types/vulnerability_location/cluster_image_scanning_type_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe GitlabSchema.types['VulnerabilityLocationClusterImageScanning'] do
+  it { expect(described_class).to have_graphql_fields(:dependency, :image, :operating_system, :kubernetes_resource) }
+end
--- a/ee/spec/graphql/types/vulnerability_location_type_spec.rb
+++ b/ee/spec/graphql/types/vulnerability_location_type_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe GitlabSchema.types['VulnerabilityLocation'] do
+  let(:vulnerability) { create(:vulnerability, report_type: report_type) }
+
+  it 'returns all possible types' do
+    expect(described_class.possible_types).to include(
+      Types::VulnerabilityLocation::ClusterImageScanningType,
+      Types::VulnerabilityLocation::ContainerScanningType,
+      Types::VulnerabilityLocation::DependencyScanningType,
+      Types::VulnerabilityLocation::DastType,
+      Types::VulnerabilityLocation::SastType,
+      Types::VulnerabilityLocation::SecretDetectionType,
+      Types::VulnerabilityLocation::CoverageFuzzingType,
+      Types::VulnerabilityLocation::GenericType
+    )
+  end
+
+  describe '#resolve_type' do
+    using RSpec::Parameterized::TableSyntax
+
+    where(:report_type, :expected_type) do
+      :cluster_image_scanning | Types::VulnerabilityLocation::ClusterImageScanningType
+      :container_scanning     | Types::VulnerabilityLocation::ContainerScanningType
+      :dependency_scanning    | Types::VulnerabilityLocation::DependencyScanningType
+      :dast                   | Types::VulnerabilityLocation::DastType
+      :api_fuzzing            | Types::VulnerabilityLocation::DastType
+      :sast                   | Types::VulnerabilityLocation::SastType
+      :secret_detection       | Types::VulnerabilityLocation::SecretDetectionType
+      :coverage_fuzzing       | Types::VulnerabilityLocation::CoverageFuzzingType
+      :generic                | Types::VulnerabilityLocation::GenericType
+    end
+
+    subject do
+      described_class.resolve_type(vulnerability, {})
+    end
+
+    with_them do
+      specify { expect(subject).to eq(expected_type) }
+    end
+
+    context 'when report_type is unknown' do
+      # We have to mock this one since :report_type is an enum on the Vulnerability model.
+      # Trying to create a vulnerability an invalid report_type causes an ArgumentError.
+      let(:vulnerability) { { report_type: :unknown_type } }
+
+      it 'raises an error' do
+        expect { subject }.to raise_error(Types::VulnerabilityLocationType::UnexpectedReportType)
+      end
+    end
+  end
+end
--- a/ee/spec/graphql/types/vulnerable_kubernetes_resource_type_spec.rb
+++ b/ee/spec/graphql/types/vulnerable_kubernetes_resource_type_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe GitlabSchema.types['VulnerableKubernetesResource'] do
+  it { expect(described_class).to have_graphql_fields(:namespace, :kind, :name, :container_name, :agent, :cluster_id) }
+end
--- a/ee/spec/requests/api/graphql/vulnerabilities/location_spec.rb
+++ b/ee/spec/requests/api/graphql/vulnerabilities/location_spec.rb
@@ -9,11 +9,33 @@ RSpec.describe 'Query.vulnerabilities.location' do

  let_it_be(:project) { create(:project) }
  let_it_be(:user) { create(:user, security_dashboard_projects: [project]) }
+  let_it_be(:agent) { create(:cluster_agent, project: project) }

  let_it_be(:fields) do
    <<~QUERY
      location {
        __typename
+        ... on VulnerabilityLocationClusterImageScanning {
+          image
+          operatingSystem
+          dependency {
+            version
+            package {
+              name
+            }
+          }
+          kubernetesResource {
+            namespace
+            kind
+            name
+            containerName
+            clusterId
+            agent {
+              id
+              name
+            }
+          }
+        }
        ... on VulnerabilityLocationContainerScanning {
          image
          operatingSystem
@@ -154,6 +176,14 @@ RSpec.describe 'Query.vulnerabilities.location' do
            package: {
              name: 'vulnerable_container'
            }
+          },
+          kubernetes_resource: {
+            namespace: "production",
+            kind: "Deployment",
+            name: "nginx-deployment",
+            container_name: "nginx",
+            cluster_id: "1",
+            agent_id: agent.id
          }
        }
      }
@@ -167,14 +197,46 @@ RSpec.describe 'Query.vulnerabilities.location' do
      )
    end

-    it 'returns a container location' do
+    it 'returns a cluster image scanning location' do
      location = subject.first['location']

-      expect(location['__typename']).to eq('VulnerabilityLocationContainerScanning')
+      expect(location['__typename']).to eq('VulnerabilityLocationClusterImageScanning')
      expect(location['image']).to eq('vulnerable_image')
      expect(location['operatingSystem']).to eq('vulnerable_os')
      expect(location['dependency']['version']).to eq('6.6.6')
      expect(location['dependency']['package']['name']).to eq('vulnerable_container')
+      expect(location['kubernetesResource']['namespace']).to eq('production')
+      expect(location['kubernetesResource']['kind']).to eq('Deployment')
+      expect(location['kubernetesResource']['name']).to eq('nginx-deployment')
+      expect(location['kubernetesResource']['containerName']).to eq('nginx')
+      expect(location['kubernetesResource']['clusterId']).to eq('gid://gitlab/Clusters::Cluster/1')
+    end
+
+    context 'when user is not authorized to administrate clusters' do
+      before do
+        project.add_developer(user)
+        post_graphql(query, current_user: user)
+      end
+
+      it 'does not return agent data' do
+        location = subject.first['location']
+
+        expect(location['kubernetesResource']['agent']).to be_nil
+      end
+    end
+
+    context 'when user is authorized to administrate clusters' do
+      before do
+        project.add_maintainer(user)
+        post_graphql(query, current_user: user)
+      end
+
+      it 'returns agent data' do
+        location = subject.first['location']
+
+        expect(location['kubernetesResource']['agent']['id']).to eq("gid://gitlab/Clusters::Agent/#{agent.id}")
+        expect(location['kubernetesResource']['agent']['name']).to eq(agent.name)
+      end
    end
  end