Extend GraphQL Ci::PipelineType to include Security Report Findings

- Create new PipelineSecurityReportFindingType - Create new GraphQL Resolver - Add ability to filter by scanner - Add ability to filter by severity - Add ability to filter by reportType - Add changelog entry

Extend GraphQL Ci::PipelineType to include Security Report Findings
- Create new PipelineSecurityReportFindingType - Create new GraphQL Resolver - Add ability to filter by scanner - Add ability to filter by severity - Add ability to filter by reportType - Add changelog entry
06adcc42 · Subashis · 011d836d · 06adcc42 · 06adcc42 · 06adcc42
Commit 06adcc42 authored Feb 12, 2021 by Subashis
9 changed files
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -2964,6 +2964,7 @@ Information about pagination in a connection.
 | `path` | String | Relative path to the pipeline's page. |
 | `project` | Project | Project the pipeline belongs to. |
 | `retryable` | Boolean! | Specifies if a pipeline can be retried. |
+| `securityReportFindings` | PipelineSecurityReportFindingConnection | Vulnerability findings reported on the pipeline |
 | `securityReportSummary` | SecurityReportSummary | Vulnerability and scanned resource counts for each security scanner of the pipeline. |
 | `sha` | String! | SHA of the pipeline's commit. |
 | `sourceJob` | CiJob | Job where pipeline was triggered from. |
@@ -3028,6 +3029,25 @@ Autogenerated return type of PipelineRetry.
 | `errors` | String! => Array | Errors encountered during execution of the mutation. |
 | `pipeline` | Pipeline | The pipeline after mutation. |

+### PipelineSecurityReportFinding
+
+Represents vulnerability finding of a security report on the pipeline.
+
+| Field | Type | Description |
+| ----- | ---- | ----------- |
+| `confidence` | String | Type of the security report that found the vulnerability  |
+| `description` | String | Description of the vulnerability finding |
+| `identifiers` | VulnerabilityIdentifier! => Array | Identifiers of the vulnerabilit finding. |
+| `location` | VulnerabilityLocation | Location metadata for the vulnerability. Its fields depend on the type of security scan that found the vulnerability |
+| `name` | String | Name of the vulnerability finding |
+| `project` | Project | The project on which the vulnerability finding was found |
+| `projectFingerprint` | String | Name of the vulnerability finding |
+| `reportType` | VulnerabilityReportType | Type of the security report that found the vulnerability finding |
+| `scanner` | VulnerabilityScanner | Scanner metadata for the vulnerability. |
+| `severity` | VulnerabilitySeverity | Severity of the vulnerability finding |
+| `solution` | String | URL to the vulnerability's details page |
+| `uuid` | String | Name of the vulnerability finding |
+
 ### Project

 | Field | Type | Description |

--- a/ee/app/graphql/ee/types/ci/pipeline_type.rb
+++ b/ee/app/graphql/ee/types/ci/pipeline_type.rb
@@ -13,6 +13,12 @@ module EE
            extras: [:lookahead],
            description: 'Vulnerability and scanned resource counts for each security scanner of the pipeline.',
            resolver: ::Resolvers::SecurityReportSummaryResolver
+
+          field :security_report_findings,
+            ::Types::PipelineSecurityReportFindingType.connection_type,
+            null: true,
+            description: 'Vulnerability findings reported on the pipeline',
+            resolver: ::Resolvers::PipelineSecurityReportFindingsResolver
        end
      end
    end

--- a/ee/app/graphql/resolvers/pipeline_security_report_findings_resolver.rb
+++ b/ee/app/graphql/resolvers/pipeline_security_report_findings_resolver.rb
+# frozen_string_literal: true
+
+module Resolvers
+  class PipelineSecurityReportFindingsResolver < BaseResolver
+    type ::Types::PipelineSecurityReportFindingType, null: true
+
+    alias_method :pipeline, :object
+
+    argument :report_type, [GraphQL::STRING_TYPE], 
+             required: false,
+             description: 'Filter vulnerability findings by report type.'
+
+    argument :severity, [GraphQL::STRING_TYPE],
+             required: false,
+             description: 'Filter vulnerability findings by severity.'
+
+    argument :scanner, [GraphQL::STRING_TYPE], 
+             required: false,
+             description: 'Filter vulnerability findings by Scanner.externalId.'
+
+    def resolve(**args)
+      Security::PipelineVulnerabilitiesFinder.new(pipeline: pipeline, params: args).execute.findings
+    end
+  end
+end
+
+ 
+  
\ No newline at end of file
--- a/ee/app/graphql/types/pipeline_security_report_finding_type.rb
+++ b/ee/app/graphql/types/pipeline_security_report_finding_type.rb
+# frozen_string_literal: true
+
+module Types
+  # rubocop: disable Graphql/AuthorizeTypes
+  class PipelineSecurityReportFindingType < BaseObject
+    graphql_name 'PipelineSecurityReportFinding'
+
+    description 'Represents vulnerability finding of a security report on the pipeline'
+
+    field :report_type, VulnerabilityReportTypeEnum, null: true,
+          description: "Type of the security report that found the vulnerability finding"  
+
+    field :name, GraphQL::STRING_TYPE, null: true,
+          description: 'Name of the vulnerability finding'
+
+    field :severity, VulnerabilitySeverityEnum, null: true,
+          description: "Severity of the vulnerability finding" 
+
+    field :confidence, GraphQL::STRING_TYPE, null: true,
+          description: "Type of the security report that found the vulnerability "      
+
+    field :scanner, VulnerabilityScannerType, null: true,
+          description: 'Scanner metadata for the vulnerability.'
+
+    field :identifiers, [VulnerabilityIdentifierType], null: false,
+          description: 'Identifiers of the vulnerabilit finding.'
+
+    field :project_fingerprint, GraphQL::STRING_TYPE, null: true,
+          description: 'Name of the vulnerability finding'
+    
+    field :uuid, GraphQL::STRING_TYPE, null: true,
+          description: 'Name of the vulnerability finding'
+
+    field :project, ::Types::ProjectType, null: true,
+          description: 'The project on which the vulnerability finding was found',
+          authorize: :read_project          
+
+    field :description, GraphQL::STRING_TYPE, null: true,
+          description: 'Description of the vulnerability finding'
+  
+    field :location, VulnerabilityLocationType, null: true,
+          description: 'Location metadata for the vulnerability. Its fields depend on the type of security scan that found the vulnerability'
+
+    field :solution, GraphQL::STRING_TYPE, null: true,
+          description: "URL to the vulnerability's details page"
+
+    def location
+      object.location&.merge(report_type: object.report_type)
+    end
+  end
+end
--- a/ee/changelogs/unreleased/298760-security-report-findings.yml
+++ b/ee/changelogs/unreleased/298760-security-report-findings.yml
+---
+title: Extend GraphQL Ci::PipelineType to include Security Report Findings
+merge_request: 54104
+author:
+type: added
--- a/ee/spec/graphql/resolvers/pipeline_security_report_findings_resolver_spec.rb
+++ b/ee/spec/graphql/resolvers/pipeline_security_report_findings_resolver_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Resolvers::PipelineSecurityReportFindingsResolver do
+  include GraphqlHelpers
+
+  let_it_be(:project) { create(:project, :repository) }
+  let_it_be(:pipeline, reload: true) { create(:ci_pipeline, :success, project: project) }
+
+  describe '#resolve' do
+    subject { resolve(described_class, obj: pipeline, args: params) }
+
+    let_it_be(:low_vulnerability_finding) { build(:vulnerabilities_finding, severity: :low, report_type: :dast, project: project) }
+    let_it_be(:critical_vulnerability_finding) { build(:vulnerabilities_finding, severity: :critical, report_type: :sast, project: project) }
+    let_it_be(:high_vulnerability_finding) { build(:vulnerabilities_finding, severity: :high, report_type: :container_scanning, project: project) }
+ 
+    let(:params) { {} }
+
+    before do 
+      allow_any_instance_of(Security::PipelineVulnerabilitiesFinder).to receive_message_chain(:execute, :findings).and_return(returned_findings)
+    end
+
+    context 'when given severities' do
+      let(:params) { { severity: ['low'] } }
+      let(:returned_findings) { [low_vulnerability_finding] }
+
+      it 'returns vulnerability findings of the given severities' do
+        is_expected.to contain_exactly(low_vulnerability_finding)
+      end
+    end
+
+    context 'when given scanner' do
+      let(:params) { { scanner: [high_vulnerability_finding.scanner.external_id] } }
+      let(:returned_findings) { [high_vulnerability_finding] }
+
+      it 'returns vulnerability findings of the given scanner' do
+        is_expected.to contain_exactly(high_vulnerability_finding)
+      end
+    end
+
+    context 'when given report types' do
+      let(:params) { { report_type: %i[dast sast] } }
+      let(:returned_findings) { [critical_vulnerability_finding, low_vulnerability_finding] }
+
+      it 'returns vulnerabilities of the given report types' do
+        is_expected.to contain_exactly(critical_vulnerability_finding, low_vulnerability_finding)
+      end
+    end
+  end
+end
\ No newline at end of file
--- a/ee/spec/graphql/types/ci/pipeline_type_spec.rb
+++ b/ee/spec/graphql/types/ci/pipeline_type_spec.rb
@@ -8,6 +8,7 @@ RSpec.describe GitlabSchema.types['Pipeline'] do
  it 'includes the ee specific fields' do
    expected_fields = %w[
        security_report_summary
+        security_report_findings
    ]

    expect(described_class).to include_graphql_fields(*expected_fields)

--- a/ee/spec/graphql/types/pipeline_security_report_finding_type_spec.rb
+++ b/ee/spec/graphql/types/pipeline_security_report_finding_type_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe GitlabSchema.types['PipelineSecurityReportFinding'] do
+  let_it_be(:fields) do
+    %i[report_type
+       name
+       severity
+       confidence
+       scanner
+       identifiers
+       project_fingerprint
+       uuid
+       project
+       description
+       location
+       solution
+    ]
+  end
+
+  specify { expect(described_class.graphql_name).to eq('PipelineSecurityReportFinding') }
+
+  it { expect(described_class).to have_graphql_fields(fields) }
+end
--- a/ee/spec/requests/api/graphql/project/pipeline/security_report_finding_spec.rb
+++ b/ee/spec/requests/api/graphql/project/pipeline/security_report_finding_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'Query.project(fullPath).pipeline(iid).securityReportFinding' do
+  let_it_be(:project) { create(:project, :repository) }
+  let_it_be(:pipeline) { create(:ci_pipeline, :success, project: project) }
+  let_it_be(:user) { create(:user) }
+
+  before_all do
+    create(:ci_build, :success, name: 'dast_job', pipeline: pipeline, project: project) do |job|
+      create(:ee_ci_job_artifact, :dast_large_scanned_resources_field, job: job, project: project)
+    end
+    create(:ci_build, :success, name: 'sast_job', pipeline: pipeline, project: project) do |job|
+      create(:ee_ci_job_artifact, :sast, job: job, project: project)
+    end
+  end
+
+  let_it_be(:query) do
+    %(
+      query {
+        project(fullPath: "#{project.full_path}") {
+          pipeline(iid: "#{pipeline.iid}") {
+            securityReportFindings(reportType: ["sast", "dast"]) {
+              nodes {
+                confidence
+                severity
+                reportType
+                name
+                scanner {
+                  name
+                }
+                projectFingerprint
+                identifiers {
+                  name
+                }
+                uuid
+                solution
+                description
+                project {
+                  fullPath
+                  visibility
+                }
+              }
+            }    
+          }
+        }
+      }
+    )
+  end
+
+  before do
+    stub_licensed_features(sast: true, dast: true)
+    project.add_developer(user)
+  end
+
+  subject { GitlabSchema.execute(query, context: { current_user: user }).as_json }
+
+  let(:security_report_findings) { subject.dig('data', 'project', 'pipeline', 'securityReportFindings', 'nodes') }
+
+  it 'returns all the vulnerability findings' do
+    expect(security_report_findings.length).to eq(53)
+  end
+
+  it 'returns all the queried fields' do
+    security_report_finding = security_report_findings.first 
+
+    expect(security_report_finding.dig('project', 'fullPath')).to eq(project.full_path)
+    expect(security_report_finding.dig('project', 'visibility')).to eq(project.visibility)
+    expect(security_report_finding['identifiers'].length).to eq(3)
+    expect(security_report_finding['confidence']).not_to be_nil
+    expect(security_report_finding['severity']).not_to be_nil
+    expect(security_report_finding['reportType']).not_to be_nil
+    expect(security_report_finding['name']).not_to be_nil
+    expect(security_report_finding['projectFingerprint']).not_to be_nil
+    expect(security_report_finding['uuid']).not_to be_nil
+    expect(security_report_finding['solution']).not_to be_nil
+    expect(security_report_finding['description']).not_to be_nil
+  end
+end
\ No newline at end of file