Merge branch 'graphql_for_false_positive' into 'master'

Add false-positive info of Vulnerability in GraphQL query See merge request gitlab-org/gitlab!66960

Merge branch 'graphql_for_false_positive' into 'master'
Add false-positive info of Vulnerability in GraphQL query See merge request gitlab-org/gitlab!66960
10f52d3a · James Fargher · 432f80e4 · dfaaceac · 10f52d3a · 10f52d3a
Commit 10f52d3a authored Aug 09, 2021 by James Fargher
3 changed files
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -13885,6 +13885,7 @@ Represents a vulnerability.
 | <a id="vulnerabilitydismissedat"></a>`dismissedAt` | [`Time`](#time) | Timestamp of when the vulnerability state was changed to dismissed. |
 | <a id="vulnerabilitydismissedby"></a>`dismissedBy` | [`UserCore`](#usercore) | The user that dismissed the vulnerability. |
 | <a id="vulnerabilityexternalissuelinks"></a>`externalIssueLinks` | [`VulnerabilityExternalIssueLinkConnection!`](#vulnerabilityexternalissuelinkconnection) | List of external issue links related to the vulnerability. (see [Connections](#connections)) |
+| <a id="vulnerabilityfalsepositive"></a>`falsePositive` | [`Boolean`](#boolean) | Indicates whether the vulnerability is a false positive. Available only when feature flag `vulnerability_flags` is enabled. This flag is disabled by default, because the feature is experimental and is subject to change without notice. |
 | <a id="vulnerabilityhassolutions"></a>`hasSolutions` | [`Boolean`](#boolean) | Indicates whether there is a solution available for this vulnerability. |
 | <a id="vulnerabilityid"></a>`id` | [`ID!`](#id) | GraphQL ID of the vulnerability. |
 | <a id="vulnerabilityidentifiers"></a>`identifiers` | [`[VulnerabilityIdentifier!]!`](#vulnerabilityidentifier) | Identifiers of the vulnerability. |

--- a/ee/app/graphql/types/vulnerability_type.rb
+++ b/ee/app/graphql/types/vulnerability_type.rb
@@ -94,6 +94,11 @@ module Types
          description: 'Details of the vulnerability.',
          resolver: Resolvers::Vulnerabilities::DetailsResolver
+    field :false_positive, GraphQL::Types::Boolean, null: true,
+          description: 'Indicates whether the vulnerability is a false positive.',
+          resolver_method: :false_positive?,
+          feature_flag: :vulnerability_flags
    def confirmed_by
      ::Gitlab::Graphql::Loaders::BatchModelLoader.new(::User, object.confirmed_by_id).find
    end
@@ -146,5 +151,17 @@ module Types
    def has_solutions?
      object.finding&.remediations&.any?
    end
+    def false_positive?
+      return unless expose_false_positive?
+      object.finding&.false_positive? || false
+    end
+    private
+    def expose_false_positive?
+      object.project.licensed_feature_available?(:sast_fp_reduction)
+    end
  end
 end
--- a/ee/spec/graphql/types/vulnerability_type_spec.rb
+++ b/ee/spec/graphql/types/vulnerability_type_spec.rb
@@ -30,6 +30,7 @@ RSpec.describe GitlabSchema.types['Vulnerability'] do
       notes
       external_issue_links
       has_solutions
+       false_positive
       merge_request
       discussions
       confirmed_by
@@ -39,7 +40,7 @@ RSpec.describe GitlabSchema.types['Vulnerability'] do
  end
  before do
-    stub_licensed_features(security_dashboard: true)
+    stub_licensed_features(security_dashboard: true, sast_fp_reduction: true)
    project.add_developer(user)
  end
@@ -107,6 +108,68 @@ RSpec.describe GitlabSchema.types['Vulnerability'] do
    end
  end
+  describe 'false_positive' do
+    let_it_be(:vulnerability_with_finding) { create(:vulnerability, :with_findings, project: project) }
+    let(:query) do
+      %(
+        query {
+          project(fullPath: "#{project.full_path}") {
+            name
+            vulnerabilities {
+              nodes {
+                falsePositive
+              }
+            }
+          }
+        }
+      )
+    end
+    context 'when the vulnerability has a false-positive flag' do
+      before do
+        create(:vulnerabilities_flag, finding: vulnerability_with_finding.finding)
+      end
+      it 'returns true for false positive field' do
+        vulnerabilities = subject.dig('data', 'project', 'vulnerabilities', 'nodes')
+        expect(vulnerabilities.first['falsePositive']).to be(true)
+      end
+    end
+    context 'when the license is missing' do
+      before do
+        stub_licensed_features(security_dashboard: true, sast_fp_reduction: false)
+      end
+      it 'returns nil' do
+        vulnerabilities = subject.dig('data', 'project', 'vulnerabilities', 'nodes')
+        expect(vulnerabilities.first['falsePositive']).to be_nil
+      end
+    end
+    context 'when the vulnerability does not have any false positive flag' do
+      it 'returns false for false-positive field' do
+        vulnerabilities = subject.dig('data', 'project', 'vulnerabilities', 'nodes')
+        expect(vulnerabilities.first['falsePositive']).to be(false)
+      end
+    end
+    context 'when vulnerability_flags FF has been disabled' do
+      before do
+        stub_feature_flags(vulnerability_flags: false)
+      end
+      it 'exposes an error message' do
+        error_msg = subject.dig('errors').first['message']
+        expect(error_msg).to eql("Field 'falsePositive' doesn't exist on type 'Vulnerability'")
+      end
+    end
+  end
  describe '#description' do
    let_it_be(:vulnerability_with_finding) { create(:vulnerability, :with_findings, project: project) }