Merge branch '210327-add-scanner-vendor-graphql-type' into 'master'

Add VulnerabilityScanner to be queried as single GraphQL type See merge request gitlab-org/gitlab!35109

Merge branch '210327-add-scanner-vendor-graphql-type' into 'master'
Add VulnerabilityScanner to be queried as single GraphQL type See merge request gitlab-org/gitlab!35109
216f8214 · Dmytro Zaporozhets · a8ade726 · e587d114 · 216f8214 · 216f8214
Commit 216f8214 authored Jul 02, 2020 by Dmytro Zaporozhets
28 changed files
--- a/doc/api/graphql/reference/gitlab_schema.graphql
+++ b/doc/api/graphql/reference/gitlab_schema.graphql
@@ -5398,6 +5398,31 @@ type Group {
    startDate: ISO8601Date!
  ): VulnerabilitiesCountByDayAndSeverityConnection
+  """
+  Vulnerability scanners reported on the project vulnerabilties of the group and its subgroups
+  """
+  vulnerabilityScanners(
+    """
+    Returns the elements in the list that come after the specified cursor.
+    """
+    after: String
+    """
+    Returns the elements in the list that come before the specified cursor.
+    """
+    before: String
+    """
+    Returns the first _n_ elements from the list.
+    """
+    first: Int
+    """
+    Returns the last _n_ elements from the list.
+    """
+    last: Int
+  ): VulnerabilityScannerConnection
  """
  Web URL of the group
  """
@@ -5525,6 +5550,31 @@ type InstanceSecurityDashboard {
    """
    last: Int
  ): ProjectConnection!
+  """
+  Vulnerability scanners reported on the vulnerabilties from projects selected in Instance Security Dashboard
+  """
+  vulnerabilityScanners(
+    """
+    Returns the elements in the list that come after the specified cursor.
+    """
+    after: String
+    """
+    Returns the elements in the list that come before the specified cursor.
+    """
+    before: String
+    """
+    Returns the first _n_ elements from the list.
+    """
+    first: Int
+    """
+    Returns the last _n_ elements from the list.
+    """
+    last: Int
+  ): VulnerabilityScannerConnection
 }
 """
@@ -9776,6 +9826,31 @@ type Project {
    state: [VulnerabilityState!]
  ): VulnerabilityConnection
+  """
+  Vulnerability scanners reported on the project vulnerabilties
+  """
+  vulnerabilityScanners(
+    """
+    Returns the elements in the list that come after the specified cursor.
+    """
+    after: String
+    """
+    Returns the elements in the list that come before the specified cursor.
+    """
+    before: String
+    """
+    Returns the first _n_ elements from the list.
+    """
+    first: Int
+    """
+    Returns the last _n_ elements from the list.
+    """
+    last: Int
+  ): VulnerabilityScannerConnection
  """
  Counts for each severity of vulnerability of the project
  """
@@ -14458,6 +14533,51 @@ type VulnerabilityScanner {
  Name of the vulnerability scanner
  """
  name: String
+  """
+  Type of the vulnerability report
+  """
+  reportType: VulnerabilityReportType
+  """
+  Vendor of the vulnerability scanner
+  """
+  vendor: String
+}
+"""
+The connection type for VulnerabilityScanner.
+"""
+type VulnerabilityScannerConnection {
+  """
+  A list of edges.
+  """
+  edges: [VulnerabilityScannerEdge]
+  """
+  A list of nodes.
+  """
+  nodes: [VulnerabilityScanner]
+  """
+  Information to aid in pagination.
+  """
+  pageInfo: PageInfo!
+}
+"""
+An edge in a connection.
+"""
+type VulnerabilityScannerEdge {
+  """
+  A cursor for use in pagination.
+  """
+  cursor: String!
+  """
+  The item at the end of the edge.
+  """
+  node: VulnerabilityScanner
 }
 """

--- a/doc/api/graphql/reference/gitlab_schema.json
+++ b/doc/api/graphql/reference/gitlab_schema.json
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -2222,6 +2222,8 @@ Represents a vulnerability scanner.
 | ---   |  ---- | ----------  |
 | `externalId` | String | External ID of the vulnerability scanner |
 | `name` | String | Name of the vulnerability scanner |
+| `reportType` | VulnerabilityReportType | Type of the vulnerability report |
+| `vendor` | String | Vendor of the vulnerability scanner |
 ## VulnerabilitySeveritiesCount

--- a/ee/app/graphql/ee/types/group_type.rb
+++ b/ee/app/graphql/ee/types/group_type.rb
@@ -36,6 +36,12 @@ module EE
              description: 'Vulnerabilities reported on the projects in the group and its subgroups',
              resolver: ::Resolvers::VulnerabilitiesResolver
+        field :vulnerability_scanners,
+              ::Types::VulnerabilityScannerType.connection_type,
+              null: true,
+              description: 'Vulnerability scanners reported on the project vulnerabilties of the group and its subgroups',
+              resolver: ::Resolvers::Vulnerabilities::ScannersResolver
        field :vulnerabilities_count_by_day_and_severity,
              ::Types::VulnerabilitiesCountByDayAndSeverityType.connection_type,
              null: true,

--- a/ee/app/graphql/ee/types/project_type.rb
+++ b/ee/app/graphql/ee/types/project_type.rb
@@ -18,6 +18,12 @@ module EE
              description: 'Vulnerabilities reported on the project',
              resolver: ::Resolvers::VulnerabilitiesResolver
+        field :vulnerability_scanners,
+              ::Types::VulnerabilityScannerType.connection_type,
+              null: true,
+              description: 'Vulnerability scanners reported on the project vulnerabilties',
+              resolver: ::Resolvers::Vulnerabilities::ScannersResolver
        field :vulnerability_severities_count, ::Types::VulnerabilitySeveritiesCountType, null: true,
               description: 'Counts for each severity of vulnerability of the project',
               resolve: -> (obj, _args, ctx) do

--- a/ee/app/graphql/representation/vulnerability_scanner_entry.rb
+++ b/ee/app/graphql/representation/vulnerability_scanner_entry.rb
+# frozen_string_literal: true
+module Representation
+  class VulnerabilityScannerEntry < SimpleDelegator
+    def initialize(raw_entry, report_type = raw_entry[:report_type])
+      @report_type = report_type
+      super(raw_entry)
+    end
+    attr_reader :raw_entry
+    def report_type
+      ::Vulnerabilities::Occurrence::REPORT_TYPES.key(@report_type) || @report_type
+    end
+    def ==(other)
+      self.class === other && id == other.id && report_type == other.report_type
+    end
+    def self.declarative_policy_class
+      'Vulnerabilities::ScannerPolicy'
+    end
+  end
+end
--- a/ee/app/graphql/resolvers/vulnerabilities/scanners_resolver.rb
+++ b/ee/app/graphql/resolvers/vulnerabilities/scanners_resolver.rb
+# frozen_string_literal: true
+module Resolvers
+  module Vulnerabilities
+    class ScannersResolver < VulnerabilitiesBaseResolver
+      type Types::VulnerabilityScannerType, null: true
+      def resolve(**args)
+        return ::Vulnerabilities::Scanner.none unless vulnerable
+        vulnerable
+          .vulnerability_scanners
+          .with_report_type
+          .map(&Representation::VulnerabilityScannerEntry.method(:new))
+      end
+    end
+  end
+end
--- a/ee/app/graphql/resolvers/vulnerabilities_resolver.rb
+++ b/ee/app/graphql/resolvers/vulnerabilities_resolver.rb
@@ -29,7 +29,7 @@ module Resolvers
    def resolve(**args)
      return Vulnerability.none unless vulnerable
-      vulnerabilities(args).with_findings.ordered
+      vulnerabilities(args).with_findings_and_scanner.ordered
    end
    private

--- a/ee/app/graphql/types/instance_security_dashboard_type.rb
+++ b/ee/app/graphql/types/instance_security_dashboard_type.rb
@@ -11,5 +11,11 @@ module Types
          null: false,
          authorize: :read_project,
          description: 'Projects selected in Instance Security Dashboard'
+    field :vulnerability_scanners,
+          ::Types::VulnerabilityScannerType.connection_type,
+          null: true,
+          description: 'Vulnerability scanners reported on the vulnerabilties from projects selected in Instance Security Dashboard',
+          resolver: ::Resolvers::Vulnerabilities::ScannersResolver
  end
 end
--- a/ee/app/graphql/types/vulnerability_scanner_type.rb
+++ b/ee/app/graphql/types/vulnerability_scanner_type.rb
 # frozen_string_literal: true
 module Types
-  # rubocop: disable Graphql/AuthorizeTypes
  class VulnerabilityScannerType < BaseObject
    graphql_name 'VulnerabilityScanner'
    description 'Represents a vulnerability scanner.'
+    authorize :read_vulnerability_scanner
    field :name, GraphQL::STRING_TYPE, null: true,
          description: 'Name of the vulnerability scanner'
    field :external_id, GraphQL::STRING_TYPE, null: true,
          description: 'External ID of the vulnerability scanner'
+    field :vendor, GraphQL::STRING_TYPE, null: true,
+          description: 'Vendor of the vulnerability scanner'
+    field :report_type, VulnerabilityReportTypeEnum, null: true,
+          description: 'Type of the vulnerability report'
  end
-  # rubocop: enable Graphql/AuthorizeTypes
 end
--- a/ee/app/graphql/types/vulnerability_type.rb
+++ b/ee/app/graphql/types/vulnerability_type.rb
@@ -44,7 +44,9 @@ module Types
    field :scanner, VulnerabilityScannerType, null: true,
          description: 'Scanner metadata for the vulnerability.',
-          resolve: -> (obj, _args, _ctx) { obj.finding&.scanner }
+          resolve: -> (obj, _args, _ctx) do
+            Representation::VulnerabilityScannerEntry.new(obj.finding&.scanner, obj.report_type)
+          end
    field :primary_identifier, VulnerabilityIdentifierType, null: true,
          description: 'Primary identifier of the vulnerability.',

--- a/ee/app/models/ee/group.rb
+++ b/ee/app/models/ee/group.rb
@@ -335,6 +335,12 @@ module EE
      )
    end
+    def vulnerability_scanners
+      ::Vulnerabilities::Scanner.where(
+        project: ::Project.for_group_and_its_subgroups(self).non_archived.without_deleted
+      )
+    end
    def max_personal_access_token_lifetime_from_now
      if max_personal_access_token_lifetime.present?
        max_personal_access_token_lifetime.days.from_now

--- a/ee/app/models/instance_security_dashboard.rb
+++ b/ee/app/models/instance_security_dashboard.rb
@@ -32,6 +32,12 @@ class InstanceSecurityDashboard
    Vulnerability.for_projects(projects)
  end
+  def vulnerability_scanners
+    return Vulnerabilities::Scanner.none if projects.empty?
+    Vulnerabilities::Scanner.for_projects(projects)
+  end
  private
  attr_reader :project_ids, :user

--- a/ee/app/models/vulnerabilities/scanner.rb
+++ b/ee/app/models/vulnerabilities/scanner.rb
@@ -14,5 +14,12 @@ module Vulnerabilities
    validates :vendor, length: { maximum: 255, allow_nil: false }
    scope :with_external_id, -> (external_ids) { where(external_id: external_ids) }
+    scope :for_projects, -> (project_ids) { where(project_id: project_ids) }
+    scope :with_report_type, -> do
+      joins(:occurrences)
+        .select('DISTINCT ON ("vulnerability_scanners"."external_id", "vulnerability_occurrences"."report_type") "vulnerability_scanners".*, "vulnerability_occurrences"."report_type" AS "report_type"')
+        .order('"vulnerability_scanners"."external_id" ASC, "vulnerability_occurrences"."report_type" ASC')
+    end
  end
 end
--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -257,7 +257,10 @@ module EE
      rule { can?(:read_project) & iterations_available }.enable :read_iteration
-      rule { security_dashboard_enabled & can?(:developer_access) }.enable :read_vulnerability
+      rule { security_dashboard_enabled & can?(:developer_access) }.policy do
+        enable :read_vulnerability
+        enable :read_vulnerability_scanner
+      end
      rule { on_demand_scans_enabled & can?(:developer_access) }.enable :read_on_demand_scans
@@ -323,6 +326,7 @@ module EE
      rule { auditor & security_dashboard_enabled }.policy do
        enable :read_vulnerability
+        enable :read_vulnerability_scanner
      end
      rule { auditor & ~developer }.policy do

--- a/ee/app/policies/vulnerabilities/scanner_policy.rb
+++ b/ee/app/policies/vulnerabilities/scanner_policy.rb
+# frozen_string_literal: true
+module Vulnerabilities
+  class ScannerPolicy < BasePolicy
+    delegate { @subject.project }
+  end
+end
--- a/ee/changelogs/unreleased/210327-add-scanner-vendor-graphql-type.yml
+++ b/ee/changelogs/unreleased/210327-add-scanner-vendor-graphql-type.yml
+---
+title: Add vulnerability scanner query to GraphQL API
+merge_request: 35109
+author:
+type: added
--- a/ee/spec/graphql/ee/types/group_type_spec.rb
+++ b/ee/spec/graphql/ee/types/group_type_spec.rb
@@ -13,6 +13,7 @@ RSpec.describe GitlabSchema.types['Group'] do
  it { expect(described_class).to have_graphql_field(:groupTimelogsEnabled) }
  it { expect(described_class).to have_graphql_field(:timelogs, complexity: 5) }
  it { expect(described_class).to have_graphql_field(:vulnerabilities) }
+  it { expect(described_class).to have_graphql_field(:vulnerability_scanners) }
  it { expect(described_class).to have_graphql_field(:vulnerabilities_count_by_day_and_severity) }
  describe 'timelogs field' do

--- a/ee/spec/graphql/representation/vulnerability_scanner_entry_spec.rb
+++ b/ee/spec/graphql/representation/vulnerability_scanner_entry_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+RSpec.describe Representation::VulnerabilityScannerEntry do
+  let(:project) { create(:project) }
+  let(:vulnerability_scanner) { create(:vulnerabilities_scanner, project: project) }
+  describe '.declarative_policy_class' do
+    subject { described_class.declarative_policy_class }
+    it { is_expected.to eq('Vulnerabilities::ScannerPolicy') }
+  end
+end
--- a/ee/spec/graphql/resolvers/vulnerabilities/scanners_resolver_spec.rb
+++ b/ee/spec/graphql/resolvers/vulnerabilities/scanners_resolver_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+RSpec.describe Resolvers::Vulnerabilities::ScannersResolver do
+  include GraphqlHelpers
+  describe '#resolve' do
+    subject { resolve(described_class, obj: vulnerable, args: {}, ctx: { current_user: current_user }) }
+    let_it_be(:group) { create(:group) }
+    let_it_be(:project) { create(:project, group: group) }
+    let_it_be(:project_with_no_group) { create(:project) }
+    let_it_be(:user) { create(:user, security_dashboard_projects: [project_with_no_group]) }
+    let_it_be(:vulnerability_scanner_1) { create(:vulnerabilities_scanner, project: project) }
+    let_it_be(:finding_1) { create(:vulnerabilities_occurrence, project: project, scanner: vulnerability_scanner_1) }
+    let_it_be(:vulnerability_scanner_2) { create(:vulnerabilities_scanner, project: project_with_no_group) }
+    let_it_be(:finding_2) { create(:vulnerabilities_occurrence, project: project_with_no_group, scanner: vulnerability_scanner_2) }
+    let(:current_user) { user }
+    let(:vulnerable) { nil }
+    context 'when listing scanners for group' do
+      let(:vulnerable) { group }
+      it { is_expected.to contain_exactly(Representation::VulnerabilityScannerEntry.new(vulnerability_scanner_1, finding_1.report_type)) }
+    end
+    context 'when listing scanners for project' do
+      let(:vulnerable) { project_with_no_group }
+      it { is_expected.to contain_exactly(Representation::VulnerabilityScannerEntry.new(vulnerability_scanner_2, finding_2.report_type)) }
+    end
+    context 'when listing scanners for instance dashboard' do
+      let(:vulnerable) { nil }
+      before do
+        project_with_no_group.add_developer(current_user)
+      end
+      it { is_expected.to contain_exactly(Representation::VulnerabilityScannerEntry.new(vulnerability_scanner_2, finding_2.report_type)) }
+    end
+  end
+end
--- a/ee/spec/graphql/types/instance_security_dashboard_type_spec.rb
+++ b/ee/spec/graphql/types/instance_security_dashboard_type_spec.rb
@@ -8,7 +8,7 @@ RSpec.describe GitlabSchema.types['InstanceSecurityDashboard'] do
  let_it_be(:user) { create(:user, security_dashboard_projects: [project]) }
  let(:fields) do
-    %i[projects]
+    %i[projects vulnerability_scanners]
  end
  before do

--- a/ee/spec/graphql/types/project_type_spec.rb
+++ b/ee/spec/graphql/types/project_type_spec.rb
@@ -15,7 +15,7 @@ RSpec.describe GitlabSchema.types['Project'] do
  it 'includes the ee specific fields' do
    expected_fields = %w[
-      service_desk_enabled service_desk_address vulnerabilities
+      service_desk_enabled service_desk_address vulnerabilities vulnerability_scanners
      requirement_states_count vulnerability_severities_count packages
      compliance_frameworks
    ]

--- a/ee/spec/graphql/types/vulnerability_scanner_type_spec.rb
+++ b/ee/spec/graphql/types/vulnerability_scanner_type_spec.rb
@@ -3,5 +3,21 @@
 require 'spec_helper'
 RSpec.describe GitlabSchema.types['VulnerabilityScanner'] do
-  it { expect(described_class).to have_graphql_fields(:name, :external_id) }
+  let_it_be(:project) { create(:project) }
+  let_it_be(:user) { create(:user) }
+  let(:fields) do
+    %i[name external_id vendor report_type]
+  end
+  before do
+    stub_licensed_features(security_dashboard: true)
+    project.add_developer(user)
+  end
+  subject { GitlabSchema.execute(query, context: { current_user: user }).as_json }
+  it { expect(described_class).to have_graphql_fields(fields) }
+  it { expect(described_class).to require_graphql_authorizations(:read_vulnerability_scanner) }
 end
--- a/ee/spec/models/group_spec.rb
+++ b/ee/spec/models/group_spec.rb
@@ -316,6 +316,24 @@ RSpec.describe Group do
    end
  end
+  describe '#vulnerability_scanners' do
+    subject { group.vulnerability_scanners }
+    let(:subgroup) { create(:group, parent: group) }
+    let(:group_project) { create(:project, namespace: group) }
+    let(:subgroup_project) { create(:project, namespace: subgroup) }
+    let(:archived_project) { create(:project, :archived, namespace: group) }
+    let(:deleted_project) { create(:project, pending_delete: true, namespace: group) }
+    let!(:group_vulnerability_scanner) { create(:vulnerabilities_scanner, project: group_project) }
+    let!(:subgroup_vulnerability_scanner) { create(:vulnerabilities_scanner, project: subgroup_project) }
+    let!(:archived_vulnerability_scanner) { create(:vulnerabilities_scanner, project: archived_project) }
+    let!(:deleted_vulnerability_scanner) { create(:vulnerabilities_scanner, project: deleted_project) }
+    it 'returns vulnerability scanners for all non-archived, non-deleted projects in the group and its subgroups' do
+      is_expected.to contain_exactly(group_vulnerability_scanner, subgroup_vulnerability_scanner)
+    end
+  end
  describe '#mark_ldap_sync_as_failed' do
    it 'sets the state to failed' do
      group.start_ldap_sync

--- a/ee/spec/models/instance_security_dashboard_spec.rb
+++ b/ee/spec/models/instance_security_dashboard_spec.rb
@@ -119,6 +119,25 @@ RSpec.describe InstanceSecurityDashboard do
    end
  end
+  describe '#vulnerability_scanners' do
+    let_it_be(:vulnerability_scanner1) { create(:vulnerabilities_scanner, project: project1) }
+    let_it_be(:vulnerability_scanner2) { create(:vulnerabilities_scanner, project: project2) }
+    context 'when the user cannot read all resources' do
+      it 'returns only vulnerability scanners from projects on their dashboard that they can read' do
+        expect(subject.vulnerability_scanners).to contain_exactly(vulnerability_scanner1)
+      end
+    end
+    context 'when the user can read all resources' do
+      let(:user) { create(:auditor) }
+      it "returns vulnerability scanners from all projects on the user's dashboard" do
+        expect(subject.vulnerability_scanners).to contain_exactly(vulnerability_scanner1, vulnerability_scanner2)
+      end
+    end
+  end
  describe '#full_path' do
    let(:user) { create(:user) }

--- a/ee/spec/models/project_spec.rb
+++ b/ee/spec/models/project_spec.rb
@@ -33,6 +33,7 @@ RSpec.describe Project do
    it { is_expected.to have_many(:path_locks) }
    it { is_expected.to have_many(:vulnerability_feedback) }
    it { is_expected.to have_many(:vulnerability_exports) }
+    it { is_expected.to have_many(:vulnerability_scanners) }
    it { is_expected.to have_many(:audit_events).dependent(false) }
    it { is_expected.to have_many(:protected_environments) }
    it { is_expected.to have_many(:approvers).dependent(:destroy) }

--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -37,7 +37,7 @@ RSpec.describe ProjectPolicy do
    let(:additional_developer_permissions) do
      %i[
        admin_vulnerability_feedback read_project_security_dashboard read_feature_flag
-        read_vulnerability create_vulnerability create_vulnerability_export admin_vulnerability
+        read_vulnerability read_vulnerability_scanner create_vulnerability create_vulnerability_export admin_vulnerability
        admin_vulnerability_issue_link read_merge_train
      ]
    end
@@ -53,7 +53,7 @@ RSpec.describe ProjectPolicy do
        read_pipeline read_build read_commit_status read_container_image
        read_environment read_deployment read_merge_request read_pages
        create_merge_request_in award_emoji
-        read_project_security_dashboard read_vulnerability
+        read_project_security_dashboard read_vulnerability read_vulnerability_scanner
        read_software_license_policy
        read_threat_monitoring read_merge_train
      ]

--- a/ee/spec/policies/vulnerabilities/scanner_policy_spec.rb
+++ b/ee/spec/policies/vulnerabilities/scanner_policy_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+RSpec.describe Vulnerabilities::ScannerPolicy do
+  describe 'read_vulnerability_scanner' do
+    let(:project) { create(:project) }
+    let(:user) { create(:user) }
+    let(:vulnerability_scanner) { create(:vulnerabilities_scanner, project: project) }
+    subject { described_class.new(user, vulnerability_scanner) }
+    context 'when the security_dashboard feature is enabled' do
+      before do
+        stub_licensed_features(security_dashboard: true)
+      end
+      context "when the current user has developer access to the vulnerability's project" do
+        before do
+          project.add_developer(user)
+        end
+        it { is_expected.to be_allowed(:read_vulnerability_scanner) }
+      end
+      context "when the current user does not have developer access to the vulnerability's project" do
+        it { is_expected.to be_disallowed(:read_vulnerability_scanner) }
+      end
+    end
+    context 'when the security_dashboard feature is disabled' do
+      before do
+        stub_licensed_features(security_dashboard: false)
+        project.add_developer(user)
+      end
+      it { is_expected.to be_disallowed(:read_vulnerability_scanner) }
+    end
+  end
+end