Merge branch '210327-add-scanner-filter' into 'master'

Add scanner filter in Vulnerability GraphQL API

See merge request gitlab-org/gitlab!34824

doc/api/graphql/reference/gitlab_schema.graphql

@@ -5127,6 +5127,11 @@ type Group {
     """
     reportType: [VulnerabilityReportType!]
 
+    """
+    Filter vulnerabilities by scanner
+    """
+    scanner: [String!]
+
     """
     Filter vulnerabilities by severity
     """
@@ -9454,6 +9459,11 @@ type Project {
     """
     reportType: [VulnerabilityReportType!]
 
+    """
+    Filter vulnerabilities by scanner
+    """
+    scanner: [String!]
+
     """
     Filter vulnerabilities by severity
     """
@@ -10100,6 +10110,11 @@ type Query {
     """
     reportType: [VulnerabilityReportType!]
 
+    """
+    Filter vulnerabilities by scanner
+    """
+    scanner: [String!]
+
     """
     Filter vulnerabilities by severity
     """

doc/api/graphql/reference/gitlab_schema.json

@@ -14003,6 +14003,24 @@
                   },
                   "defaultValue": null
                 },
+                {
+                  "name": "scanner",
+                  "description": "Filter vulnerabilities by scanner",
+                  "type": {
+                    "kind": "LIST",
+                    "name": null,
+                    "ofType": {
+                      "kind": "NON_NULL",
+                      "name": null,
+                      "ofType": {
+                        "kind": "SCALAR",
+                        "name": "String",
+                        "ofType": null
+                      }
+                    }
+                  },
+                  "defaultValue": null
+                },
                 {
                   "name": "after",
                   "description": "Returns the elements in the list that come after the specified cursor.",
@@ -27629,6 +27647,24 @@
                   },
                   "defaultValue": null
                 },
+                {
+                  "name": "scanner",
+                  "description": "Filter vulnerabilities by scanner",
+                  "type": {
+                    "kind": "LIST",
+                    "name": null,
+                    "ofType": {
+                      "kind": "NON_NULL",
+                      "name": null,
+                      "ofType": {
+                        "kind": "SCALAR",
+                        "name": "String",
+                        "ofType": null
+                      }
+                    }
+                  },
+                  "defaultValue": null
+                },
                 {
                   "name": "after",
                   "description": "Returns the elements in the list that come after the specified cursor.",
@@ -29613,6 +29649,24 @@
                   },
                   "defaultValue": null
                 },
+                {
+                  "name": "scanner",
+                  "description": "Filter vulnerabilities by scanner",
+                  "type": {
+                    "kind": "LIST",
+                    "name": null,
+                    "ofType": {
+                      "kind": "NON_NULL",
+                      "name": null,
+                      "ofType": {
+                        "kind": "SCALAR",
+                        "name": "String",
+                        "ofType": null
+                      }
+                    }
+                  },
+                  "defaultValue": null
+                },
                 {
                   "name": "after",
                   "description": "Returns the elements in the list that come after the specified cursor.",

ee/app/finders/security/vulnerabilities_finder.rb

@@ -27,6 +27,7 @@ module Security
       filter_by_report_types
       filter_by_severities
       filter_by_states
+      filter_by_scanners
 
       vulnerabilities
     end
@@ -58,5 +59,11 @@ module Security
         @vulnerabilities = vulnerabilities.with_states(filters[:state])
       end
     end
+
+    def filter_by_scanners
+      if filters[:scanner].present?
+        @vulnerabilities = vulnerabilities.with_scanners(filters[:scanner])
+      end
+    end
   end
 end

ee/app/graphql/resolvers/vulnerabilities_resolver.rb

@@ -22,6 +22,10 @@ module Resolvers
              required: false,
              description: 'Filter vulnerabilities by state'
 
+    argument :scanner, [GraphQL::STRING_TYPE],
+             required: false,
+             description: 'Filter vulnerabilities by scanner'
+
     def resolve(**args)
       return Vulnerability.none unless vulnerable
 

ee/app/models/vulnerabilities/occurrence.rb

@@ -79,7 +79,7 @@ module Vulnerabilities
     validates :metadata_version, presence: true
     validates :raw_metadata, presence: true
 
-    delegate :name, to: :scanner, prefix: true, allow_nil: true
+    delegate :name, :external_id, to: :scanner, prefix: true, allow_nil: true
 
     scope :report_type, -> (type) { where(report_type: report_types[type]) }
     scope :ordered, -> { order(severity: :desc, confidence: :desc, id: :asc) }

ee/app/models/vulnerability.rb

@@ -65,6 +65,7 @@ class Vulnerability < ApplicationRecord
   scope :with_report_types, -> (report_types) { where(report_type: report_types) }
   scope :with_severities, -> (severities) { where(severity: severities) }
   scope :with_states, -> (states) { where(state: states) }
+  scope :with_scanners, -> (scanners) { joins(findings: :scanner).merge(Vulnerabilities::Scanner.with_external_id(scanners)) }
   scope :counts_by_severity, -> { group(:severity).count }
 
   class << self
@@ -110,7 +111,7 @@ class Vulnerability < ApplicationRecord
     super || finding&.dismissal_feedback&.author_id
   end
 
-  delegate :scanner_name, :metadata, :message, :cve,
+  delegate :scanner_name, :scanner_external_id, :metadata, :message, :cve,
            to: :finding, prefix: true, allow_nil: true
 
   delegate :default_branch, :name, to: :project, prefix: true, allow_nil: true

ee/changelogs/unreleased/210327-add-scanner-filter.yml

+---
+title: Add scanner filter in Vulnerability GraphQL API
+merge_request: 34824
+author:
+type: added

ee/spec/finders/security/vulnerabilities_finder_spec.rb

@@ -6,15 +6,15 @@ RSpec.describe Security::VulnerabilitiesFinder do
   let_it_be(:project) { create(:project) }
 
   let_it_be(:vulnerability1) do
-    create(:vulnerability, severity: :low, report_type: :sast, state: :detected, project: project)
+    create(:vulnerability, :with_findings, severity: :low, report_type: :sast, state: :detected, project: project)
   end
 
   let_it_be(:vulnerability2) do
-    create(:vulnerability, severity: :medium, report_type: :dast, state: :dismissed, project: project)
+    create(:vulnerability, :with_findings, severity: :medium, report_type: :dast, state: :dismissed, project: project)
   end
 
   let_it_be(:vulnerability3) do
-    create(:vulnerability, severity: :high, report_type: :dependency_scanning, state: :confirmed, project: project)
+    create(:vulnerability, :with_findings, severity: :high, report_type: :dependency_scanning, state: :confirmed, project: project)
   end
 
   let(:filters) { {} }
@@ -58,6 +58,14 @@ RSpec.describe Security::VulnerabilitiesFinder do
     end
   end
 
+  context 'when filtered by scanner' do
+    let(:filters) { { scanner: [vulnerability1.finding_scanner_external_id, vulnerability3.finding_scanner_external_id] } }
+
+    it 'only returns vulnerabilities matching the given scanners' do
+      is_expected.to contain_exactly(vulnerability1, vulnerability3)
+    end
+  end
+
   context 'when filtered by project' do
     let(:group) { create(:group) }
     let(:another_project) { create(:project, namespace: group) }

ee/spec/graphql/resolvers/vulnerabilities_resolver_spec.rb

@@ -12,15 +12,15 @@ RSpec.describe Resolvers::VulnerabilitiesResolver do
     let_it_be(:user) { create(:user, security_dashboard_projects: [project]) }
 
     let_it_be(:low_vulnerability) do
-      create(:vulnerability, :detected, :low, :dast, project: project)
+      create(:vulnerability, :with_findings, :detected, :low, :dast, project: project)
     end
 
     let_it_be(:critical_vulnerability) do
-      create(:vulnerability, :detected, :critical, :sast, project: project)
+      create(:vulnerability, :with_findings, :detected, :critical, :sast, project: project)
     end
 
     let_it_be(:high_vulnerability) do
-      create(:vulnerability, :dismissed, :high, :container_scanning, project: project)
+      create(:vulnerability, :with_findings, :dismissed, :high, :container_scanning, project: project)
     end
 
     let(:current_user) { user }
@@ -49,6 +49,14 @@ RSpec.describe Resolvers::VulnerabilitiesResolver do
       end
     end
 
+    context 'when given scanner' do
+      let(:filters) { { scanner: [high_vulnerability.finding_scanner_external_id] } }
+
+      it 'only returns vulnerabilities of the given scanner' do
+        is_expected.to contain_exactly(high_vulnerability)
+      end
+    end
+
     context 'when given report types' do
       let(:filters) { { report_type: %i[dast sast] } }
 

ee/spec/models/vulnerability_spec.rb

@@ -140,6 +140,19 @@ RSpec.describe Vulnerability do
     end
   end
 
+  describe '.with_scanners' do
+    let!(:detected_vulnerability) { create(:vulnerability, :detected, :with_findings) }
+    let!(:dismissed_vulnerability) { create(:vulnerability, :dismissed, :with_findings) }
+    let!(:confirmed_vulnerability) { create(:vulnerability, :confirmed, :with_findings) }
+    let(:scanners) { [detected_vulnerability.finding_scanner_external_id, confirmed_vulnerability.finding_scanner_external_id] }
+
+    subject { described_class.with_scanners(scanners) }
+
+    it 'returns vulnerabilities matching the given scanners' do
+      is_expected.to contain_exactly(detected_vulnerability, confirmed_vulnerability)
+    end
+  end
+
   describe '.ordered' do
     subject { described_class.ordered }