Add blobPath to VulnerabilityLocation types

- Update documentation - Update schema - Add changelog

Add blobPath to VulnerabilityLocation types
- Update documentation - Update schema - Add changelog
a380cabb · Subashis · f05278b6 · a380cabb · a380cabb · a380cabb
Commit a380cabb authored Jan 25, 2021 by Subashis
14 changed files
--- a/doc/api/graphql/reference/gitlab_schema.graphql
+++ b/doc/api/graphql/reference/gitlab_schema.graphql
@@ -27763,6 +27763,11 @@ type VulnerabilityLocationContainerScanning {
 Represents the location of a vulnerability found by a Coverage Fuzzing scan
 """
 type VulnerabilityLocationCoverageFuzzing {
+  """
+  Blob path to the vulnerable file
+  """
+  blobPath: String
+
  """
  Number of the last relevant line in the vulnerable file
  """
@@ -27818,6 +27823,11 @@ type VulnerabilityLocationDast {
 Represents the location of a vulnerability found by a dependency security scan
 """
 type VulnerabilityLocationDependencyScanning {
+  """
+  Blob path to the vulnerable file
+  """
+  blobPath: String
+
  """
  Dependency containing the vulnerability
  """
@@ -27833,6 +27843,11 @@ type VulnerabilityLocationDependencyScanning {
 Represents the location of a vulnerability found by a SAST scan
 """
 type VulnerabilityLocationSast {
+  """
+  Blob path to the vulnerable file
+  """
+  blobPath: String
+
  """
  Number of the last relevant line in the vulnerable file
  """
@@ -27863,6 +27878,11 @@ type VulnerabilityLocationSast {
 Represents the location of a vulnerability found by a secret detection scan
 """
 type VulnerabilityLocationSecretDetection {
+  """
+  Blob path to the vulnerable file
+  """
+  blobPath: String
+
  """
  Number of the last relevant line in the vulnerable file
  """

--- a/doc/api/graphql/reference/gitlab_schema.json
+++ b/doc/api/graphql/reference/gitlab_schema.json
@@ -80580,6 +80580,20 @@
          "name": "VulnerabilityLocationCoverageFuzzing",
          "description": "Represents the location of a vulnerability found by a Coverage Fuzzing scan",
          "fields": [
+            {
+              "name": "blobPath",
+              "description": "Blob path to the vulnerable file",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "SCALAR",
+                "name": "String",
+                "ofType": null
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
            {
              "name": "endLine",
              "description": "Number of the last relevant line in the vulnerable file",
@@ -80732,6 +80746,20 @@
          "name": "VulnerabilityLocationDependencyScanning",
          "description": "Represents the location of a vulnerability found by a dependency security scan",
          "fields": [
+            {
+              "name": "blobPath",
+              "description": "Blob path to the vulnerable file",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "SCALAR",
+                "name": "String",
+                "ofType": null
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
            {
              "name": "dependency",
              "description": "Dependency containing the vulnerability",
@@ -80773,6 +80801,20 @@
          "name": "VulnerabilityLocationSast",
          "description": "Represents the location of a vulnerability found by a SAST scan",
          "fields": [
+            {
+              "name": "blobPath",
+              "description": "Blob path to the vulnerable file",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "SCALAR",
+                "name": "String",
+                "ofType": null
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
            {
              "name": "endLine",
              "description": "Number of the last relevant line in the vulnerable file",
@@ -80856,6 +80898,20 @@
          "name": "VulnerabilityLocationSecretDetection",
          "description": "Represents the location of a vulnerability found by a secret detection scan",
          "fields": [
+            {
+              "name": "blobPath",
+              "description": "Blob path to the vulnerable file",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "SCALAR",
+                "name": "String",
+                "ofType": null
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
            {
              "name": "endLine",
              "description": "Number of the last relevant line in the vulnerable file",
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -4240,6 +4240,7 @@ Represents the location of a vulnerability found by a Coverage Fuzzing scan.

 | Field | Type | Description |
 | ----- | ---- | ----------- |
+| `blobPath` | String | Blob path to the vulnerable file |
 | `endLine` | String | Number of the last relevant line in the vulnerable file |
 | `file` | String | Path to the vulnerable file |
 | `startLine` | String | Number of the first relevant line in the vulnerable file |
@@ -4263,6 +4264,7 @@ Represents the location of a vulnerability found by a dependency security scan.

 | Field | Type | Description |
 | ----- | ---- | ----------- |
+| `blobPath` | String | Blob path to the vulnerable file |
 | `dependency` | VulnerableDependency | Dependency containing the vulnerability |
 | `file` | String | Path to the vulnerable file |

@@ -4272,6 +4274,7 @@ Represents the location of a vulnerability found by a SAST scan.

 | Field | Type | Description |
 | ----- | ---- | ----------- |
+| `blobPath` | String | Blob path to the vulnerable file |
 | `endLine` | String | Number of the last relevant line in the vulnerable file |
 | `file` | String | Path to the vulnerable file |
 | `startLine` | String | Number of the first relevant line in the vulnerable file |
@@ -4284,6 +4287,7 @@ Represents the location of a vulnerability found by a secret detection scan.

 | Field | Type | Description |
 | ----- | ---- | ----------- |
+| `blobPath` | String | Blob path to the vulnerable file |
 | `endLine` | String | Number of the last relevant line in the vulnerable file |
 | `file` | String | Path to the vulnerable file |
 | `startLine` | String | Number of the first relevant line in the vulnerable file |

--- a/ee/app/graphql/types/vulnerability_location/coverage_fuzzing_type.rb
+++ b/ee/app/graphql/types/vulnerability_location/coverage_fuzzing_type.rb
@@ -23,6 +23,9 @@ module Types

      field :start_line, GraphQL::STRING_TYPE, null: true,
            description: 'Number of the first relevant line in the vulnerable file'
+
+      field :blob_path, GraphQL::STRING_TYPE, null: true,
+            description: 'Blob path to the vulnerable file'
    end
  end
 end
--- a/ee/app/graphql/types/vulnerability_location/dependency_scanning_type.rb
+++ b/ee/app/graphql/types/vulnerability_location/dependency_scanning_type.rb
@@ -12,6 +12,9 @@ module Types

      field :file, GraphQL::STRING_TYPE, null: true,
            description: 'Path to the vulnerable file'
+
+      field :blob_path, GraphQL::STRING_TYPE, null: true,
+            description: 'Blob path to the vulnerable file'
    end
  end
 end
--- a/ee/app/graphql/types/vulnerability_location/sast_type.rb
+++ b/ee/app/graphql/types/vulnerability_location/sast_type.rb
@@ -23,6 +23,9 @@ module Types

      field :start_line, GraphQL::STRING_TYPE, null: true,
            description: 'Number of the first relevant line in the vulnerable file'
+
+      field :blob_path, GraphQL::STRING_TYPE, null: true,
+            description: 'Blob path to the vulnerable file'
    end
  end
 end
--- a/ee/app/graphql/types/vulnerability_location/secret_detection_type.rb
+++ b/ee/app/graphql/types/vulnerability_location/secret_detection_type.rb
@@ -23,6 +23,9 @@ module Types

      field :start_line, GraphQL::STRING_TYPE, null: true,
            description: 'Number of the first relevant line in the vulnerable file'
+
+      field :blob_path, GraphQL::STRING_TYPE, null: true,
+            description: 'Blob path to the vulnerable file'
    end
  end
 end
--- a/ee/app/graphql/types/vulnerability_type.rb
+++ b/ee/app/graphql/types/vulnerability_type.rb
@@ -115,7 +115,13 @@ module Types
    end

    def location
-      object.finding&.location&.merge(report_type: object.report_type)
+      object_location = object.finding&.location
+      if object_location['file']
+        branch = object.finding.pipelines&.last&.sha || project.default_branch
+        blob_path = ::Gitlab::Routing.url_helpers.project_blob_path(object.project, File.join(branch, object_location['file']))
+        object_location&.merge!(blob_path: blob_path) 
+      end
+      object_location&.merge(report_type: object.report_type) 
    end

    def scanner

--- a/ee/changelogs/unreleased/267521-add-blobPath-to-vulnerabilitylocation.yml
+++ b/ee/changelogs/unreleased/267521-add-blobPath-to-vulnerabilitylocation.yml
+---
+title: Add blobPath field to VulnerabilityLocation types in GraphQL
+merge_request: 52599
+author:
+type: added
--- a/ee/spec/graphql/types/vulnerability_location/coverage_fuzzing_type_spec.rb
+++ b/ee/spec/graphql/types/vulnerability_location/coverage_fuzzing_type_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe GitlabSchema.types['VulnerabilityLocationCoverageFuzzing'] do
+  it do
+    expect(described_class).to have_graphql_fields(
+      :vulnerable_class,
+      :end_line,
+      :file,
+      :vulnerable_method,
+      :start_line,
+      :blob_path
+    )
+  end
+end
\ No newline at end of file
--- a/ee/spec/graphql/types/vulnerability_location/dependency_scanning_type_spec.rb
+++ b/ee/spec/graphql/types/vulnerability_location/dependency_scanning_type_spec.rb
@@ -3,5 +3,5 @@
 require 'spec_helper'

 RSpec.describe GitlabSchema.types['VulnerabilityLocationDependencyScanning'] do
-  it { expect(described_class).to have_graphql_fields(:dependency, :file) }
+  it { expect(described_class).to have_graphql_fields(:dependency, :file, :blob_path) }
 end
--- a/ee/spec/graphql/types/vulnerability_location/sast_type_spec.rb
+++ b/ee/spec/graphql/types/vulnerability_location/sast_type_spec.rb
@@ -9,7 +9,8 @@ RSpec.describe GitlabSchema.types['VulnerabilityLocationSast'] do
      :file,
      :start_line,
      :vulnerable_class,
-      :vulnerable_method
+      :vulnerable_method,
+      :blob_path
    )
  end
 end
--- a/ee/spec/graphql/types/vulnerability_location/secret_detection_type_spec.rb
+++ b/ee/spec/graphql/types/vulnerability_location/secret_detection_type_spec.rb
@@ -9,7 +9,8 @@ RSpec.describe GitlabSchema.types['VulnerabilityLocationSecretDetection'] do
      :file,
      :start_line,
      :vulnerable_class,
-      :vulnerable_method
+      :vulnerable_method,
+      :blob_path
    )
  end
 end
--- a/ee/spec/graphql/types/vulnerability_type_spec.rb
+++ b/ee/spec/graphql/types/vulnerability_type_spec.rb
@@ -74,6 +74,70 @@ RSpec.describe GitlabSchema.types['Vulnerability'] do
    end
  end

+  describe 'location' do
+    let_it_be(:pipeline) { create(:ci_pipeline, :success, project: project) }
+
+    context 'when there is file' do 
+      let(:query) do
+        %(
+          query {
+            project(fullPath: "#{project.full_path}") {
+              name
+              vulnerabilities {
+                nodes {
+                  location {
+                    ... on VulnerabilityLocationSast {
+                      file
+                      blobPath
+                    }
+                  }
+                }
+              }
+            }
+          }
+        )
+      end
+
+      let_it_be(:finding) { create(:vulnerabilities_finding, report_type: "sast", pipelines: [pipeline], project: project, vulnerability: vulnerability) }
+
+      it 'includes blobPath' do
+        location = subject.dig('data', 'project', 'vulnerabilities', 'nodes').first['location'] 
+        expect(location).to have_key('blobPath')
+        expect(location['blobPath']).to eq(
+          ::Gitlab::Routing.url_helpers.project_blob_path(project, File.join(finding.pipelines.last.sha, location['file']))
+        )
+      end
+    end  
+
+    context 'when there is no file' do
+      let(:query) do
+        %(
+          query {
+            project(fullPath: "#{project.full_path}") {
+              name
+              vulnerabilities {
+                nodes {
+                  location {
+                    ... on VulnerabilityLocationDast {
+                      path
+                    }
+                  }
+                }
+              }
+            }
+          }
+        )
+      end
+
+      let_it_be(:finding) { create(:vulnerabilities_finding, report_type: "dast", pipelines: [pipeline], project: project, vulnerability: vulnerability) }
+
+      it 'does not include blob_path' do
+        vulnerabilities = subject.dig('data', 'project', 'vulnerabilities', 'nodes')      
+        expect(vulnerabilities.first['location']).not_to have_key('blobPath')
+      end
+    end
+  end
+
  describe 'has_solutions' do
    let(:query) do
      %(