Add secret detection for graphql

Refactor code refactor code Refactor code

Add secret detection for graphql
Refactor code refactor code Refactor code
c83a488b · Saikat Sarkar · 18596bcd · c83a488b · c83a488b · c83a488b
Commit c83a488b authored Jun 03, 2020 by Saikat Sarkar
10 changed files
--- a/doc/api/graphql/reference/gitlab_schema.graphql
+++ b/doc/api/graphql/reference/gitlab_schema.graphql
@@ -12791,7 +12791,7 @@ enum VulnerabilityIssueLinkType {
 """
 Represents a vulnerability location. The fields with data will depend on the vulnerability report type
 """
-union VulnerabilityLocation = VulnerabilityLocationContainerScanning | VulnerabilityLocationDast | VulnerabilityLocationDependencyScanning | VulnerabilityLocationSast
+union VulnerabilityLocation = VulnerabilityLocationContainerScanning | VulnerabilityLocationDast | VulnerabilityLocationDependencyScanning | VulnerabilityLocationSast | VulnerabilityLocationSecretDetection

 """
 Represents the location of a vulnerability found by a container security scan
@@ -12883,6 +12883,36 @@ type VulnerabilityLocationSast {
  vulnerableMethod: String
 }

+"""
+Represents the location of a vulnerability found by a secret detection scan
+"""
+type VulnerabilityLocationSecretDetection {
+  """
+  Number of the last relevant line in the vulnerable file
+  """
+  endLine: String
+
+  """
+  Path to the vulnerable file
+  """
+  file: String
+
+  """
+  Number of the first relevant line in the vulnerable file
+  """
+  startLine: String
+
+  """
+  Class containing the vulnerability
+  """
+  vulnerableClass: String
+
+  """
+  Method containing the vulnerability
+  """
+  vulnerableMethod: String
+}
+
 """
 Check permissions for the current user on a vulnerability
 """

--- a/doc/api/graphql/reference/gitlab_schema.json
+++ b/doc/api/graphql/reference/gitlab_schema.json
@@ -37709,6 +37709,11 @@
              "kind": "OBJECT",
              "name": "VulnerabilityLocationSast",
              "ofType": null
+            },
+            {
+              "kind": "OBJECT",
+              "name": "VulnerabilityLocationSecretDetection",
+              "ofType": null
            }
          ]
        },
@@ -37960,6 +37965,89 @@
          "enumValues": null,
          "possibleTypes": null
        },
+        {
+          "kind": "OBJECT",
+          "name": "VulnerabilityLocationSecretDetection",
+          "description": "Represents the location of a vulnerability found by a secret detection scan",
+          "fields": [
+            {
+              "name": "endLine",
+              "description": "Number of the last relevant line in the vulnerable file",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "SCALAR",
+                "name": "String",
+                "ofType": null
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
+            {
+              "name": "file",
+              "description": "Path to the vulnerable file",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "SCALAR",
+                "name": "String",
+                "ofType": null
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
+            {
+              "name": "startLine",
+              "description": "Number of the first relevant line in the vulnerable file",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "SCALAR",
+                "name": "String",
+                "ofType": null
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
+            {
+              "name": "vulnerableClass",
+              "description": "Class containing the vulnerability",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "SCALAR",
+                "name": "String",
+                "ofType": null
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
+            {
+              "name": "vulnerableMethod",
+              "description": "Method containing the vulnerability",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "SCALAR",
+                "name": "String",
+                "ofType": null
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            }
+          ],
+          "inputFields": null,
+          "interfaces": [
+
+          ],
+          "enumValues": null,
+          "possibleTypes": null
+        },
        {
          "kind": "OBJECT",
          "name": "VulnerabilityPermissions",
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -1923,6 +1923,18 @@ Represents the location of a vulnerability found by a SAST scan
 | `vulnerableClass` | String | Class containing the vulnerability |
 | `vulnerableMethod` | String | Method containing the vulnerability |

+## VulnerabilityLocationSecretDetection
+
+Represents the location of a vulnerability found by a secret detection scan
+
+| Name  | Type  | Description |
+| ---   |  ---- | ----------  |
+| `endLine` | String | Number of the last relevant line in the vulnerable file |
+| `file` | String | Path to the vulnerable file |
+| `startLine` | String | Number of the first relevant line in the vulnerable file |
+| `vulnerableClass` | String | Class containing the vulnerability |
+| `vulnerableMethod` | String | Method containing the vulnerability |
+
 ## VulnerabilityPermissions

 Check permissions for the current user on a vulnerability

--- a/ee/app/assets/javascripts/security_dashboard/graphql/fragmentTypes.json
+++ b/ee/app/assets/javascripts/security_dashboard/graphql/fragmentTypes.json
-{"__schema":{"types":[{"kind":"UNION","name":"VulnerabilityLocation","possibleTypes":[{"name":"VulnerabilityLocationContainerScanning"},{"name":"VulnerabilityLocationDast"},{"name":"VulnerabilityLocationDependencyScanning"},{"name":"VulnerabilityLocationSast"}]}]}}
+{"__schema":{"types":[{"kind":"UNION","name":"VulnerabilityLocation","possibleTypes":[{"name":"VulnerabilityLocationContainerScanning"},{"name":"VulnerabilityLocationDast"},{"name":"VulnerabilityLocationDependencyScanning"},{"name":"VulnerabilityLocationSast"},{"name":"VulnerabilityLocationSecretDetection"}]}]}}
--- a/ee/app/assets/javascripts/vulnerabilities/graphql/vulnerability.fragment.graphql
+++ b/ee/app/assets/javascripts/vulnerabilities/graphql/vulnerability.fragment.graphql
@@ -14,6 +14,9 @@ fragment Vulnerability on Vulnerability {
    ... on VulnerabilityLocationSast {
      file
    }
+    ... on VulnerabilityLocationSecretDetection {
+      file
+    }
  }
  project {
    nameWithNamespace

--- a/ee/app/graphql/types/vulnerability_location/secret_detection_type.rb
+++ b/ee/app/graphql/types/vulnerability_location/secret_detection_type.rb
+# frozen_string_literal: true
+
+module Types
+  module VulnerabilityLocation
+    # rubocop: disable Graphql/AuthorizeTypes
+    class SecretDetectionType < BaseObject
+      graphql_name 'VulnerabilityLocationSecretDetection'
+      description 'Represents the location of a vulnerability found by a secret detection scan'
+
+      field :vulnerable_class, GraphQL::STRING_TYPE, null: true,
+            description: 'Class containing the vulnerability',
+            hash_key: :class
+
+      field :end_line, GraphQL::STRING_TYPE, null: true,
+            description: 'Number of the last relevant line in the vulnerable file'
+
+      field :file, GraphQL::STRING_TYPE, null: true,
+            description: 'Path to the vulnerable file'
+
+      field :vulnerable_method, GraphQL::STRING_TYPE, null: true,
+            description: 'Method containing the vulnerability',
+            hash_key: :method
+
+      field :start_line, GraphQL::STRING_TYPE, null: true,
+            description: 'Number of the first relevant line in the vulnerable file'
+    end
+  end
+end
--- a/ee/app/graphql/types/vulnerability_location_type.rb
+++ b/ee/app/graphql/types/vulnerability_location_type.rb
@@ -10,7 +10,8 @@ module Types
    possible_types VulnerabilityLocation::ContainerScanningType,
                   VulnerabilityLocation::DependencyScanningType,
                   VulnerabilityLocation::DastType,
-                   VulnerabilityLocation::SastType
+                   VulnerabilityLocation::SastType,
+                   VulnerabilityLocation::SecretDetectionType

    def self.resolve_type(object, context)
      case object[:report_type]
@@ -22,6 +23,8 @@ module Types
        VulnerabilityLocation::DastType
      when 'sast'
        VulnerabilityLocation::SastType
+      when 'secret_detection'
+        VulnerabilityLocation::SecretDetectionType
      else
        raise UnexpectedReportType, "Report type must be one of #{::Vulnerabilities::Occurrence::REPORT_TYPES.keys}"
      end

--- a/ee/changelogs/unreleased/add_secret_detection_to_graphql.yml
+++ b/ee/changelogs/unreleased/add_secret_detection_to_graphql.yml
+---
+title: Add secret detection for GraphQL API
+merge_request: 33797
+author:
+type: added
--- a/ee/spec/graphql/types/vulnerability_location/secret_detection_type_spec.rb
+++ b/ee/spec/graphql/types/vulnerability_location/secret_detection_type_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe GitlabSchema.types['VulnerabilityLocationSecretDetection'] do
+  it do
+    expect(described_class).to have_graphql_fields(
+      :end_line,
+      :file,
+      :start_line,
+      :vulnerable_class,
+      :vulnerable_method
+    )
+  end
+end
--- a/ee/spec/requests/api/graphql/vulnerabilities/location_spec.rb
+++ b/ee/spec/requests/api/graphql/vulnerabilities/location_spec.rb
@@ -46,6 +46,13 @@ describe 'Query.vulnerabilities.location' do
          vulnerableClass
          vulnerableMethod
        }
+        ... on VulnerabilityLocationSecretDetection {
+          endLine
+          file
+          startLine
+          vulnerableClass
+          vulnerableMethod
+        }
      }
    QUERY
  end
@@ -174,6 +181,43 @@ describe 'Query.vulnerabilities.location' do
    end
  end

+  context 'when the vulnerability was found by a secret detection scan' do
+    let_it_be(:vulnerability) do
+      create(:vulnerability, project: project, report_type: :secret_detection)
+    end
+
+    let_it_be(:metadata) do
+      {
+        location: {
+          class: 'VulnerableClass',
+          method: 'vulnerable_method',
+          file: 'vulnerable_file',
+          start_line: '420',
+          end_line: '666'
+        }
+      }
+    end
+
+    let_it_be(:finding) do
+      create(
+        :vulnerabilities_occurrence,
+        vulnerability: vulnerability,
+        raw_metadata: metadata.to_json
+      )
+    end
+
+    it 'returns the file and line numbers where the vulnerability is located' do
+      location = subject.first['location']
+
+      expect(location['__typename']).to eq('VulnerabilityLocationSecretDetection')
+      expect(location['file']).to eq('vulnerable_file')
+      expect(location['startLine']).to eq('420')
+      expect(location['endLine']).to eq('666')
+      expect(location['vulnerableClass']).to eq('VulnerableClass')
+      expect(location['vulnerableMethod']).to eq('vulnerable_method')
+    end
+  end
+
  context 'when the vulnerability was found by a DAST scan' do
    let_it_be(:vulnerability) do
      create(:vulnerability, project: project, report_type: :dast)