Merge branch 'vulnerbility-findings-graphql-reference' into 'master'

DOC: Refer vulnerability_findings api to GraphQL See merge request gitlab-org/gitlab!77142

Merge branch 'vulnerbility-findings-graphql-reference' into 'master'
DOC: Refer vulnerability_findings api to GraphQL See merge request gitlab-org/gitlab!77142
d68ee8eb · Amy Qualls · e39da6a8 · 5e1efa90 · d68ee8eb · d68ee8eb
Commit d68ee8eb authored Dec 23, 2021 by Amy Qualls
Hide whitespace changes
Inline Side-by-side

Showing with 135 additions and 6 deletions

doc/api/vulnerabilities.md doc/api/vulnerabilities.md +4 -4

doc/api/vulnerability_findings.md doc/api/vulnerability_findings.md +131 -2

No files found.
--- a/doc/api/vulnerabilities.md
+++ b/doc/api/vulnerabilities.md
@@ -19,7 +19,7 @@ This API is in the process of being deprecated and considered unstable.
 The response payload may be subject to change or breakage
 across GitLab releases. Please use the
 [GraphQL API](graphql/reference/index.md#queryvulnerabilities)
-instead. See the [GraphQL examples](#replace-rest-with-graphql) to get started.
+instead. See the [GraphQL examples](#replace-vulnerability-rest-api-with-graphql) to get started.

 Every API call to vulnerabilities must be [authenticated](index.md#authentication).

@@ -273,11 +273,11 @@ Example response:
 }
 ```

-## Replace REST with GraphQL
+## Replace Vulnerability REST API with GraphQL

 To prepare for the [upcoming deprecation](https://gitlab.com/groups/gitlab-org/-/epics/5118) of
-this REST API endpoint, use the examples below to learn how to perform the equivalent operations
-using the GraphQL API.
+the Vulnerability REST API endpoint, use the examples below to perform the equivalent operations
+with the GraphQL API.

 ### GraphQL - Single vulnerability


--- a/doc/api/vulnerability_findings.md
+++ b/doc/api/vulnerability_findings.md
@@ -25,9 +25,11 @@ If a user is able to access the project but does not have permission to
 any request for vulnerability findings of this project results in a `403` status code.

 WARNING:
-This API is in an alpha stage and considered unstable.
+This API is in the process of being deprecated and considered unstable.
 The response payload may be subject to change or breakage
-across GitLab releases.
+across GitLab releases. Please use the
+[GraphQL API](graphql/reference/index.md#queryvulnerabilities)
+instead. See the [GraphQL examples](#replace-vulnerability-findings-rest-api-with-graphql) to get started.

 ## Vulnerability findings pagination

@@ -137,3 +139,130 @@ Example response:
  }
 ]
 ```
+
+## Replace Vulnerability Findings REST API with GraphQL
+
+To prepare for the [upcoming deprecation](https://gitlab.com/groups/gitlab-org/-/epics/5118) of
+the Vulnerability Findings REST API endpoint, use the examples below to perform the equivalent operations
+with the GraphQL API.
+
+### GraphQL - Project vulnerabilities
+
+Use [`Project.vulnerabilities`](graphql/reference/#projectvulnerabilities).
+
+```graphql
+{
+  project(fullPath: "root/security-reports") {
+    vulnerabilities {
+      nodes{
+        id
+        reportType
+        title
+        severity
+        scanner {
+          externalId
+          name
+          vendor
+        }
+        identifiers {
+          externalType
+          externalId
+          name
+          url
+        }
+        falsePositive
+        project {
+          id
+          name
+          fullPath
+        }
+        description
+        links {
+          name
+          url
+        }
+        location {
+          ... on
+          VulnerabilityLocationSast {
+            file
+            startLine
+            endLine
+            vulnerableClass
+            vulnerableMethod
+            blobPath
+          }
+        }
+        details {
+          ... on
+          VulnerabilityDetailCode {
+            description
+            fieldName
+            lang
+            name
+            value
+          }
+        }
+        state
+      }
+    }
+  }
+}
+```
+
+Example response:
+
+```json
+{
+  "data": {
+    "project": {
+      "vulnerabilities": {
+        "nodes": [
+          {
+            "id": "gid://gitlab/Vulnerability/236",
+            "reportType": "SAST",
+            "title": "Generic Object Injection Sink",
+            "severity": "CRITICAL",
+            "scanner": {
+              "externalId": "eslint",
+              "name": "ESLint",
+              "vendor": "GitLab"
+            },
+            "identifiers": [
+              {
+                "externalType": "eslint_rule_id",
+                "externalId": "security/detect-object-injection",
+                "name": "ESLint rule ID security/detect-object-injection",
+                "url": "https://github.com/nodesecurity/eslint-plugin-security#detect-object-injection"
+              },
+              {
+                "externalType": "cwe",
+                "externalId": "94",
+                "name": "CWE-94",
+                "url": "https://cwe.mitre.org/data/definitions/94.html"
+              }
+            ],
+            "falsePositive": false,
+            "project": {
+              "id": "gid://gitlab/Project/20",
+              "name": "Security Reports",
+              "fullPath": "root/security-reports"
+            },
+            "description": "Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype, leading to possible code execution.",
+            "links": [],
+            "location": {
+              "file": "src/js/main.js",
+              "startLine": "28",
+              "endLine": "28",
+              "vulnerableClass": null,
+              "vulnerableMethod": null,
+              "blobPath": "/root/security-reports/-/blob/91031428a5b5dbb81e8d889738b1875c1bfea787/src/js/main.js"
+            },
+            "details": [],
+            "state": "DETECTED"
+          }
+        ]
+      }
+    }
+  }
+}
+```