Commit d68ee8eb authored by Amy Qualls's avatar Amy Qualls

Merge branch 'vulnerbility-findings-graphql-reference' into 'master'

DOC: Refer vulnerability_findings api to GraphQL

See merge request gitlab-org/gitlab!77142
parents e39da6a8 5e1efa90
...@@ -19,7 +19,7 @@ This API is in the process of being deprecated and considered unstable. ...@@ -19,7 +19,7 @@ This API is in the process of being deprecated and considered unstable.
The response payload may be subject to change or breakage The response payload may be subject to change or breakage
across GitLab releases. Please use the across GitLab releases. Please use the
[GraphQL API](graphql/reference/index.md#queryvulnerabilities) [GraphQL API](graphql/reference/index.md#queryvulnerabilities)
instead. See the [GraphQL examples](#replace-rest-with-graphql) to get started. instead. See the [GraphQL examples](#replace-vulnerability-rest-api-with-graphql) to get started.
Every API call to vulnerabilities must be [authenticated](index.md#authentication). Every API call to vulnerabilities must be [authenticated](index.md#authentication).
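Review bot: the updated in-page link `#replace-vulnerability-rest-api-with-graphql` matches the slug of the renamed heading `## Replace Vulnerability REST API with GraphQL` in the following hunk, so the cross-reference stays valid; one style nit is "Please use the", which reads better in reference documentation as "Use the".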
...@@ -273,11 +273,11 @@ Example response: ...@@ -273,11 +273,11 @@ Example response:
} }
``` ```
## Replace REST with GraphQL ## Replace Vulnerability REST API with GraphQL
To prepare for the [upcoming deprecation](https://gitlab.com/groups/gitlab-org/-/epics/5118) of To prepare for the [upcoming deprecation](https://gitlab.com/groups/gitlab-org/-/epics/5118) of
this REST API endpoint, use the examples below to learn how to perform the equivalent operations the Vulnerability REST API endpoint, use the examples below to perform the equivalent operations
using the GraphQL API. with the GraphQL API.
### GraphQL - Single vulnerability ### GraphQL - Single vulnerability
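Review bot: renaming the heading changes its anchor from `#replace-rest-with-graphql` to `#replace-vulnerability-rest-api-with-graphql`; the link in the earlier hunk is updated to match, but any other page or external bookmark still pointing at the old slug will silently land at the top of the page, so it is worth searching the docs for `replace-rest-with-graphql` before merging.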
...@@ -25,9 +25,11 @@ If a user is able to access the project but does not have permission to ...@@ -25,9 +25,11 @@ If a user is able to access the project but does not have permission to
any request for vulnerability findings of this project results in a `403` status code. any request for vulnerability findings of this project results in a `403` status code.
WARNING: WARNING:
This API is in an alpha stage and considered unstable. This API is in the process of being deprecated and considered unstable.
The response payload may be subject to change or breakage The response payload may be subject to change or breakage
across GitLab releases. across GitLab releases. Please use the
[GraphQL API](graphql/reference/index.md#queryvulnerabilities)
instead. See the [GraphQL examples](#replace-vulnerability-findings-rest-api-with-graphql) to get started.
## Vulnerability findings pagination ## Vulnerability findings pagination
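Review bot: the new warning links the GraphQL reference at `#queryvulnerabilities` (the top-level `vulnerabilities` query), while the examples section added below for this page queries `Project.vulnerabilities`; consider linking `#projectvulnerabilities` instead, or mentioning both, so readers land on the field the example actually uses. The anchor `#replace-vulnerability-findings-rest-api-with-graphql` does match the heading added in the next hunk.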
...@@ -137,3 +139,130 @@ Example response: ...@@ -137,3 +139,130 @@ Example response:
} }
] ]
``` ```
## Replace Vulnerability Findings REST API with GraphQL
To prepare for the [upcoming deprecation](https://gitlab.com/groups/gitlab-org/-/epics/5118) of
the Vulnerability Findings REST API endpoint, use the examples below to perform the equivalent operations
with the GraphQL API.
### GraphQL - Project vulnerabilities
Use [`Project.vulnerabilities`](graphql/reference/#projectvulnerabilities).
```graphql
{
project(fullPath: "root/security-reports") {
vulnerabilities {
nodes{
id
reportType
title
severity
scanner {
externalId
name
vendor
}
identifiers {
externalType
externalId
name
url
}
falsePositive
project {
id
name
fullPath
}
description
links {
name
url
}
location {
... on
VulnerabilityLocationSast {
file
startLine
endLine
vulnerableClass
vulnerableMethod
blobPath
}
}
details {
... on
VulnerabilityDetailCode {
description
fieldName
lang
name
value
}
}
state
}
}
}
}
```
Example response:
```json
{
"data": {
"project": {
"vulnerabilities": {
"nodes": [
{
"id": "gid://gitlab/Vulnerability/236",
"reportType": "SAST",
"title": "Generic Object Injection Sink",
"severity": "CRITICAL",
"scanner": {
"externalId": "eslint",
"name": "ESLint",
"vendor": "GitLab"
},
"identifiers": [
{
"externalType": "eslint_rule_id",
"externalId": "security/detect-object-injection",
"name": "ESLint rule ID security/detect-object-injection",
"url": "https://github.com/nodesecurity/eslint-plugin-security#detect-object-injection"
},
{
"externalType": "cwe",
"externalId": "94",
"name": "CWE-94",
"url": "https://cwe.mitre.org/data/definitions/94.html"
}
],
"falsePositive": false,
"project": {
"id": "gid://gitlab/Project/20",
"name": "Security Reports",
"fullPath": "root/security-reports"
},
"description": "Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype, leading to possible code execution.",
"links": [],
"location": {
"file": "src/js/main.js",
"startLine": "28",
"endLine": "28",
"vulnerableClass": null,
"vulnerableMethod": null,
"blobPath": "/root/security-reports/-/blob/91031428a5b5dbb81e8d889738b1875c1bfea787/src/js/main.js"
},
"details": [],
"state": "DETECTED"
}
]
}
}
}
}
```
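Review bot: the reference link `graphql/reference/#projectvulnerabilities` omits `index.md`, unlike the `graphql/reference/index.md#queryvulnerabilities` links elsewhere in this change; use the same `graphql/reference/index.md#projectvulnerabilities` form so the relative link resolves consistently in both the rendered docs and the source tree. Two smaller points in the query: `nodes{` should be `nodes {` to match the other selections, and the inline fragments are split as `... on` / `VulnerabilityLocationSast {` across two lines, which is valid GraphQL but hard to read; `... on VulnerabilityLocationSast {` on one line is the usual style. Because the `location` selection only covers `VulnerabilityLocationSast`, the response's `location` will be empty for other `reportType` values; a sentence noting that other report types need their own fragment would help readers adapting the example.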