Add false-positive info of Vulnerability in GraphQL query

doc/api/graphql/reference/index.md

@@ -13885,6 +13885,7 @@ Represents a vulnerability.
 | <a id="vulnerabilitydismissedat"></a>`dismissedAt` | [`Time`](#time) | Timestamp of when the vulnerability state was changed to dismissed. |
 | <a id="vulnerabilitydismissedby"></a>`dismissedBy` | [`UserCore`](#usercore) | The user that dismissed the vulnerability. |
 | <a id="vulnerabilityexternalissuelinks"></a>`externalIssueLinks` | [`VulnerabilityExternalIssueLinkConnection!`](#vulnerabilityexternalissuelinkconnection) | List of external issue links related to the vulnerability. (see [Connections](#connections)) |
+| <a id="vulnerabilityfalsepositive"></a>`falsePositive` | [`Boolean`](#boolean) | Indicates whether the vulnerability is a false positive. Available only when feature flag `vulnerability_flags` is enabled. This flag is disabled by default, because the feature is experimental and is subject to change without notice. |
 | <a id="vulnerabilityhassolutions"></a>`hasSolutions` | [`Boolean`](#boolean) | Indicates whether there is a solution available for this vulnerability. |
 | <a id="vulnerabilityid"></a>`id` | [`ID!`](#id) | GraphQL ID of the vulnerability. |
 | <a id="vulnerabilityidentifiers"></a>`identifiers` | [`[VulnerabilityIdentifier!]!`](#vulnerabilityidentifier) | Identifiers of the vulnerability. |

ee/app/graphql/types/vulnerability_type.rb

@@ -94,6 +94,11 @@ module Types
           description: 'Details of the vulnerability.',
           resolver: Resolvers::Vulnerabilities::DetailsResolver
 
+    field :false_positive, GraphQL::Types::Boolean, null: true,
+          description: 'Indicates whether the vulnerability is a false positive.',
+          resolver_method: :false_positive?,
+          feature_flag: :vulnerability_flags
+
     def confirmed_by
       ::Gitlab::Graphql::Loaders::BatchModelLoader.new(::User, object.confirmed_by_id).find
     end
@@ -146,5 +151,17 @@ module Types
     def has_solutions?
       object.finding&.remediations&.any?
     end
+
+    def false_positive?
+      return unless expose_false_positive?
+
+      object.finding&.false_positive? || false
+    end
+
+    private
+
+    def expose_false_positive?
+      object.project.licensed_feature_available?(:sast_fp_reduction)
+    end
   end
 end

ee/spec/graphql/types/vulnerability_type_spec.rb

@@ -30,6 +30,7 @@ RSpec.describe GitlabSchema.types['Vulnerability'] do
        notes
        external_issue_links
        has_solutions
+       false_positive
        merge_request
        discussions
        confirmed_by
@@ -39,7 +40,7 @@ RSpec.describe GitlabSchema.types['Vulnerability'] do
   end
 
   before do
-    stub_licensed_features(security_dashboard: true)
+    stub_licensed_features(security_dashboard: true, sast_fp_reduction: true)
 
     project.add_developer(user)
   end
@@ -107,6 +108,68 @@ RSpec.describe GitlabSchema.types['Vulnerability'] do
     end
   end
 
+  describe 'false_positive' do
+    let_it_be(:vulnerability_with_finding) { create(:vulnerability, :with_findings, project: project) }
+
+    let(:query) do
+      %(
+        query {
+          project(fullPath: "#{project.full_path}") {
+            name
+            vulnerabilities {
+              nodes {
+                falsePositive
+              }
+            }
+          }
+        }
+      )
+    end
+
+    context 'when the vulnerability has a false-positive flag' do
+      before do
+        create(:vulnerabilities_flag, finding: vulnerability_with_finding.finding)
+      end
+
+      it 'returns true for false positive field' do
+        vulnerabilities = subject.dig('data', 'project', 'vulnerabilities', 'nodes')
+
+        expect(vulnerabilities.first['falsePositive']).to be(true)
+      end
+    end
+
+    context 'when the license is missing' do
+      before do
+        stub_licensed_features(security_dashboard: true, sast_fp_reduction: false)
+      end
+
+      it 'returns nil' do
+        vulnerabilities = subject.dig('data', 'project', 'vulnerabilities', 'nodes')
+
+        expect(vulnerabilities.first['falsePositive']).to be_nil
+      end
+    end
+
+    context 'when the vulnerability does not have any false positive flag' do
+      it 'returns false for false-positive field' do
+        vulnerabilities = subject.dig('data', 'project', 'vulnerabilities', 'nodes')
+
+        expect(vulnerabilities.first['falsePositive']).to be(false)
+      end
+    end
+
+    context 'when vulnerability_flags FF has been disabled' do
+      before do
+        stub_feature_flags(vulnerability_flags: false)
+      end
+
+      it 'exposes an error message' do
+        error_msg = subject.dig('errors').first['message']
+        expect(error_msg).to eql("Field 'falsePositive' doesn't exist on type 'Vulnerability'")
+      end
+    end
+  end
+
   describe '#description' do
     let_it_be(:vulnerability_with_finding) { create(:vulnerability, :with_findings, project: project) }