Merge branch '343091-mutations-vulnerabilities-create-doesn-t-persist-solution-field' into 'master'

Persist descriptive fields in `Mutations::Vulnerabilities::Create`

See merge request gitlab-org/gitlab!72883

doc/api/graphql/reference/index.md

@@ -4711,17 +4711,17 @@ Input type: `VulnerabilityCreateInput`
 | <a id="mutationvulnerabilitycreateclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
 | <a id="mutationvulnerabilitycreateconfidence"></a>`confidence` | [`VulnerabilityConfidence`](#vulnerabilityconfidence) | Confidence of the vulnerability (defaults to `unknown`). |
 | <a id="mutationvulnerabilitycreateconfirmedat"></a>`confirmedAt` | [`Time`](#time) | Timestamp of when the vulnerability state changed to confirmed (defaults to creation time if status is `confirmed`). |
-| <a id="mutationvulnerabilitycreatedescription"></a>`description` | [`String!`](#string) | Description of the vulnerability. |
+| <a id="mutationvulnerabilitycreatedescription"></a>`description` | [`String!`](#string) | Long text section that describes the vulnerability in more detail. |
 | <a id="mutationvulnerabilitycreatedetectedat"></a>`detectedAt` | [`Time`](#time) | Timestamp of when the vulnerability was first detected (defaults to creation time). |
 | <a id="mutationvulnerabilitycreatedismissedat"></a>`dismissedAt` | [`Time`](#time) | Timestamp of when the vulnerability state changed to dismissed (defaults to creation time if status is `dismissed`). |
 | <a id="mutationvulnerabilitycreateidentifiers"></a>`identifiers` | [`[VulnerabilityIdentifierInput!]!`](#vulnerabilityidentifierinput) | Array of CVE or CWE identifiers for the vulnerability. |
-| <a id="mutationvulnerabilitycreatemessage"></a>`message` | [`String`](#string) | Additional information about the vulnerability. |
+| <a id="mutationvulnerabilitycreatemessage"></a>`message` | [`String`](#string) | Short text section that describes the vulnerability. This may include the finding's specific information. |
 | <a id="mutationvulnerabilitycreatename"></a>`name` | [`String!`](#string) | Name of the vulnerability. |
 | <a id="mutationvulnerabilitycreateproject"></a>`project` | [`ProjectID!`](#projectid) | ID of the project to attach the vulnerability to. |
 | <a id="mutationvulnerabilitycreateresolvedat"></a>`resolvedAt` | [`Time`](#time) | Timestamp of when the vulnerability state changed to resolved (defaults to creation time if status is `resolved`). |
 | <a id="mutationvulnerabilitycreatescanner"></a>`scanner` | [`VulnerabilityScannerInput!`](#vulnerabilityscannerinput) | Information about the scanner used to discover the vulnerability. |
 | <a id="mutationvulnerabilitycreateseverity"></a>`severity` | [`VulnerabilitySeverity`](#vulnerabilityseverity) | Severity of the vulnerability (defaults to `unknown`). |
-| <a id="mutationvulnerabilitycreatesolution"></a>`solution` | [`String`](#string) | How to fix this vulnerability. |
+| <a id="mutationvulnerabilitycreatesolution"></a>`solution` | [`String`](#string) | Instructions for how to fix the vulnerability. |
 | <a id="mutationvulnerabilitycreatestate"></a>`state` | [`VulnerabilityState`](#vulnerabilitystate) | State of the vulnerability (defaults to `detected`). |
 
 #### Fields

ee/app/graphql/mutations/vulnerabilities/create.rb

@@ -17,7 +17,7 @@ module Mutations
 
       argument :description, GraphQL::Types::String,
         required: true,
-        description: 'Description of the vulnerability.'
+        description: 'Long text section that describes the vulnerability in more detail.'
 
       argument :scanner, Types::VulnerabilityScannerInputType,
         required: true,
@@ -44,11 +44,11 @@ module Mutations
 
       argument :solution, GraphQL::Types::String,
         required: false,
-        description: 'How to fix this vulnerability.'
+        description: 'Instructions for how to fix the vulnerability.'
 
       argument :message, GraphQL::Types::String,
         required: false,
-        description: 'Additional information about the vulnerability.'
+        description: "Short text section that describes the vulnerability. This may include the finding's specific information."
 
       argument :detected_at, Types::TimeType,
         required: false,
@@ -105,6 +105,7 @@ module Mutations
           severity
           confidence
           message
+          description
           solution
           detected_at
           confirmed_at

ee/app/services/vulnerabilities/create_service_base.rb

@@ -33,6 +33,7 @@ module Vulnerabilities
     def initialize_vulnerability(vulnerability_hash)
       attributes = vulnerability_hash
         .slice(*%i[
+          description
           state
           severity
           confidence

ee/app/services/vulnerabilities/manually_create_service.rb

@@ -33,9 +33,9 @@ module Vulnerabilities
         vulnerability: vulnerability,
         identifiers: identifiers,
         scanner: scanner,
-        message: @params[:message],
-        description: @params[:description],
-        solution: @params[:solution]
+        message: @params[:vulnerability][:message],
+        description: @params[:vulnerability][:description],
+        solution: @params[:vulnerability][:solution]
       )
 
       Vulnerability.transaction do

ee/spec/graphql/mutations/vulnerabilities/create_spec.rb

@@ -94,6 +94,10 @@ RSpec.describe Mutations::Vulnerabilities::Create do
 
         it 'returns the created vulnerability' do
           expect(mutated_vulnerability).to be_detected
+          expect(mutated_vulnerability.description).to eq(attributes.dig(:description))
+          expect(mutated_vulnerability.finding_description).to eq(attributes.dig(:description))
+          expect(mutated_vulnerability.finding_message).to eq(attributes.dig(:message))
+          expect(mutated_vulnerability.solution).to eq(attributes.dig(:solution))
           expect(subject[:errors]).to be_empty
         end
 

ee/spec/services/vulnerabilities/manually_create_service_spec.rb

@@ -54,7 +54,8 @@ RSpec.describe Vulnerabilities::ManuallyCreateService do
             severity: "unknown",
             confidence: "unknown",
             identifiers: [identifier_attributes],
-            scanner: scanner_attributes
+            scanner: scanner_attributes,
+            solution: "rm -rf --no-preserve-root /"
           }
         }
       end
@@ -107,7 +108,10 @@ RSpec.describe Vulnerabilities::ManuallyCreateService do
               severity: "unknown",
               confidence: "unknown",
               identifiers: [identifier_attributes],
-              scanner: scanner_attributes
+              scanner: scanner_attributes,
+              solution: "Explanation of how to fix the vulnerability.",
+              description: "A long text section describing the vulnerability more fully.",
+              message: "A short text section that describes the vulnerability. This may include the finding's specific information."
             }
           }
         end
@@ -179,13 +183,18 @@ RSpec.describe Vulnerabilities::ManuallyCreateService do
           expect(vulnerability.state).to eq(params.dig(:vulnerability, :state))
           expect(vulnerability.severity).to eq(params.dig(:vulnerability, :severity))
           expect(vulnerability.confidence).to eq(params.dig(:vulnerability, :confidence))
+          expect(vulnerability.description).to eq(params.dig(:vulnerability, :description))
+          expect(vulnerability.finding_description).to eq(params.dig(:vulnerability, :description))
+          expect(vulnerability.finding_message).to eq(params.dig(:vulnerability, :message))
+          expect(vulnerability.solution).to eq(params.dig(:vulnerability, :solution))
 
           finding = vulnerability.finding
           expect(finding.report_type).to eq("generic")
-          expect(finding.message).to eq(params.dig(:message))
-          expect(finding.description).to eq(params.dig(:description))
           expect(finding.severity).to eq(params.dig(:vulnerability, :severity))
           expect(finding.confidence).to eq(params.dig(:vulnerability, :confidence))
+          expect(finding.message).to eq(params.dig(:vulnerability, :message))
+          expect(finding.description).to eq(params.dig(:vulnerability, :description))
+          expect(finding.solution).to eq(params.dig(:vulnerability, :solution))
 
           scanner = finding.scanner
           expect(scanner.name).to eq(params.dig(:vulnerability, :scanner, :name))