Commit 9ddd7507 authored by Russell Dickenson's avatar Russell Dickenson

Merge branch 'add_secret_detection_to_graphql' into 'master'

Add secret detection for GraphQL API

See merge request gitlab-org/gitlab!33797
parents 1c67875c c83a488b
......@@ -12907,7 +12907,7 @@ enum VulnerabilityIssueLinkType {
"""
Represents a vulnerability location. The fields with data will depend on the vulnerability report type
"""
union VulnerabilityLocation = VulnerabilityLocationContainerScanning | VulnerabilityLocationDast | VulnerabilityLocationDependencyScanning | VulnerabilityLocationSast
union VulnerabilityLocation = VulnerabilityLocationContainerScanning | VulnerabilityLocationDast | VulnerabilityLocationDependencyScanning | VulnerabilityLocationSast | VulnerabilityLocationSecretDetection
"""
Represents the location of a vulnerability found by a container security scan
......@@ -12999,6 +12999,36 @@ type VulnerabilityLocationSast {
vulnerableMethod: String
}
"""
Represents the location of a vulnerability found by a secret detection scan
"""
type VulnerabilityLocationSecretDetection {
"""
Number of the last relevant line in the vulnerable file
"""
endLine: String
"""
Path to the vulnerable file
"""
file: String
"""
Number of the first relevant line in the vulnerable file
"""
startLine: String
"""
Class containing the vulnerability
"""
vulnerableClass: String
"""
Method containing the vulnerability
"""
vulnerableMethod: String
}
"""
Check permissions for the current user on a vulnerability
"""
......@@ -38058,6 +38058,11 @@
"kind": "OBJECT",
"name": "VulnerabilityLocationSast",
"ofType": null
},
{
"kind": "OBJECT",
"name": "VulnerabilityLocationSecretDetection",
"ofType": null
}
]
},
......@@ -38309,6 +38314,89 @@
"enumValues": null,
"possibleTypes": null
},
{
"kind": "OBJECT",
"name": "VulnerabilityLocationSecretDetection",
"description": "Represents the location of a vulnerability found by a secret detection scan",
"fields": [
{
"name": "endLine",
"description": "Number of the last relevant line in the vulnerable file",
"args": [
],
"type": {
"kind": "SCALAR",
"name": "String",
"ofType": null
},
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "file",
"description": "Path to the vulnerable file",
"args": [
],
"type": {
"kind": "SCALAR",
"name": "String",
"ofType": null
},
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "startLine",
"description": "Number of the first relevant line in the vulnerable file",
"args": [
],
"type": {
"kind": "SCALAR",
"name": "String",
"ofType": null
},
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "vulnerableClass",
"description": "Class containing the vulnerability",
"args": [
],
"type": {
"kind": "SCALAR",
"name": "String",
"ofType": null
},
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "vulnerableMethod",
"description": "Method containing the vulnerability",
"args": [
],
"type": {
"kind": "SCALAR",
"name": "String",
"ofType": null
},
"isDeprecated": false,
"deprecationReason": null
}
],
"inputFields": null,
"interfaces": [
],
"enumValues": null,
"possibleTypes": null
},
{
"kind": "OBJECT",
"name": "VulnerabilityPermissions",
......@@ -1942,6 +1942,18 @@ Represents the location of a vulnerability found by a SAST scan
| `vulnerableClass` | String | Class containing the vulnerability |
| `vulnerableMethod` | String | Method containing the vulnerability |
## VulnerabilityLocationSecretDetection
Represents the location of a vulnerability found by a secret detection scan
| Name | Type | Description |
| --- | ---- | ---------- |
| `endLine` | String | Number of the last relevant line in the vulnerable file |
| `file` | String | Path to the vulnerable file |
| `startLine` | String | Number of the first relevant line in the vulnerable file |
| `vulnerableClass` | String | Class containing the vulnerability |
| `vulnerableMethod` | String | Method containing the vulnerability |
## VulnerabilityPermissions
Check permissions for the current user on a vulnerability
{"__schema":{"types":[{"kind":"UNION","name":"VulnerabilityLocation","possibleTypes":[{"name":"VulnerabilityLocationContainerScanning"},{"name":"VulnerabilityLocationDast"},{"name":"VulnerabilityLocationDependencyScanning"},{"name":"VulnerabilityLocationSast"}]}]}}
{"__schema":{"types":[{"kind":"UNION","name":"VulnerabilityLocation","possibleTypes":[{"name":"VulnerabilityLocationContainerScanning"},{"name":"VulnerabilityLocationDast"},{"name":"VulnerabilityLocationDependencyScanning"},{"name":"VulnerabilityLocationSast"},{"name":"VulnerabilityLocationSecretDetection"}]}]}}
......@@ -14,6 +14,9 @@ fragment Vulnerability on Vulnerability {
... on VulnerabilityLocationSast {
file
}
... on VulnerabilityLocationSecretDetection {
file
}
}
project {
nameWithNamespace
# frozen_string_literal: true
module Types
module VulnerabilityLocation
# rubocop: disable Graphql/AuthorizeTypes
class SecretDetectionType < BaseObject
graphql_name 'VulnerabilityLocationSecretDetection'
description 'Represents the location of a vulnerability found by a secret detection scan'
field :vulnerable_class, GraphQL::STRING_TYPE, null: true,
description: 'Class containing the vulnerability',
hash_key: :class
field :end_line, GraphQL::STRING_TYPE, null: true,
description: 'Number of the last relevant line in the vulnerable file'
field :file, GraphQL::STRING_TYPE, null: true,
description: 'Path to the vulnerable file'
field :vulnerable_method, GraphQL::STRING_TYPE, null: true,
description: 'Method containing the vulnerability',
hash_key: :method
field :start_line, GraphQL::STRING_TYPE, null: true,
description: 'Number of the first relevant line in the vulnerable file'
end
end
end
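Review bot: The `# rubocop: disable Graphql/AuthorizeTypes` on `SecretDetectionType` carries no justification; since this type is only reachable through the `VulnerabilityLocation` union it presumably relies on the parent `Vulnerability` type's authorization, and that reliance should be written down so nobody later resolves it from another field without a check. Suggested wording: `# rubocop: disable Graphql/AuthorizeTypes -- authorization is enforced on the parent Vulnerability type; only expose this through VulnerabilityLocation`. Separately, `vulnerable_class` and `vulnerable_method` (with `hash_key: :class` / `:method`) mirror the SAST location type, but nothing here shows secret-detection reports populate those keys; if they normally do not, the field descriptions should say so (e.g. `Class containing the vulnerability (usually absent for secret detection)`) so clients do not expect data there. Also worth noting in the class description that the location fields identify where a credential sits, not the credential itself, since this is the only type-level documentation consumers will see.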
......@@ -10,7 +10,8 @@ module Types
possible_types VulnerabilityLocation::ContainerScanningType,
VulnerabilityLocation::DependencyScanningType,
VulnerabilityLocation::DastType,
VulnerabilityLocation::SastType
VulnerabilityLocation::SastType,
VulnerabilityLocation::SecretDetectionType
def self.resolve_type(object, context)
case object[:report_type]
......@@ -22,6 +23,8 @@ module Types
VulnerabilityLocation::DastType
when 'sast'
VulnerabilityLocation::SastType
when 'secret_detection'
VulnerabilityLocation::SecretDetectionType
else
raise UnexpectedReportType, "Report type must be one of #{::Vulnerabilities::Occurrence::REPORT_TYPES.keys}"
end
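Review bot: The `else` branch's message, `Report type must be one of #{::Vulnerabilities::Occurrence::REPORT_TYPES.keys}`, is misleading whenever `object[:report_type]` already is one of those keys but has no `when` branch — which is exactly the state this commit fixes for `secret_detection` and will recur for any key added to `REPORT_TYPES` without a matching branch here. I would report the offending value instead: `raise UnexpectedReportType, "Unsupported report type #{object[:report_type].inspect}"`. A spec that iterates `REPORT_TYPES.keys` and asserts `resolve_type` returns a type for each would catch drift between `possible_types` and the `case`. The `resolve_type` body is split across the two hunks and the enclosing `module Types` begins outside them.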
---
title: Add secret detection for GraphQL API
merge_request: 33797
author:
type: added
# frozen_string_literal: true
require 'spec_helper'
describe GitlabSchema.types['VulnerabilityLocationSecretDetection'] do
it do
expect(described_class).to have_graphql_fields(
:end_line,
:file,
:start_line,
:vulnerable_class,
:vulnerable_method
)
end
end
......@@ -46,6 +46,13 @@ RSpec.describe 'Query.vulnerabilities.location' do
vulnerableClass
vulnerableMethod
}
... on VulnerabilityLocationSecretDetection {
endLine
file
startLine
vulnerableClass
vulnerableMethod
}
}
QUERY
end
......@@ -174,6 +181,43 @@ RSpec.describe 'Query.vulnerabilities.location' do
end
end
context 'when the vulnerability was found by a secret detection scan' do
let_it_be(:vulnerability) do
create(:vulnerability, project: project, report_type: :secret_detection)
end
let_it_be(:metadata) do
{
location: {
class: 'VulnerableClass',
method: 'vulnerable_method',
file: 'vulnerable_file',
start_line: '420',
end_line: '666'
}
}
end
let_it_be(:finding) do
create(
:vulnerabilities_occurrence,
vulnerability: vulnerability,
raw_metadata: metadata.to_json
)
end
it 'returns the file and line numbers where the vulnerability is located' do
location = subject.first['location']
expect(location['__typename']).to eq('VulnerabilityLocationSecretDetection')
expect(location['file']).to eq('vulnerable_file')
expect(location['startLine']).to eq('420')
expect(location['endLine']).to eq('666')
expect(location['vulnerableClass']).to eq('VulnerableClass')
expect(location['vulnerableMethod']).to eq('vulnerable_method')
end
end
context 'when the vulnerability was found by a DAST scan' do
let_it_be(:vulnerability) do
create(:vulnerability, project: project, report_type: :dast)