Respond with finding UUID when creating Starboard vulnerability

c225cc3e · Dominic Bauer · Andy Soiron · ece5fea4 · c225cc3e · c225cc3e
Commit c225cc3e authored Feb 01, 2022 by Dominic Bauer Committed by Andy Soiron Feb 01, 2022
4 changed files
--- a/doc/development/internal_api/index.md
+++ b/doc/development/internal_api/index.md
@@ -507,7 +507,7 @@ curl --request POST --header "Gitlab-Kas-Api-Request: <JWT token>" \

 Called from the GitLab Agent Server (`kas`) to create a security vulnerability
 from a Starboard vulnerability report. This request is idempotent. Multiple requests with the same data
-create a single vulnerability.
+create a single vulnerability. The response contains the UUID of the created vulnerability finding.

 | Attribute       | Type   | Required | Description |
 |:----------------|:-------|:---------|:------------|
@@ -553,6 +553,14 @@ curl --request PUT --header "Gitlab-Kas-Api-Request: <JWT token>" \
 }'
 ```

+Example response:
+
+```json
+{
+  "uuid": "4773b2ee-5ba5-5e9f-b48c-5f7a17f0faac"
+}
+```
+
 ## Subscriptions

 The subscriptions endpoint is used by [CustomersDot](https://gitlab.com/gitlab-org/customers-gitlab-com) (`customers.gitlab.com`)

--- a/ee/app/models/ee/vulnerability.rb
+++ b/ee/app/models/ee/vulnerability.rb
@@ -127,7 +127,7 @@ module EE
        joins(:findings).merge(Vulnerabilities::Finding.by_location_cluster_agent(agent_ids))
      end

-      delegate :scanner_name, :scanner_external_id, :scanner_id, :metadata, :message, :description, :details,
+      delegate :scanner_name, :scanner_external_id, :scanner_id, :metadata, :message, :description, :details, :uuid,
               to: :finding, prefix: true, allow_nil: true

      delegate :default_branch, :name, to: :project, prefix: true, allow_nil: true

--- a/ee/lib/ee/api/internal/kubernetes.rb
+++ b/ee/lib/ee/api/internal/kubernetes.rb
@@ -120,6 +120,7 @@ module EE

                  if result.success?
                    status result.http_status
+                    { uuid: result.payload[:vulnerability].finding_uuid }
                  else
                    render_api_error!(result.message, result.http_status)
                  end

--- a/ee/spec/requests/api/internal/kubernetes_spec.rb
+++ b/ee/spec/requests/api/internal/kubernetes_spec.rb
@@ -276,6 +276,12 @@ RSpec.describe API::Internal::Kubernetes do
        expect(Vulnerability.all.first.finding.name).to eq(payload[:vulnerability][:name])
      end

+      it "responds with the created vulnerability's UUID" do
+        send_request(params: payload)
+
+        expect(json_response).to match("uuid" => Vulnerability.last.finding.uuid)
+      end
+
      context 'when payload is invalid' do
        let(:payload) { { vulnerability: 'invalid' } }