Add VulnerabilityScanner to be queried as single GraphQL type

This change extends VulnerabilityScanner with new vendor field and
allows user to query for VulnerabilityScanners used in detected
Vulnerabilities.

doc/api/graphql/reference/gitlab_schema.graphql

@@ -5393,6 +5393,31 @@ type Group {
     startDate: ISO8601Date!
   ): VulnerabilitiesCountByDayAndSeverityConnection
 
+  """
+  Vulnerability scanners reported on the project vulnerabilties of the group and its subgroups
+  """
+  vulnerabilityScanners(
+    """
+    Returns the elements in the list that come after the specified cursor.
+    """
+    after: String
+
+    """
+    Returns the elements in the list that come before the specified cursor.
+    """
+    before: String
+
+    """
+    Returns the first _n_ elements from the list.
+    """
+    first: Int
+
+    """
+    Returns the last _n_ elements from the list.
+    """
+    last: Int
+  ): VulnerabilityScannerConnection
+
   """
   Web URL of the group
   """
@@ -5520,6 +5545,31 @@ type InstanceSecurityDashboard {
     """
     last: Int
   ): ProjectConnection!
+
+  """
+  Vulnerability scanners reported on the vulnerabilties from projects selected in Instance Security Dashboard
+  """
+  vulnerabilityScanners(
+    """
+    Returns the elements in the list that come after the specified cursor.
+    """
+    after: String
+
+    """
+    Returns the elements in the list that come before the specified cursor.
+    """
+    before: String
+
+    """
+    Returns the first _n_ elements from the list.
+    """
+    first: Int
+
+    """
+    Returns the last _n_ elements from the list.
+    """
+    last: Int
+  ): VulnerabilityScannerConnection
 }
 
 """
@@ -9771,6 +9821,31 @@ type Project {
     state: [VulnerabilityState!]
   ): VulnerabilityConnection
 
+  """
+  Vulnerability scanners reported on the project vulnerabilties
+  """
+  vulnerabilityScanners(
+    """
+    Returns the elements in the list that come after the specified cursor.
+    """
+    after: String
+
+    """
+    Returns the elements in the list that come before the specified cursor.
+    """
+    before: String
+
+    """
+    Returns the first _n_ elements from the list.
+    """
+    first: Int
+
+    """
+    Returns the last _n_ elements from the list.
+    """
+    last: Int
+  ): VulnerabilityScannerConnection
+
   """
   Counts for each severity of vulnerability of the project
   """
@@ -14363,6 +14438,51 @@ type VulnerabilityScanner {
   Name of the vulnerability scanner
   """
   name: String
+
+  """
+  Type of the vulnerability report
+  """
+  reportType: VulnerabilityReportType
+
+  """
+  Vendor of the vulnerability scanner
+  """
+  vendor: String
+}
+
+"""
+The connection type for VulnerabilityScanner.
+"""
+type VulnerabilityScannerConnection {
+  """
+  A list of edges.
+  """
+  edges: [VulnerabilityScannerEdge]
+
+  """
+  A list of nodes.
+  """
+  nodes: [VulnerabilityScanner]
+
+  """
+  Information to aid in pagination.
+  """
+  pageInfo: PageInfo!
+}
+
+"""
+An edge in a connection.
+"""
+type VulnerabilityScannerEdge {
+  """
+  A cursor for use in pagination.
+  """
+  cursor: String!
+
+  """
+  The item at the end of the edge.
+  """
+  node: VulnerabilityScanner
 }
 
 """

doc/api/graphql/reference/index.md

@@ -2209,6 +2209,8 @@ Represents a vulnerability scanner.
 | ---   |  ---- | ----------  |
 | `externalId` | String | External ID of the vulnerability scanner |
 | `name` | String | Name of the vulnerability scanner |
+| `reportType` | VulnerabilityReportType | Type of the vulnerability report |
+| `vendor` | String | Vendor of the vulnerability scanner |
 
 ## VulnerabilitySeveritiesCount
 

ee/app/graphql/ee/types/group_type.rb

@@ -36,6 +36,12 @@ module EE
               description: 'Vulnerabilities reported on the projects in the group and its subgroups',
               resolver: ::Resolvers::VulnerabilitiesResolver
 
+        field :vulnerability_scanners,
+              ::Types::VulnerabilityScannerType.connection_type,
+              null: true,
+              description: 'Vulnerability scanners reported on the project vulnerabilties of the group and its subgroups',
+              resolver: ::Resolvers::Vulnerabilities::ScannersResolver
+
         field :vulnerabilities_count_by_day_and_severity,
               ::Types::VulnerabilitiesCountByDayAndSeverityType.connection_type,
               null: true,

ee/app/graphql/ee/types/project_type.rb

@@ -18,6 +18,12 @@ module EE
               description: 'Vulnerabilities reported on the project',
               resolver: ::Resolvers::VulnerabilitiesResolver
 
+        field :vulnerability_scanners,
+              ::Types::VulnerabilityScannerType.connection_type,
+              null: true,
+              description: 'Vulnerability scanners reported on the project vulnerabilties',
+              resolver: ::Resolvers::Vulnerabilities::ScannersResolver
+
         field :vulnerability_severities_count, ::Types::VulnerabilitySeveritiesCountType, null: true,
                description: 'Counts for each severity of vulnerability of the project',
                resolve: -> (obj, _args, ctx) do

ee/app/graphql/representation/vulnerability_scanner_entry.rb

+# frozen_string_literal: true
+
+module Representation
+  class VulnerabilityScannerEntry < SimpleDelegator
+    def initialize(raw_entry, report_type = raw_entry[:report_type])
+      @report_type = report_type
+
+      super(raw_entry)
+    end
+
+    attr_reader :raw_entry
+
+    def report_type
+      ::Vulnerabilities::Occurrence::REPORT_TYPES.key(@report_type) || @report_type
+    end
+
+    def ==(other)
+      self.class === other && id == other.id && report_type == other.report_type
+    end
+
+    def self.declarative_policy_class
+      'Vulnerabilities::ScannerPolicy'
+    end
+  end
+end

ee/app/graphql/resolvers/vulnerabilities/scanners_resolver.rb

+# frozen_string_literal: true
+
+module Resolvers
+  module Vulnerabilities
+    class ScannersResolver < VulnerabilitiesBaseResolver
+      type Types::VulnerabilityScannerType, null: true
+
+      def resolve(**args)
+        return ::Vulnerabilities::Scanner.none unless vulnerable
+
+        vulnerable
+          .vulnerability_scanners
+          .with_report_type
+          .map(&Representation::VulnerabilityScannerEntry.method(:new))
+      end
+    end
+  end
+end

ee/app/graphql/resolvers/vulnerabilities_resolver.rb

@@ -29,7 +29,7 @@ module Resolvers
     def resolve(**args)
       return Vulnerability.none unless vulnerable
 
-      vulnerabilities(args).with_findings.ordered
+      vulnerabilities(args).with_findings_and_scanner.ordered
     end
 
     private

ee/app/graphql/types/instance_security_dashboard_type.rb

@@ -11,5 +11,11 @@ module Types
           null: false,
           authorize: :read_project,
           description: 'Projects selected in Instance Security Dashboard'
+
+    field :vulnerability_scanners,
+          ::Types::VulnerabilityScannerType.connection_type,
+          null: true,
+          description: 'Vulnerability scanners reported on the vulnerabilties from projects selected in Instance Security Dashboard',
+          resolver: ::Resolvers::Vulnerabilities::ScannersResolver
   end
 end

ee/app/graphql/types/vulnerability_scanner_type.rb

 # frozen_string_literal: true
 
 module Types
-  # rubocop: disable Graphql/AuthorizeTypes
   class VulnerabilityScannerType < BaseObject
     graphql_name 'VulnerabilityScanner'
     description 'Represents a vulnerability scanner.'
 
+    authorize :read_vulnerability_scanner
+
     field :name, GraphQL::STRING_TYPE, null: true,
           description: 'Name of the vulnerability scanner'
 
     field :external_id, GraphQL::STRING_TYPE, null: true,
           description: 'External ID of the vulnerability scanner'
+
+    field :vendor, GraphQL::STRING_TYPE, null: true,
+          description: 'Vendor of the vulnerability scanner'
+
+    field :report_type, VulnerabilityReportTypeEnum, null: true,
+          description: 'Type of the vulnerability report'
   end
-  # rubocop: enable Graphql/AuthorizeTypes
 end

ee/app/graphql/types/vulnerability_type.rb

@@ -44,7 +44,9 @@ module Types
 
     field :scanner, VulnerabilityScannerType, null: true,
           description: 'Scanner metadata for the vulnerability.',
-          resolve: -> (obj, _args, _ctx) { obj.finding&.scanner }
+          resolve: -> (obj, _args, _ctx) do
+            Representation::VulnerabilityScannerEntry.new(obj.finding&.scanner, obj.report_type)
+          end
 
     field :primary_identifier, VulnerabilityIdentifierType, null: true,
           description: 'Primary identifier of the vulnerability.',

ee/app/models/ee/group.rb

@@ -335,6 +335,12 @@ module EE
       )
     end
 
+    def vulnerability_scanners
+      ::Vulnerabilities::Scanner.where(
+        project: ::Project.for_group_and_its_subgroups(self).non_archived.without_deleted
+      )
+    end
+
     def max_personal_access_token_lifetime_from_now
       if max_personal_access_token_lifetime.present?
         max_personal_access_token_lifetime.days.from_now

ee/app/models/instance_security_dashboard.rb

@@ -32,6 +32,12 @@ class InstanceSecurityDashboard
     Vulnerability.for_projects(projects)
   end
 
+  def vulnerability_scanners
+    return Vulnerabilities::Scanner.none if projects.empty?
+
+    Vulnerabilities::Scanner.for_projects(projects)
+  end
+
   private
 
   attr_reader :project_ids, :user

ee/app/models/vulnerabilities/scanner.rb

@@ -14,5 +14,12 @@ module Vulnerabilities
     validates :vendor, length: { maximum: 255, allow_nil: false }
 
     scope :with_external_id, -> (external_ids) { where(external_id: external_ids) }
+
+    scope :for_projects, -> (project_ids) { where(project_id: project_ids) }
+    scope :with_report_type, -> do
+      joins(:occurrences)
+        .select('DISTINCT ON ("vulnerability_scanners"."external_id", "vulnerability_occurrences"."report_type") "vulnerability_scanners".*, "vulnerability_occurrences"."report_type" AS "report_type"')
+        .order('"vulnerability_scanners"."external_id" ASC, "vulnerability_occurrences"."report_type" ASC')
+    end
   end
 end

ee/app/policies/ee/project_policy.rb

@@ -257,7 +257,10 @@ module EE
 
       rule { can?(:read_project) & iterations_available }.enable :read_iteration
 
-      rule { security_dashboard_enabled & can?(:developer_access) }.enable :read_vulnerability
+      rule { security_dashboard_enabled & can?(:developer_access) }.policy do
+        enable :read_vulnerability
+        enable :read_vulnerability_scanner
+      end
 
       rule { on_demand_scans_enabled & can?(:developer_access) }.enable :read_on_demand_scans
 
@@ -323,6 +326,7 @@ module EE
 
       rule { auditor & security_dashboard_enabled }.policy do
         enable :read_vulnerability
+        enable :read_vulnerability_scanner
       end
 
       rule { auditor & ~developer }.policy do

ee/app/policies/vulnerabilities/scanner_policy.rb

+# frozen_string_literal: true
+
+module Vulnerabilities
+  class ScannerPolicy < BasePolicy
+    delegate { @subject.project }
+  end
+end

ee/changelogs/unreleased/210327-add-scanner-vendor-graphql-type.yml

+---
+title: Add vulnerability scanner query to GraphQL API
+merge_request: 35109
+author:
+type: added

ee/spec/graphql/ee/types/group_type_spec.rb

@@ -13,6 +13,7 @@ RSpec.describe GitlabSchema.types['Group'] do
   it { expect(described_class).to have_graphql_field(:groupTimelogsEnabled) }
   it { expect(described_class).to have_graphql_field(:timelogs, complexity: 5) }
   it { expect(described_class).to have_graphql_field(:vulnerabilities) }
+  it { expect(described_class).to have_graphql_field(:vulnerability_scanners) }
   it { expect(described_class).to have_graphql_field(:vulnerabilities_count_by_day_and_severity) }
 
   describe 'timelogs field' do

ee/spec/graphql/representation/vulnerability_scanner_entry_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Representation::VulnerabilityScannerEntry do
+  let(:project) { create(:project) }
+  let(:vulnerability_scanner) { create(:vulnerabilities_scanner, project: project) }
+
+  describe '.declarative_policy_class' do
+    subject { described_class.declarative_policy_class }
+
+    it { is_expected.to eq('Vulnerabilities::ScannerPolicy') }
+  end
+end

ee/spec/graphql/resolvers/vulnerabilities/scanners_resolver_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Resolvers::Vulnerabilities::ScannersResolver do
+  include GraphqlHelpers
+
+  describe '#resolve' do
+    subject { resolve(described_class, obj: vulnerable, args: {}, ctx: { current_user: current_user }) }
+
+    let_it_be(:group) { create(:group) }
+    let_it_be(:project) { create(:project, group: group) }
+    let_it_be(:project_with_no_group) { create(:project) }
+
+    let_it_be(:user) { create(:user, security_dashboard_projects: [project_with_no_group]) }
+
+    let_it_be(:vulnerability_scanner_1) { create(:vulnerabilities_scanner, project: project) }
+    let_it_be(:finding_1) { create(:vulnerabilities_occurrence, project: project, scanner: vulnerability_scanner_1) }
+
+    let_it_be(:vulnerability_scanner_2) { create(:vulnerabilities_scanner, project: project_with_no_group) }
+    let_it_be(:finding_2) { create(:vulnerabilities_occurrence, project: project_with_no_group, scanner: vulnerability_scanner_2) }
+
+    let(:current_user) { user }
+
+    let(:vulnerable) { nil }
+
+    context 'when listing scanners for group' do
+      let(:vulnerable) { group }
+
+      it { is_expected.to contain_exactly(Representation::VulnerabilityScannerEntry.new(vulnerability_scanner_1, finding_1.report_type)) }
+    end
+
+    context 'when listing scanners for project' do
+      let(:vulnerable) { project_with_no_group }
+
+      it { is_expected.to contain_exactly(Representation::VulnerabilityScannerEntry.new(vulnerability_scanner_2, finding_2.report_type)) }
+    end
+
+    context 'when listing scanners for instance dashboard' do
+      let(:vulnerable) { nil }
+
+      before do
+        project_with_no_group.add_developer(current_user)
+      end
+
+      it { is_expected.to contain_exactly(Representation::VulnerabilityScannerEntry.new(vulnerability_scanner_2, finding_2.report_type)) }
+    end
+  end
+end

ee/spec/graphql/types/instance_security_dashboard_type_spec.rb

@@ -8,7 +8,7 @@ RSpec.describe GitlabSchema.types['InstanceSecurityDashboard'] do
   let_it_be(:user) { create(:user, security_dashboard_projects: [project]) }
 
   let(:fields) do
-    %i[projects]
+    %i[projects vulnerability_scanners]
   end
 
   before do

ee/spec/graphql/types/project_type_spec.rb

@@ -15,7 +15,7 @@ RSpec.describe GitlabSchema.types['Project'] do
 
   it 'includes the ee specific fields' do
     expected_fields = %w[
-      service_desk_enabled service_desk_address vulnerabilities
+      service_desk_enabled service_desk_address vulnerabilities vulnerability_scanners
       requirement_states_count vulnerability_severities_count packages
       compliance_frameworks
     ]

ee/spec/graphql/types/vulnerability_scanner_type_spec.rb

@@ -3,5 +3,21 @@
 require 'spec_helper'
 
 RSpec.describe GitlabSchema.types['VulnerabilityScanner'] do
-  it { expect(described_class).to have_graphql_fields(:name, :external_id) }
+  let_it_be(:project) { create(:project) }
+  let_it_be(:user) { create(:user) }
+
+  let(:fields) do
+    %i[name external_id vendor report_type]
+  end
+
+  before do
+    stub_licensed_features(security_dashboard: true)
+
+    project.add_developer(user)
+  end
+
+  subject { GitlabSchema.execute(query, context: { current_user: user }).as_json }
+
+  it { expect(described_class).to have_graphql_fields(fields) }
+  it { expect(described_class).to require_graphql_authorizations(:read_vulnerability_scanner) }
 end

ee/spec/models/group_spec.rb

@@ -316,6 +316,24 @@ RSpec.describe Group do
     end
   end
 
+  describe '#vulnerability_scanners' do
+    subject { group.vulnerability_scanners }
+
+    let(:subgroup) { create(:group, parent: group) }
+    let(:group_project) { create(:project, namespace: group) }
+    let(:subgroup_project) { create(:project, namespace: subgroup) }
+    let(:archived_project) { create(:project, :archived, namespace: group) }
+    let(:deleted_project) { create(:project, pending_delete: true, namespace: group) }
+    let!(:group_vulnerability_scanner) { create(:vulnerabilities_scanner, project: group_project) }
+    let!(:subgroup_vulnerability_scanner) { create(:vulnerabilities_scanner, project: subgroup_project) }
+    let!(:archived_vulnerability_scanner) { create(:vulnerabilities_scanner, project: archived_project) }
+    let!(:deleted_vulnerability_scanner) { create(:vulnerabilities_scanner, project: deleted_project) }
+
+    it 'returns vulnerability scanners for all non-archived, non-deleted projects in the group and its subgroups' do
+      is_expected.to contain_exactly(group_vulnerability_scanner, subgroup_vulnerability_scanner)
+    end
+  end
+
   describe '#mark_ldap_sync_as_failed' do
     it 'sets the state to failed' do
       group.start_ldap_sync

ee/spec/models/instance_security_dashboard_spec.rb

@@ -116,6 +116,25 @@ RSpec.describe InstanceSecurityDashboard do
     end
   end
 
+  describe '#vulnerability_scanners' do
+    let_it_be(:vulnerability_scanner1) { create(:vulnerabilities_scanner, project: project1) }
+    let_it_be(:vulnerability_scanner2) { create(:vulnerabilities_scanner, project: project2) }
+
+    context 'when the user cannot read all resources' do
+      it 'returns only vulnerability scanners from projects on their dashboard that they can read' do
+        expect(subject.vulnerability_scanners).to contain_exactly(vulnerability_scanner1)
+      end
+    end
+
+    context 'when the user can read all resources' do
+      let(:user) { create(:auditor) }
+
+      it "returns vulnerability scanners from all projects on the user's dashboard" do
+        expect(subject.vulnerability_scanners).to contain_exactly(vulnerability_scanner1, vulnerability_scanner2)
+      end
+    end
+  end
+
   describe '#full_path' do
     let(:user) { create(:user) }
 

ee/spec/models/project_spec.rb

@@ -33,6 +33,7 @@ RSpec.describe Project do
     it { is_expected.to have_many(:path_locks) }
     it { is_expected.to have_many(:vulnerability_feedback) }
     it { is_expected.to have_many(:vulnerability_exports) }
+    it { is_expected.to have_many(:vulnerability_scanners) }
     it { is_expected.to have_many(:audit_events).dependent(false) }
     it { is_expected.to have_many(:protected_environments) }
     it { is_expected.to have_many(:approvers).dependent(:destroy) }

ee/spec/policies/project_policy_spec.rb

@@ -37,7 +37,7 @@ RSpec.describe ProjectPolicy do
     let(:additional_developer_permissions) do
       %i[
         admin_vulnerability_feedback read_project_security_dashboard read_feature_flag
-        read_vulnerability create_vulnerability create_vulnerability_export admin_vulnerability
+        read_vulnerability read_vulnerability_scanner create_vulnerability create_vulnerability_export admin_vulnerability
         admin_vulnerability_issue_link read_merge_train
       ]
     end
@@ -53,7 +53,7 @@ RSpec.describe ProjectPolicy do
         read_pipeline read_build read_commit_status read_container_image
         read_environment read_deployment read_merge_request read_pages
         create_merge_request_in award_emoji
-        read_project_security_dashboard read_vulnerability
+        read_project_security_dashboard read_vulnerability read_vulnerability_scanner
         read_software_license_policy
         read_threat_monitoring read_merge_train
       ]

ee/spec/policies/vulnerabilities/scanner_policy_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Vulnerabilities::ScannerPolicy do
+  describe 'read_vulnerability_scanner' do
+    let(:project) { create(:project) }
+    let(:user) { create(:user) }
+    let(:vulnerability_scanner) { create(:vulnerabilities_scanner, project: project) }
+
+    subject { described_class.new(user, vulnerability_scanner) }
+
+    context 'when the security_dashboard feature is enabled' do
+      before do
+        stub_licensed_features(security_dashboard: true)
+      end
+
+      context "when the current user has developer access to the vulnerability's project" do
+        before do
+          project.add_developer(user)
+        end
+
+        it { is_expected.to be_allowed(:read_vulnerability_scanner) }
+      end
+
+      context "when the current user does not have developer access to the vulnerability's project" do
+        it { is_expected.to be_disallowed(:read_vulnerability_scanner) }
+      end
+    end
+
+    context 'when the security_dashboard feature is disabled' do
+      before do
+        stub_licensed_features(security_dashboard: false)
+
+        project.add_developer(user)
+      end
+
+      it { is_expected.to be_disallowed(:read_vulnerability_scanner) }
+    end
+  end
+end