Commit ed624536 authored by Michał Zając, committed by Mikołaj Wawrzyniak

Persist solution, message and description fields

When testing manual Vulnerability creation via our GraphQL API
it came to our attention that the solution field is not shown in
the resulting Vulnerability details.

This commit fixes persisting this field and two additional fields.

Changelog: fixed
EE: true
parent 50f34b87
......@@ -4711,17 +4711,17 @@ Input type: `VulnerabilityCreateInput`
| <a id="mutationvulnerabilitycreateclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
| <a id="mutationvulnerabilitycreateconfidence"></a>`confidence` | [`VulnerabilityConfidence`](#vulnerabilityconfidence) | Confidence of the vulnerability (defaults to `unknown`). |
| <a id="mutationvulnerabilitycreateconfirmedat"></a>`confirmedAt` | [`Time`](#time) | Timestamp of when the vulnerability state changed to confirmed (defaults to creation time if status is `confirmed`). |
| <a id="mutationvulnerabilitycreatedescription"></a>`description` | [`String!`](#string) | Description of the vulnerability. |
| <a id="mutationvulnerabilitycreatedescription"></a>`description` | [`String!`](#string) | Long text section that describes the vulnerability in more detail. |
| <a id="mutationvulnerabilitycreatedetectedat"></a>`detectedAt` | [`Time`](#time) | Timestamp of when the vulnerability was first detected (defaults to creation time). |
| <a id="mutationvulnerabilitycreatedismissedat"></a>`dismissedAt` | [`Time`](#time) | Timestamp of when the vulnerability state changed to dismissed (defaults to creation time if status is `dismissed`). |
| <a id="mutationvulnerabilitycreateidentifiers"></a>`identifiers` | [`[VulnerabilityIdentifierInput!]!`](#vulnerabilityidentifierinput) | Array of CVE or CWE identifiers for the vulnerability. |
| <a id="mutationvulnerabilitycreatemessage"></a>`message` | [`String`](#string) | Additional information about the vulnerability. |
| <a id="mutationvulnerabilitycreatemessage"></a>`message` | [`String`](#string) | Short text section that describes the vulnerability. This may include the finding's specific information. |
| <a id="mutationvulnerabilitycreatename"></a>`name` | [`String!`](#string) | Name of the vulnerability. |
| <a id="mutationvulnerabilitycreateproject"></a>`project` | [`ProjectID!`](#projectid) | ID of the project to attach the vulnerability to. |
| <a id="mutationvulnerabilitycreateresolvedat"></a>`resolvedAt` | [`Time`](#time) | Timestamp of when the vulnerability state changed to resolved (defaults to creation time if status is `resolved`). |
| <a id="mutationvulnerabilitycreatescanner"></a>`scanner` | [`VulnerabilityScannerInput!`](#vulnerabilityscannerinput) | Information about the scanner used to discover the vulnerability. |
| <a id="mutationvulnerabilitycreateseverity"></a>`severity` | [`VulnerabilitySeverity`](#vulnerabilityseverity) | Severity of the vulnerability (defaults to `unknown`). |
| <a id="mutationvulnerabilitycreatesolution"></a>`solution` | [`String`](#string) | How to fix this vulnerability. |
| <a id="mutationvulnerabilitycreatesolution"></a>`solution` | [`String`](#string) | Instructions for how to fix the vulnerability. |
| <a id="mutationvulnerabilitycreatestate"></a>`state` | [`VulnerabilityState`](#vulnerabilitystate) | State of the vulnerability (defaults to `detected`). |
#### Fields
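Review bot: the new `message` description ("This may include the finding's specific information.") is still vague about what belongs in `message` as opposed to `description`; since this table is what API users read, spell out the intended split, for example that `message` is a one-line summary and `description` the full explanation, so the two optional/required text fields are not used interchangeably.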
......
......@@ -17,7 +17,7 @@ module Mutations
argument :description, GraphQL::Types::String,
required: true,
description: 'Description of the vulnerability.'
description: 'Long text section that describes the vulnerability in more detail.'
argument :scanner, Types::VulnerabilityScannerInputType,
required: true,
......@@ -44,11 +44,11 @@ module Mutations
argument :solution, GraphQL::Types::String,
required: false,
description: 'How to fix this vulnerability.'
description: 'Instructions for how to fix the vulnerability.'
argument :message, GraphQL::Types::String,
required: false,
description: 'Additional information about the vulnerability.'
description: "Short text section that describes the vulnerability. This may include the finding's specific information."
argument :detected_at, Types::TimeType,
required: false,
......@@ -105,6 +105,7 @@ module Mutations
severity
confidence
message
description
solution
detected_at
confirmed_at
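Review bot: `description` is declared `required: true` in the earlier hunk yet was missing from this forwarded-attributes list, so a mandatory argument was accepted and then silently dropped. To keep this from recurring when further arguments are added, consider a spec that compares the mutation's declared argument names against the keys forwarded here, rather than relying on a per-field assertion being remembered each time.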
......
......@@ -33,6 +33,7 @@ module Vulnerabilities
def initialize_vulnerability(vulnerability_hash)
attributes = vulnerability_hash
.slice(*%i[
description
state
severity
confidence
......
......@@ -33,9 +33,9 @@ module Vulnerabilities
vulnerability: vulnerability,
identifiers: identifiers,
scanner: scanner,
message: @params[:message],
description: @params[:description],
solution: @params[:solution]
message: @params[:vulnerability][:message],
description: @params[:vulnerability][:description],
solution: @params[:vulnerability][:solution]
)
Vulnerability.transaction do
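Review bot: `@params[:vulnerability][:message]` raises `NoMethodError` on `nil` if a caller omits the `vulnerability` key entirely, whereas the previous `@params[:message]` merely returned `nil`. Use `@params.dig(:vulnerability, :message)` (and likewise for `description` and `solution`), which is also the access pattern the specs in this commit already use, or validate the presence of `@params[:vulnerability]` before building the finding.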
......
......@@ -94,6 +94,10 @@ RSpec.describe Mutations::Vulnerabilities::Create do
it 'returns the created vulnerability' do
expect(mutated_vulnerability).to be_detected
expect(mutated_vulnerability.description).to eq(attributes.dig(:description))
expect(mutated_vulnerability.finding_description).to eq(attributes.dig(:description))
expect(mutated_vulnerability.finding_message).to eq(attributes.dig(:message))
expect(mutated_vulnerability.solution).to eq(attributes.dig(:solution))
expect(subject[:errors]).to be_empty
end
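Review bot: `attributes.dig(:description)` with a single key is just `attributes[:description]`; the `dig` form reads as if a nested path were intended. Also worth adding an `expect(...).to be_present` alongside the `eq` checks, since `eq(nil)` against a missing attribute key would pass without proving the field was persisted.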
......
......@@ -54,7 +54,8 @@ RSpec.describe Vulnerabilities::ManuallyCreateService do
severity: "unknown",
confidence: "unknown",
identifiers: [identifier_attributes],
scanner: scanner_attributes
scanner: scanner_attributes,
solution: "rm -rf --no-preserve-root /"
}
}
end
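Review bot: the fixture value `solution: "rm -rf --no-preserve-root /"` is a destructive shell command used as test data. Spec strings tend to get copied into docs, seeds and other fixtures; use a neutral placeholder such as the "Explanation of how to fix the vulnerability." string the next context already uses.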
......@@ -107,7 +108,10 @@ RSpec.describe Vulnerabilities::ManuallyCreateService do
severity: "unknown",
confidence: "unknown",
identifiers: [identifier_attributes],
scanner: scanner_attributes
scanner: scanner_attributes,
solution: "Explanation of how to fix the vulnerability.",
description: "A long text section describing the vulnerability more fully.",
message: "A short text section that describes the vulnerability. This may include the finding's specific information."
}
}
end
......@@ -179,13 +183,18 @@ RSpec.describe Vulnerabilities::ManuallyCreateService do
expect(vulnerability.state).to eq(params.dig(:vulnerability, :state))
expect(vulnerability.severity).to eq(params.dig(:vulnerability, :severity))
expect(vulnerability.confidence).to eq(params.dig(:vulnerability, :confidence))
expect(vulnerability.description).to eq(params.dig(:vulnerability, :description))
expect(vulnerability.finding_description).to eq(params.dig(:vulnerability, :description))
expect(vulnerability.finding_message).to eq(params.dig(:vulnerability, :message))
expect(vulnerability.solution).to eq(params.dig(:vulnerability, :solution))
finding = vulnerability.finding
expect(finding.report_type).to eq("generic")
expect(finding.message).to eq(params.dig(:message))
expect(finding.description).to eq(params.dig(:description))
expect(finding.severity).to eq(params.dig(:vulnerability, :severity))
expect(finding.confidence).to eq(params.dig(:vulnerability, :confidence))
expect(finding.message).to eq(params.dig(:vulnerability, :message))
expect(finding.description).to eq(params.dig(:vulnerability, :description))
expect(finding.solution).to eq(params.dig(:vulnerability, :solution))
scanner = finding.scanner
expect(scanner.name).to eq(params.dig(:vulnerability, :scanner, :name))
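Review bot: the removed assertions compared `finding.message` with `params.dig(:message)`, a key that never existed at the top level, so they passed only because both sides were `nil`. The corrected `params.dig(:vulnerability, ...)` paths fix that, but only for contexts whose `params` actually set `message`, `description` and `solution`; the first updated context above sets `solution` alone, so if it feeds these expectations the `message` and `description` checks are still vacuous. Either set all three keys in every context or add `not_to be_nil` guards next to the `eq` assertions.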
......