Persist solution, message and description fields

When testing manual Vulnerability creation via our GraphQL API it came to our attention that the solution field is not shown in the resulting Vulnerability details. This commit fixes persisting this field and two additional fields. Changelog: fixed EE: true

Persist solution, message and description fields
When testing manual Vulnerability creation via our GraphQL API it came to our attention that the solution field is not shown in the resulting Vulnerability details. This commit fixes persisting this field and two additional fields. Changelog: fixed EE: true
ed624536 · Michał Zając · Mikołaj Wawrzyniak · 50f34b87 · ed624536 · ed624536
Commit ed624536 authored Oct 22, 2021 by Michał Zając Committed by Mikołaj Wawrzyniak Oct 25, 2021
6 changed files
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -4711,17 +4711,17 @@ Input type: `VulnerabilityCreateInput`
 | <a id="mutationvulnerabilitycreateclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. |
 | <a id="mutationvulnerabilitycreateconfidence"></a>`confidence` | [`VulnerabilityConfidence`](#vulnerabilityconfidence) | Confidence of the vulnerability (defaults to `unknown`). |
 | <a id="mutationvulnerabilitycreateconfirmedat"></a>`confirmedAt` | [`Time`](#time) | Timestamp of when the vulnerability state changed to confirmed (defaults to creation time if status is `confirmed`). |
-| <a id="mutationvulnerabilitycreatedescription"></a>`description` | [`String!`](#string) | Description of the vulnerability. |
+| <a id="mutationvulnerabilitycreatedescription"></a>`description` | [`String!`](#string) | Long text section that describes the vulnerability in more detail. |
 | <a id="mutationvulnerabilitycreatedetectedat"></a>`detectedAt` | [`Time`](#time) | Timestamp of when the vulnerability was first detected (defaults to creation time). |
 | <a id="mutationvulnerabilitycreatedismissedat"></a>`dismissedAt` | [`Time`](#time) | Timestamp of when the vulnerability state changed to dismissed (defaults to creation time if status is `dismissed`). |
 | <a id="mutationvulnerabilitycreateidentifiers"></a>`identifiers` | [`[VulnerabilityIdentifierInput!]!`](#vulnerabilityidentifierinput) | Array of CVE or CWE identifiers for the vulnerability. |
-| <a id="mutationvulnerabilitycreatemessage"></a>`message` | [`String`](#string) | Additional information about the vulnerability. |
+| <a id="mutationvulnerabilitycreatemessage"></a>`message` | [`String`](#string) | Short text section that describes the vulnerability. This may include the finding's specific information. |
 | <a id="mutationvulnerabilitycreatename"></a>`name` | [`String!`](#string) | Name of the vulnerability. |
 | <a id="mutationvulnerabilitycreateproject"></a>`project` | [`ProjectID!`](#projectid) | ID of the project to attach the vulnerability to. |
 | <a id="mutationvulnerabilitycreateresolvedat"></a>`resolvedAt` | [`Time`](#time) | Timestamp of when the vulnerability state changed to resolved (defaults to creation time if status is `resolved`). |
 | <a id="mutationvulnerabilitycreatescanner"></a>`scanner` | [`VulnerabilityScannerInput!`](#vulnerabilityscannerinput) | Information about the scanner used to discover the vulnerability. |
 | <a id="mutationvulnerabilitycreateseverity"></a>`severity` | [`VulnerabilitySeverity`](#vulnerabilityseverity) | Severity of the vulnerability (defaults to `unknown`). |
-| <a id="mutationvulnerabilitycreatesolution"></a>`solution` | [`String`](#string) | How to fix this vulnerability. |
+| <a id="mutationvulnerabilitycreatesolution"></a>`solution` | [`String`](#string) | Instructions for how to fix the vulnerability. |
 | <a id="mutationvulnerabilitycreatestate"></a>`state` | [`VulnerabilityState`](#vulnerabilitystate) | State of the vulnerability (defaults to `detected`). |

 #### Fields

--- a/ee/app/graphql/mutations/vulnerabilities/create.rb
+++ b/ee/app/graphql/mutations/vulnerabilities/create.rb
@@ -17,7 +17,7 @@ module Mutations

      argument :description, GraphQL::Types::String,
        required: true,
-        description: 'Description of the vulnerability.'
+        description: 'Long text section that describes the vulnerability in more detail.'

      argument :scanner, Types::VulnerabilityScannerInputType,
        required: true,
@@ -44,11 +44,11 @@ module Mutations

      argument :solution, GraphQL::Types::String,
        required: false,
-        description: 'How to fix this vulnerability.'
+        description: 'Instructions for how to fix the vulnerability.'

      argument :message, GraphQL::Types::String,
        required: false,
-        description: 'Additional information about the vulnerability.'
+        description: "Short text section that describes the vulnerability. This may include the finding's specific information."

      argument :detected_at, Types::TimeType,
        required: false,
@@ -105,6 +105,7 @@ module Mutations
          severity
          confidence
          message
+          description
          solution
          detected_at
          confirmed_at

--- a/ee/app/services/vulnerabilities/create_service_base.rb
+++ b/ee/app/services/vulnerabilities/create_service_base.rb
@@ -33,6 +33,7 @@ module Vulnerabilities
    def initialize_vulnerability(vulnerability_hash)
      attributes = vulnerability_hash
        .slice(*%i[
+          description
          state
          severity
          confidence

--- a/ee/app/services/vulnerabilities/manually_create_service.rb
+++ b/ee/app/services/vulnerabilities/manually_create_service.rb
@@ -33,9 +33,9 @@ module Vulnerabilities
        vulnerability: vulnerability,
        identifiers: identifiers,
        scanner: scanner,
-        message: @params[:message],
-        description: @params[:description],
-        solution: @params[:solution]
+        message: @params[:vulnerability][:message],
+        description: @params[:vulnerability][:description],
+        solution: @params[:vulnerability][:solution]
      )

      Vulnerability.transaction do

--- a/ee/spec/graphql/mutations/vulnerabilities/create_spec.rb
+++ b/ee/spec/graphql/mutations/vulnerabilities/create_spec.rb
@@ -94,6 +94,10 @@ RSpec.describe Mutations::Vulnerabilities::Create do

        it 'returns the created vulnerability' do
          expect(mutated_vulnerability).to be_detected
+          expect(mutated_vulnerability.description).to eq(attributes.dig(:description))
+          expect(mutated_vulnerability.finding_description).to eq(attributes.dig(:description))
+          expect(mutated_vulnerability.finding_message).to eq(attributes.dig(:message))
+          expect(mutated_vulnerability.solution).to eq(attributes.dig(:solution))
          expect(subject[:errors]).to be_empty
        end


--- a/ee/spec/services/vulnerabilities/manually_create_service_spec.rb
+++ b/ee/spec/services/vulnerabilities/manually_create_service_spec.rb
@@ -54,7 +54,8 @@ RSpec.describe Vulnerabilities::ManuallyCreateService do
            severity: "unknown",
            confidence: "unknown",
            identifiers: [identifier_attributes],
-            scanner: scanner_attributes
+            scanner: scanner_attributes,
+            solution: "rm -rf --no-preserve-root /"
          }
        }
      end
@@ -107,7 +108,10 @@ RSpec.describe Vulnerabilities::ManuallyCreateService do
              severity: "unknown",
              confidence: "unknown",
              identifiers: [identifier_attributes],
-              scanner: scanner_attributes
+              scanner: scanner_attributes,
+              solution: "Explanation of how to fix the vulnerability.",
+              description: "A long text section describing the vulnerability more fully.",
+              message: "A short text section that describes the vulnerability. This may include the finding's specific information."
            }
          }
        end
@@ -179,13 +183,18 @@ RSpec.describe Vulnerabilities::ManuallyCreateService do
          expect(vulnerability.state).to eq(params.dig(:vulnerability, :state))
          expect(vulnerability.severity).to eq(params.dig(:vulnerability, :severity))
          expect(vulnerability.confidence).to eq(params.dig(:vulnerability, :confidence))
+          expect(vulnerability.description).to eq(params.dig(:vulnerability, :description))
+          expect(vulnerability.finding_description).to eq(params.dig(:vulnerability, :description))
+          expect(vulnerability.finding_message).to eq(params.dig(:vulnerability, :message))
+          expect(vulnerability.solution).to eq(params.dig(:vulnerability, :solution))

          finding = vulnerability.finding
          expect(finding.report_type).to eq("generic")
-          expect(finding.message).to eq(params.dig(:message))
-          expect(finding.description).to eq(params.dig(:description))
          expect(finding.severity).to eq(params.dig(:vulnerability, :severity))
          expect(finding.confidence).to eq(params.dig(:vulnerability, :confidence))
+          expect(finding.message).to eq(params.dig(:vulnerability, :message))
+          expect(finding.description).to eq(params.dig(:vulnerability, :description))
+          expect(finding.solution).to eq(params.dig(:vulnerability, :solution))

          scanner = finding.scanner
          expect(scanner.name).to eq(params.dig(:vulnerability, :scanner, :name))