[BE] Add fields to the PipelineSecurityReportFinding GraphQL type
As part of migrating the pipeline security dashboard to GraphQL, we need to add several fields to the `PipelineSecurityReportFinding` type.

<details>
<summary>Currently used fields when displaying vulnerability details (<code>ee/app/assets/javascripts/vulnerabilities/components/vulnerability_details.vue</code>):</summary>

- `location`
- `stacktraceSnippet`
- `scanner`
- `location`
- `evidenceSource`
- `supportingMessages`
- `request`
- `response`
- `description`
- `title`
- `severity`
- `evidence`
- `links`
- `identifiers`
- `assets`
- `uuid`

</details>

<details>
<summary>Current `PipelineSecurityReportFinding` fields:</summary>

- `confidence`
- `description`
- `identifiers`
- `location`
- `name`
- `project`
- `projectFingerprint`
- `reportType`
- `scanner`
- `severity`
- `solution`
- `state`
- `uuid`

</details>

Based on that, the following fields are missing:

- `stacktraceSnippet`
- `evidenceSource`
- `supportingMessages`
- `request`
- `response`
- `title`
- `evidence`
- `links`
- `assets`

## Related links

- [Discussion in frontend issue](https://gitlab.com/gitlab-org/gitlab/-/issues/331403#note_619265614)

## Additional info

https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/serializers/vulnerabilities/finding_entity.rb seems to contain all fields mentioned above, so this file can be used to double check the missing fields.

**If possible, make sure to return the same structure as used in https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/helpers/vulnerabilities_helper.rb#L10. This will help us reuse the same logic we have for the vulnerability details page in the ~frontend.**

## Implementation Plan

1. Create the following new `GraphQL` types, which are based on the findings from [Technical Spike: Define GraphQL schema to support migration for Vulnerability Details](https://gitlab.com/gitlab-org/gitlab/-/issues/343312#findings):

   ```graphql
   type VulnerabilityEvidence {
     summary: String
     supportingMessages: [VulnerabilityEvidenceSupportingMessage]
     source: VulnerabilityEvidenceSource
     request: [VulnerabilityRequest!]
     response: [VulnerabilityResponse!]
   }

   type VulnerabilityEvidenceSupportingMessage {
     name: String!
     request: [VulnerabilityRequest]
     response: [VulnerabilityResponse]
   }

   type VulnerabilityEvidenceSource {
     id: String!
     name: String!
     url: String
   }

   type VulnerabilityRequestResponseHeader {
     name: String
     value: String
   }

   type VulnerabilityRequest {
     body: String
     method: String!
     url: String!
     headers: [VulnerabilityRequestResponseHeader!]
   }

   type VulnerabilityResponse {
     body: String
     statusCode: String!
     reasonPhrase: String!
     headers: [VulnerabilityRequestResponseHeader!]
   }

   type VulnerabilityAsset {
     type: String!
     name: String!
     url: String!
   }

   # Check ee/lib/ee/gitlab/ci/parsers/security/validators/schemas/coverage-fuzzing-report-format.json
   # for more details
   type VulnerabilityLocationCoverageFuzzing {
     crashType: String
     crashAddress: String
     stacktraceSnippet: String
   }
   ```

1. Extend [`PipelineSecurityReportFindingType`](https://gitlab.com/gitlab-org/gitlab/blob/554b228c985/ee/app/graphql/types/pipeline_security_report_finding_type.rb#L5-5) to add the following fields, based on the new types added in step `1.`:

   ```graphql
   type SecurityReportFinding {
     assets: [VulnerabilityAsset]
     evidence: VulnerabilityEvidence
     title: String # alias for `name`, which will be deprecated
     stacktraceSnippet: VulnerabilityLocationCoverageFuzzing
   }
   ```
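
The non-null markers (`!`) in the proposed types decide how much of `evidence` a client loses when a scanner report is incomplete. The Ruby sketch below is an added example, not GitLab code: it applies the GraphQL spec's null-propagation rule to a subset of the proposed schema, using a constructed evidence hash; `complete`, `check_evidence` and `SAMPLE_EVIDENCE` are hypothetical names.

```ruby
# Subset of the types proposed in this issue: field name => GraphQL type string.
SCHEMA = {
  "VulnerabilityEvidence" => {
    "summary" => "String",
    "request" => "[VulnerabilityRequest!]", "response" => "[VulnerabilityResponse!]"
  },
  "VulnerabilityRequest" => { "body" => "String", "method" => "String!", "url" => "String!" },
  "VulnerabilityResponse" => { "body" => "String", "statusCode" => "String!", "reasonPhrase" => "String!" }
}.freeze

class NonNullViolation < StandardError; end

# Completes `value` against `type` the way the GraphQL spec handles field errors:
# a null in a `!` position is an error that nulls out the nearest nullable ancestor.
def complete(type, value, path, errors)
  non_null = type.end_with?("!")
  inner = type.chomp("!")
  result =
    if value.nil?
      nil
    elsif inner.start_with?("[")
      value.each_with_index.map { |v, i| complete(inner[1..-2], v, path + [i], errors) }
    elsif SCHEMA.key?(inner)
      SCHEMA[inner].to_h { |f, t| [f, complete(t, value[f], path + [f], errors)] }
    else
      value # scalar
    end
  raise NonNullViolation, path.join(".") if non_null && result.nil?
  result
rescue NonNullViolation => e
  raise if non_null   # `!` position: keep propagating to the parent
  errors << e.message # nullable position: record the error, field becomes null
  nil
end

# Constructed sample: the second request lacks `method`, declared as `String!`.
SAMPLE_EVIDENCE = {
  "summary" => "constructed example",
  "request" => [
    { "method" => "GET", "url" => "https://example.test/a" },
    { "url" => "https://example.test/b" }
  ],
  "response" => [{ "statusCode" => "200", "reasonPhrase" => "OK" }]
}.freeze

def check_evidence(evidence, errors = [])
  [complete("VulnerabilityEvidence", evidence, ["evidence"], errors), errors]
end
```

With the sample, one request missing `method` nulls the entire `request` list (error path `evidence.request.1.method`) while `summary` and `response` survive, so incomplete report entries are worth normalising before they reach these fields.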