Merge branch '411570-enable-vulnerabilityquery-filtering-by-dismissal-reason-2' into 'master'

Allow filtering Vulnerabilties by dismissal reason

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/127652



Merged-by: Gregory Havenga <11164960-ghavenga@users.noreply.gitlab.com>
Approved-by: Gregorius Marco <gmarco@gitlab.com>
Approved-by: Gregory Havenga <11164960-ghavenga@users.noreply.gitlab.com>
Co-authored-by: Michał Zając <mzajac@gitlab.com>

db/post_migrate/20230731100513_add_index_on_vulnerability_reads_for_filtering.rb

+# frozen_string_literal: true
+
+class AddIndexOnVulnerabilityReadsForFiltering < Gitlab::Database::Migration[2.1]
+  disable_ddl_transaction!
+
+  INDEX_NAME = "idx_vuln_reads_for_filtering"
+
+  def up
+    add_concurrent_index(
+      :vulnerability_reads,
+      %i[project_id state dismissal_reason severity vulnerability_id],
+      order: { severity: :desc, vulnerability_id: "DESC NULLS LAST" },
+      name: INDEX_NAME
+    )
+  end
+
+  def down
+    remove_concurrent_index_by_name(
+      :vulnerability_reads,
+      INDEX_NAME
+    )
+  end
+end

db/schema_migrations/20230731100513

+a85f3b493021cc27079dc07fe0ba5f11eeeca9798cf6ccdc60f7f7f7eae049af
\ No newline at end of file

db/structure.sql

@@ -30191,6 +30191,8 @@ CREATE UNIQUE INDEX idx_uniq_analytics_dashboards_pointers_on_project_id ON anal
 CREATE INDEX idx_user_details_on_provisioned_by_group_id_user_id ON user_details USING btree (provisioned_by_group_id, user_id);
+CREATE INDEX idx_vuln_reads_for_filtering ON vulnerability_reads USING btree (project_id, state, dismissal_reason, severity DESC, vulnerability_id DESC NULLS LAST);
+
 CREATE UNIQUE INDEX idx_vuln_signatures_uniqueness_signature_sha ON vulnerability_finding_signatures USING btree (finding_id, algorithm_type, signature_sha);
 CREATE INDEX idx_vulnerabilities_on_project_id_and_id_active_cis_dft_branch ON vulnerabilities USING btree (project_id, id) WHERE ((report_type = 7) AND (state = ANY (ARRAY[1, 4])) AND (present_on_default_branch IS TRUE));

doc/api/graphql/reference/index.md

@@ -783,6 +783,7 @@ four standard [pagination arguments](#connection-pagination-arguments):
 | ---- | ---- | ----------- |
 | <a id="queryvulnerabilitiesclusteragentid"></a>`clusterAgentId` | [`[ClustersAgentID!]`](#clustersagentid) | Filter vulnerabilities by `cluster_agent_id`. Vulnerabilities with a `reportType` of `cluster_image_scanning` are only included with this filter. |
 | <a id="queryvulnerabilitiesclusterid"></a>`clusterId` | [`[ClustersClusterID!]`](#clustersclusterid) | Filter vulnerabilities by `cluster_id`. Vulnerabilities with a `reportType` of `cluster_image_scanning` are only included with this filter. |
+| <a id="queryvulnerabilitiesdismissalreason"></a>`dismissalReason` | [`[VulnerabilityDismissalReason!]`](#vulnerabilitydismissalreason) | Filter by dismissal reason. Only dismissed Vulnerabilities will be included with the filter. |
 | <a id="queryvulnerabilitieshasissues"></a>`hasIssues` | [`Boolean`](#boolean) | Returns only the vulnerabilities which have linked issues. |
 | <a id="queryvulnerabilitieshasresolution"></a>`hasResolution` | [`Boolean`](#boolean) | Returns only the vulnerabilities which have been resolved on default branch. |
 | <a id="queryvulnerabilitiesimage"></a>`image` | [`[String!]`](#string) | Filter vulnerabilities by location image. When this filter is present, the response only matches entries for a `reportType` that includes `container_scanning`, `cluster_image_scanning`. |
@@ -17249,6 +17250,7 @@ four standard [pagination arguments](#connection-pagination-arguments):
 | ---- | ---- | ----------- |
 | <a id="groupvulnerabilitiesclusteragentid"></a>`clusterAgentId` | [`[ClustersAgentID!]`](#clustersagentid) | Filter vulnerabilities by `cluster_agent_id`. Vulnerabilities with a `reportType` of `cluster_image_scanning` are only included with this filter. |
 | <a id="groupvulnerabilitiesclusterid"></a>`clusterId` | [`[ClustersClusterID!]`](#clustersclusterid) | Filter vulnerabilities by `cluster_id`. Vulnerabilities with a `reportType` of `cluster_image_scanning` are only included with this filter. |
+| <a id="groupvulnerabilitiesdismissalreason"></a>`dismissalReason` | [`[VulnerabilityDismissalReason!]`](#vulnerabilitydismissalreason) | Filter by dismissal reason. Only dismissed Vulnerabilities will be included with the filter. |
 | <a id="groupvulnerabilitieshasissues"></a>`hasIssues` | [`Boolean`](#boolean) | Returns only the vulnerabilities which have linked issues. |
 | <a id="groupvulnerabilitieshasresolution"></a>`hasResolution` | [`Boolean`](#boolean) | Returns only the vulnerabilities which have been resolved on default branch. |
 | <a id="groupvulnerabilitiesimage"></a>`image` | [`[String!]`](#string) | Filter vulnerabilities by location image. When this filter is present, the response only matches entries for a `reportType` that includes `container_scanning`, `cluster_image_scanning`. |
@@ -22068,6 +22070,7 @@ four standard [pagination arguments](#connection-pagination-arguments):
 | ---- | ---- | ----------- |
 | <a id="projectvulnerabilitiesclusteragentid"></a>`clusterAgentId` | [`[ClustersAgentID!]`](#clustersagentid) | Filter vulnerabilities by `cluster_agent_id`. Vulnerabilities with a `reportType` of `cluster_image_scanning` are only included with this filter. |
 | <a id="projectvulnerabilitiesclusterid"></a>`clusterId` | [`[ClustersClusterID!]`](#clustersclusterid) | Filter vulnerabilities by `cluster_id`. Vulnerabilities with a `reportType` of `cluster_image_scanning` are only included with this filter. |
+| <a id="projectvulnerabilitiesdismissalreason"></a>`dismissalReason` | [`[VulnerabilityDismissalReason!]`](#vulnerabilitydismissalreason) | Filter by dismissal reason. Only dismissed Vulnerabilities will be included with the filter. |
 | <a id="projectvulnerabilitieshasissues"></a>`hasIssues` | [`Boolean`](#boolean) | Returns only the vulnerabilities which have linked issues. |
 | <a id="projectvulnerabilitieshasresolution"></a>`hasResolution` | [`Boolean`](#boolean) | Returns only the vulnerabilities which have been resolved on default branch. |
 | <a id="projectvulnerabilitiesimage"></a>`image` | [`[String!]`](#string) | Filter vulnerabilities by location image. When this filter is present, the response only matches entries for a `reportType` that includes `container_scanning`, `cluster_image_scanning`. |

ee/app/finders/security/vulnerability_reads_finder.rb

@@ -42,6 +42,7 @@ def execute
       filter_by_resolution
       filter_by_issues
       filter_by_cluster_agent_id
+      filter_by_dismissal_reason
 
       sort
     end
@@ -123,6 +124,12 @@ def filter_by_cluster_agent_id
       @vulnerability_reads = vulnerability_reads.with_cluster_agent_ids(cluster_agent_ids_as_string)
     end
 
+    def filter_by_dismissal_reason
+      return unless params[:dismissal_reason].present?
+
+      @vulnerability_reads = vulnerability_reads.with_dismissal_reason(params[:dismissal_reason])
+    end
+
     def sort
       @vulnerability_reads.order_by(params[:sort])
     end

ee/app/graphql/resolvers/vulnerabilities_resolver.rb

@@ -62,6 +62,10 @@ class VulnerabilitiesResolver < VulnerabilitiesBaseResolver
              description: "Filter vulnerabilities by `cluster_agent_id`. Vulnerabilities with a `reportType` "\
                           "of `cluster_image_scanning` are only included with this filter."
 
+    argument :dismissal_reason, [Types::Vulnerabilities::DismissalReasonEnum],
+      required: false,
+      description: "Filter by dismissal reason. Only dismissed Vulnerabilities will be included with the filter."
+
     def resolve_with_lookahead(**args)
       return Vulnerability.none unless vulnerable
 

ee/app/models/vulnerabilities/read.rb

@@ -53,6 +53,7 @@ class Read < ApplicationRecord
     scope :with_scanner_external_ids, -> (scanner_external_ids) { joins(:scanner).merge(::Vulnerabilities::Scanner.with_external_id(scanner_external_ids)) }
     scope :with_findings_scanner_and_identifiers, -> { includes(vulnerability: { findings: [:scanner, :identifiers, finding_identifiers: :identifier] }) }
     scope :resolved_on_default_branch, -> { where('resolved_on_default_branch IS TRUE') }
+    scope :with_dismissal_reason, -> (dismissal_reason) { where(dismissal_reason: dismissal_reason) }
 
     scope :as_vulnerabilities, -> do
       preload(vulnerability: { project: [:route] }).current_scope.tap do |relation|

ee/spec/factories/vulnerabilities/read.rb

@@ -9,5 +9,6 @@
     severity { :high }
     state { :detected }
     uuid { SecureRandom.uuid }
+    traits_for_enum :dismissal_reason, Vulnerabilities::DismissalReasonEnum.values.keys
   end
 end

ee/spec/graphql/resolvers/vulnerabilities_resolver_spec.rb

@@ -211,6 +211,20 @@
       end
     end
 
+    context 'when dismissal reason is given' do
+      let(:params) { { dismissal_reason: %w[USED_IN_TESTS FALSE_POSITIVE] } }
+
+      let_it_be(:dismissed_vulnerability_1) { create(:vulnerability, :dismissed, project: project) }
+      let_it_be(:vulnerability_read_1) { create(:vulnerability_read, :used_in_tests, vulnerability: dismissed_vulnerability_1, project: project) }
+
+      let_it_be(:dismissed_vulnerability_2) { create(:vulnerability, :dismissed, project: project) }
+      let_it_be(:vulnerability_read_2) { create(:vulnerability_read, :false_positive, vulnerability: dismissed_vulnerability_2, project: project) }
+
+      it 'returns only dissmissed Vulnerabilities with matching dismissal reason' do
+        is_expected.to match_array([dismissed_vulnerability_1, dismissed_vulnerability_2])
+      end
+    end
+
     context 'when cluster_id is given' do
       let_it_be(:cluster_agent) { create(:cluster_agent, project: project) }
       let_it_be(:cluster_vulnerability) { create(:vulnerability, :cluster_image_scanning, project: project) }