
Integrate frontend with GraphQL APIs for Vulnerability reports OWASP 2021 grouping

Release Notes

Group by OWASP 2021 is now available in the vulnerability report. Note: gitlab.com and dedicated instances only.

Why are we doing this work

OWASP 2021 grouping was fully built in the UI, but could not be enabled due to database constraints. The work exists behind the feature flag vulnerability_report_owasp_2021.

This is the frontend issue to integrate the new GraphQL queries that are backed by Elasticsearch.

This issue specifically tracks adding Group by OWASP 2021.

Relevant links

This is part 2 of 2 of the MVC scope to enable Elasticsearch for vulnerability records. The other part is Integrate frontend with GraphQL APIs for Vulner... (#532716 - closed).

Backend issue: Vulnerabilities GraphQL API for OWASP 2021 usin... (#524127 - closed)

Functional requirements

  1. Applies to Project and Group vulnerability reports (Security Center is not supported for now).
  2. Group by OWASP 2021 should additionally be available when Elasticsearch is enabled on the instance (determined by a new ability).
  3. A new GraphQL query field will be used for OWASP 2021 identifier filtering (owaspTop102021).

Non-functional requirements

Outstanding Questions

  1. Does scope include the Security Center page?
    1. No - security center is out of scope per #532703 (comment 2505719460)

Implementation plan

  1. Applies to Project and Group vulnerability reports.
  2. Extend the work done in Place Group by OWASP 2021 item behind a feature... (#438788 - closed).
    1. Additionally check for the ES ability accessAdvancedVulnerabilityManagement added in #536248 (closed).
      1. Both the feature flag and the ability need to be enabled for OWASP 2021 to be available in the UI.
    2. Use the @client directive (this may not be needed, as it is behind a frontend feature flag).
  3. For both the vulnerabilitySeveritiesCount and [scope]Vulnerabilities queries:
    1. Use owasp_top_10_2021 instead of owasp_top_10 when grouping by OWASP 2021.

Verification steps

  1. Applies to Project and Group vulnerability reports.
  2. Follow the steps at !188597 (merged) to get Elasticsearch set up locally.
  3. Both features need to be enabled:
    1. Toggle Feature.enable(:advanced_vulnerability_management) to test between Postgres and ES data source availability.
    2. Toggle Feature.enable(:vulnerability_report_owasp_2021) to enable Group by OWASP 2021.
  4. Inspect the 3 GraphQL queries using the browser network tab.
    1. Locations:
      1. Severity Counts - Top Bar - this shows total counts for the main filters.
      2. Severity Counts - OWASP groups below the search bar - VulnerabilitySeveritiesCount GraphQL API for id... (#534633 - closed)
        1. The "Non-OWASP Top 10" group at the bottom should have counts for the remaining vulnerabilities not tracked with Top 10 IDs.
      3. Vulnerability List - when a group is expanded - Vulnerabilities GraphQL API for identifier name... (#532695 - closed)
    2. Queries should use the owaspTopTen2021 field when Group by: OWASP 2021 is selected (this field triggers use of ES for the query).
    3. Queries should use the owaspTopTen field when Group by: OWASP 2017 is selected.
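The gating logic from the implementation plan (flag and ability both required, field chosen per grouping) and the "Non-OWASP Top 10" remainder check from the verification steps, as an added illustration that is not GitLab's own code. The flag and ability names mirror this issue; the severity-count shapes and sample numbers are constructed, and the 2021 field name follows the verification steps above.

```javascript
// Added example, not GitLab frontend code. Models the gating, field
// selection and count check described in this issue.

const GROUP_BY_OWASP_2017 = 'OWASP 2017';
const GROUP_BY_OWASP_2021 = 'OWASP 2021';

// OWASP 2021 grouping is only offered when BOTH the frontend feature flag
// and the Elasticsearch-backed ability are enabled.
function owasp2021Available(flags) {
  return Boolean(
    flags.vulnerabilityReportOwasp2021 && flags.accessAdvancedVulnerabilityManagement,
  );
}

// Picks the GraphQL identifier field for a grouping. Requesting the 2021
// field is what routes the query to Elasticsearch, so it must never be
// emitted when the grouping is not available.
function identifierFieldFor(groupBy, flags) {
  if (groupBy === GROUP_BY_OWASP_2021) {
    if (!owasp2021Available(flags)) {
      throw new Error('Group by OWASP 2021 is not enabled on this instance');
    }
    return 'owaspTopTen2021';
  }
  return 'owaspTopTen';
}

// Verification step: per severity, the "Non-OWASP Top 10" group must equal
// the top-bar total minus everything attributed to a Top 10 ID. A negative
// remainder means a vulnerability was counted in more than one group.
function expectedNonOwaspCounts(totalCounts, groupCounts) {
  const remainder = {};
  for (const [severity, total] of Object.entries(totalCounts)) {
    const tracked = groupCounts.reduce((sum, g) => sum + (g.counts[severity] || 0), 0);
    if (tracked > total) {
      throw new Error(`${severity}: grouped count ${tracked} exceeds total ${total}`);
    }
    remainder[severity] = total - tracked;
  }
  return remainder;
}

// Constructed sample mirroring the two severity-count queries.
const sampleTotals = { critical: 4, high: 7, medium: 3 };
const sampleGroups = [
  { id: 'A01:2021', counts: { critical: 1, high: 2, medium: 0 } },
  { id: 'A03:2021', counts: { critical: 2, high: 1, medium: 1 } },
];
const sampleNonOwasp = expectedNonOwaspCounts(sampleTotals, sampleGroups);
```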
Edited by Neil McCorrison