Merge branch 'sort-vulnerabilities-for-pipeline-dashboard' into 'master'

Sort vulnerabilities for pipeline dashboard

See merge request gitlab-org/gitlab!18863

changelogs/unreleased/sort-vulnerabilities-for-pipeline-dashboard.yml

+---
+title: Pipeline vulnerability dashboard sort vulnerabilities by severity then confidence
+merge_request: 18863
+author:
+type: fixed

ee/app/finders/security/pipeline_vulnerabilities_finder.rb

@@ -41,7 +41,7 @@ module Security
         occurrences.concat(filtered_occurrences)
       end
 
-      occurrences.sort_by { |x| [x.severity, x.confidence] }
+      occurrences.sort_by { |x| [-x.severity_value, -x.confidence_value] }
     end
 
     private

ee/app/models/vulnerabilities/occurrence.rb

@@ -221,6 +221,14 @@ module Vulnerabilities
       report_type.hash ^ location.hash ^ first_fingerprint.hash
     end
 
+    def severity_value
+      self.class.severities[self.severity]
+    end
+
+    def confidence_value
+      self.class.confidences[self.confidence]
+    end
+
     protected
 
     def first_fingerprint

ee/spec/finders/security/pipeline_vulnerabilities_finder_spec.rb

@@ -54,15 +54,24 @@ describe Security::PipelineVulnerabilitiesFinder do
 
     context 'by order' do
       let(:params) { { report_type: %w[sast] } }
-      let!(:occurrence1) { build(:vulnerabilities_occurrence, confidence: Vulnerabilities::Occurrence::CONFIDENCE_LEVELS[:high],   severity: Vulnerabilities::Occurrence::SEVERITY_LEVELS[:high]) }
-      let!(:occurrence2) { build(:vulnerabilities_occurrence, confidence: Vulnerabilities::Occurrence::CONFIDENCE_LEVELS[:medium], severity: Vulnerabilities::Occurrence::SEVERITY_LEVELS[:critical]) }
-      let!(:occurrence3) { build(:vulnerabilities_occurrence, confidence: Vulnerabilities::Occurrence::CONFIDENCE_LEVELS[:high],   severity: Vulnerabilities::Occurrence::SEVERITY_LEVELS[:critical]) }
-      let!(:res) { [occurrence3, occurrence2, occurrence1] }
+      let!(:high_high) { build(:vulnerabilities_occurrence, confidence: :high, severity: :high) }
+      let!(:critical_medium) { build(:vulnerabilities_occurrence, confidence: :medium, severity: :critical) }
+      let!(:critical_high) { build(:vulnerabilities_occurrence, confidence: :high, severity: :critical) }
+      let!(:unknown_high) { build(:vulnerabilities_occurrence, confidence: :high, severity: :unknown) }
+      let!(:unknown_medium) { build(:vulnerabilities_occurrence, confidence: :medium, severity: :unknown) }
+      let!(:unknown_low) { build(:vulnerabilities_occurrence, confidence: :low, severity: :unknown) }
 
       it 'orders by severity and confidence' do
-        allow_any_instance_of(described_class).to receive(:filter).and_return(res)
-
-        expect(subject).to eq([occurrence3, occurrence2, occurrence1])
+        allow_any_instance_of(described_class).to receive(:filter).and_return([
+               unknown_low,
+               unknown_medium,
+               critical_high,
+               unknown_high,
+               critical_medium,
+               high_high
+        ])
+
+        expect(subject).to eq([critical_high, critical_medium, high_high, unknown_high, unknown_medium, unknown_low])
       end
     end
 

ee/spec/support/shared_examples/requests/api/vulnerabilities_shared_examples.rb

@@ -127,7 +127,7 @@ shared_examples 'getting list of vulnerability findings' do
 
         # occurrences are implicitly sorted by Security::MergeReportsService,
         # occurrences order differs from what is present in fixture file
-        expect(json_response.first['name']).to eq 'Consider possible security implications associated with Popen module.'
+        expect(json_response.first['name']).to eq 'ECB mode is insecure'
       end
 
       it 'returns vulnerabilities with dependency_scanning report_type' do