Merge branch '280593-corpus-management-configuration' into 'master'

Add Corpus management to security configuration page

See merge request gitlab-org/gitlab!69302

app/assets/javascripts/security_configuration/components/constants.js

@@ -10,6 +10,7 @@ import {
   REPORT_TYPE_CONTAINER_SCANNING,
   REPORT_TYPE_CLUSTER_IMAGE_SCANNING,
   REPORT_TYPE_COVERAGE_FUZZING,
+  REPORT_TYPE_CORPUS_MANAGEMENT,
   REPORT_TYPE_API_FUZZING,
   REPORT_TYPE_LICENSE_COMPLIANCE,
 } from '~/vue_shared/security_reports/constants';
@@ -104,6 +105,12 @@ export const COVERAGE_FUZZING_CONFIG_HELP_PATH = helpPagePath(
   { anchor: 'configuration' },
 );
 
+export const CORPUS_MANAGEMENT_NAME = __('Corpus Management');
+export const CORPUS_MANAGEMENT_DESCRIPTION = s__(
+  'SecurityConfiguration|Manage corpus files used as mutation sources in coverage fuzzing.',
+);
+export const CORPUS_MANAGEMENT_CONFIG_TEXT = s__('SecurityConfiguration|Manage corpus');
+
 export const API_FUZZING_NAME = __('API Fuzzing');
 export const API_FUZZING_DESCRIPTION = __('Find bugs in your code with API fuzzing.');
 export const API_FUZZING_HELP_PATH = helpPagePath('user/application_security/api_fuzzing/index');
@@ -202,6 +209,14 @@ export const securityFeatures = [
     helpPath: COVERAGE_FUZZING_HELP_PATH,
     configurationHelpPath: COVERAGE_FUZZING_CONFIG_HELP_PATH,
     type: REPORT_TYPE_COVERAGE_FUZZING,
+    secondary: gon?.features?.corpusManagement
+      ? {
+          type: REPORT_TYPE_CORPUS_MANAGEMENT,
+          name: CORPUS_MANAGEMENT_NAME,
+          description: CORPUS_MANAGEMENT_DESCRIPTION,
+          configurationText: CORPUS_MANAGEMENT_CONFIG_TEXT,
+        }
+      : {},
   },
 ];
 

app/assets/javascripts/vue_shared/security_reports/constants.js

@@ -24,6 +24,7 @@ export const REPORT_TYPE_DEPENDENCY_SCANNING = 'dependency_scanning';
 export const REPORT_TYPE_CONTAINER_SCANNING = 'container_scanning';
 export const REPORT_TYPE_CLUSTER_IMAGE_SCANNING = 'cluster_image_scanning';
 export const REPORT_TYPE_COVERAGE_FUZZING = 'coverage_fuzzing';
+export const REPORT_TYPE_CORPUS_MANAGEMENT = 'corpus_management';
 export const REPORT_TYPE_LICENSE_COMPLIANCE = 'license_scanning';
 export const REPORT_TYPE_API_FUZZING = 'api_fuzzing';
 

ee/app/controllers/ee/projects/security/configuration_controller.rb

@@ -14,6 +14,7 @@ module EE
 
           before_action only: [:show] do
             push_frontend_feature_flag(:security_auto_fix, project, default_enabled: false)
+            push_frontend_feature_flag(:corpus_management, project, default_enabled: :yaml)
           end
 
           before_action only: [:auto_fix] do

ee/app/presenters/projects/security/configuration_presenter.rb

@@ -61,7 +61,8 @@ module Projects
           scan(scan_type, configured: scanner_enabled?(scan_type))
         end
 
-        # DAST On-demand scans is a static (non job) entry.  Add it manually.
+        # These scans are "fake" (non job) entries. Add them manually.
+        scans << scan(:corpus_management, configured: true)
         scans << scan(:dast_profiles, configured: true)
       end
 
@@ -93,7 +94,8 @@ module Projects
           sast: project_security_configuration_sast_path(project),
           dast: project_security_configuration_dast_path(project),
           dast_profiles: project_security_configuration_dast_scans_path(project),
-          api_fuzzing: project_security_configuration_api_fuzzing_path(project)
+          api_fuzzing: project_security_configuration_api_fuzzing_path(project),
+          corpus_management: (project_security_configuration_corpus_management_path(project) if ::Feature.enabled?(:corpus_management, project, default_enabled: :yaml) && scanner_enabled?(:coverage_fuzzing))
         }[type]
       end
 

ee/spec/controllers/projects/security/configuration_controller_spec.rb

@@ -62,7 +62,7 @@ RSpec.describe Projects::Security::ConfigurationController do
       it 'responds in json format when requested' do
         get :show, params: { namespace_id: project.namespace, project_id: project, format: :json }
 
-        types = %w(sast dast dast_profiles dependency_scanning container_scanning cluster_image_scanning secret_detection coverage_fuzzing license_scanning api_fuzzing)
+        types = %w(sast dast dast_profiles dependency_scanning container_scanning cluster_image_scanning secret_detection coverage_fuzzing license_scanning api_fuzzing corpus_management)
 
         expect(response).to have_gitlab_http_status(:ok)
         expect(json_response['features'].map { |f| f['type'] }).to match_array(types)
@@ -188,6 +188,7 @@ RSpec.describe Projects::Security::ConfigurationController do
 
       before do
         stub_feature_flags(security_auto_fix: false)
+        stub_feature_flags(corpus_management: false)
 
         request
       end

ee/spec/presenters/projects/security/configuration_presenter_spec.rb

@@ -90,7 +90,68 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
           security_scan(:secret_detection, configured: true),
           security_scan(:coverage_fuzzing, configured: false),
           security_scan(:api_fuzzing, configured: false),
-          security_scan(:dast_profiles, configured: true)
+          security_scan(:dast_profiles, configured: true),
+          security_scan(:corpus_management, configured: true)
+        )
+      end
+    end
+
+    context "when coverage fuzzing has run in a pipeline with feature flag off" do
+      before do
+        stub_feature_flags(corpus_management: false)
+        pipeline = create(
+          :ci_pipeline,
+          :auto_devops_source,
+          project: project,
+          ref: project.default_branch,
+          sha: project.commit.sha
+        )
+        create(:ci_build, :coverage_fuzzing, pipeline: pipeline, status: 'success')
+      end
+
+      it 'reports that coverage fuzzing, corpus management, and DAST are configured' do
+        expect(Gitlab::Json.parse(subject[:features])).to contain_exactly(
+          security_scan(:dast, configured: false),
+          security_scan(:sast, configured: false),
+          security_scan(:container_scanning, configured: false),
+          security_scan(:cluster_image_scanning, configured: false),
+          security_scan(:dependency_scanning, configured: false),
+          security_scan(:license_scanning, configured: false),
+          security_scan(:secret_detection, configured: false),
+          security_scan(:coverage_fuzzing, configured: true),
+          security_scan(:api_fuzzing, configured: false),
+          security_scan(:dast_profiles, configured: true),
+          security_scan(:corpus_management, configured: true)
+        )
+      end
+    end
+
+    context "when coverage fuzzing has run in a pipeline with feature flag on" do
+      before do
+        stub_feature_flags(corpus_management: true)
+        pipeline = create(
+          :ci_pipeline,
+          :auto_devops_source,
+          project: project,
+          ref: project.default_branch,
+          sha: project.commit.sha
+        )
+        create(:ci_build, :coverage_fuzzing, pipeline: pipeline, status: 'success')
+      end
+
+      it 'reports that coverage fuzzing, corpus management, and DAST are configured' do
+        expect(Gitlab::Json.parse(subject[:features])).to contain_exactly(
+          security_scan(:dast, configured: false),
+          security_scan(:sast, configured: false),
+          security_scan(:container_scanning, configured: false),
+          security_scan(:cluster_image_scanning, configured: false),
+          security_scan(:dependency_scanning, configured: false),
+          security_scan(:license_scanning, configured: false),
+          security_scan(:secret_detection, configured: false),
+          security_scan(:coverage_fuzzing, configured: true),
+          security_scan(:api_fuzzing, configured: false),
+          security_scan(:dast_profiles, configured: true),
+          security_scan(:corpus_management, configured: true, configuration_path: project_security_configuration_corpus_management_path(project))
         )
       end
     end
@@ -115,7 +176,8 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
           security_scan(:secret_detection, configured: false),
           security_scan(:coverage_fuzzing, configured: false),
           security_scan(:api_fuzzing, configured: false),
-          security_scan(:dast_profiles, configured: true)
+          security_scan(:dast_profiles, configured: true),
+          security_scan(:corpus_management, configured: true)
         )
       end
     end
@@ -147,7 +209,8 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
           security_scan(:license_scanning, configured: false),
           security_scan(:secret_detection, configured: true),
           security_scan(:coverage_fuzzing, configured: false),
-          security_scan(:api_fuzzing, configured: false)
+          security_scan(:api_fuzzing, configured: false),
+          security_scan(:corpus_management, configured: true)
         )
       end
 
@@ -171,7 +234,8 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
           security_scan(:license_scanning, configured: false),
           security_scan(:secret_detection, configured: false),
           security_scan(:coverage_fuzzing, configured: false),
-          security_scan(:api_fuzzing, configured: false)
+          security_scan(:api_fuzzing, configured: false),
+          security_scan(:corpus_management, configured: true)
         )
       end
 
@@ -188,7 +252,8 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
           security_scan(:license_scanning, configured: true),
           security_scan(:secret_detection, configured: true),
           security_scan(:coverage_fuzzing, configured: false),
-          security_scan(:api_fuzzing, configured: false)
+          security_scan(:api_fuzzing, configured: false),
+          security_scan(:corpus_management, configured: true)
         )
       end
 
@@ -241,13 +306,13 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
     end
   end
 
-  def security_scan(type, configured:)
-    configuration_path = configuration_path(type)
+  def security_scan(type, configured:, configuration_path: nil)
+    path = configuration_path || configuration_path(type)
 
     {
       "type" => type.to_s,
       "configured" => configured,
-      "configuration_path" => configuration_path,
+      "configuration_path" => path,
       "available" => licensed_scan_types.include?(type)
     }
   end
@@ -257,7 +322,8 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
       dast: project_security_configuration_dast_path(project),
       dast_profiles: project_security_configuration_dast_scans_path(project),
       sast: project_security_configuration_sast_path(project),
-      api_fuzzing: project_security_configuration_api_fuzzing_path(project)
+      api_fuzzing: project_security_configuration_api_fuzzing_path(project),
+      corpus_management: nil
     }[type]
   end
 

locale/gitlab.pot

@@ -9240,6 +9240,9 @@ msgstr ""
 msgid "Copy value"
 msgstr ""
 
+msgid "Corpus Management"
+msgstr ""
+
 msgid "Corpus Management|Are you sure you want to delete the corpus?"
 msgstr ""
 
@@ -29782,6 +29785,12 @@ msgstr ""
 msgid "SecurityConfiguration|Immediately begin risk analysis and remediation with application security features. Start with SAST and Secret Detection, available to all plans. Upgrade to Ultimate to get all features, including:"
 msgstr ""
 
+msgid "SecurityConfiguration|Manage corpus"
+msgstr ""
+
+msgid "SecurityConfiguration|Manage corpus files used as mutation sources in coverage fuzzing."
+msgstr ""
+
 msgid "SecurityConfiguration|Manage profiles for use by DAST scans."
 msgstr ""
 

spec/factories/ci/builds.rb

@@ -534,6 +534,14 @@ FactoryBot.define do
       end
     end
 
+    trait :coverage_fuzzing do
+      options do
+        {
+          artifacts: { reports: { coverage_fuzzing: 'gl-coverage-fuzzing-report.json' } }
+        }
+      end
+    end
+
     trait :license_scanning do
       options do
         {