Merge branch 'expose-scan-object' into 'master'

Expose scan object in unsaved findings See merge request gitlab-org/gitlab!44274

Merge branch 'expose-scan-object' into 'master'
Expose scan object in unsaved findings See merge request gitlab-org/gitlab!44274
12b4fdb1 · Imre Farkas · 9adada17 · 52b589e9 · 12b4fdb1 · 12b4fdb1
Commit 12b4fdb1 authored Oct 07, 2020 by Imre Farkas
12 changed files
--- a/ee/app/controllers/projects/vulnerability_feedback_controller.rb
+++ b/ee/app/controllers/projects/vulnerability_feedback_controller.rb
@@ -163,6 +163,17 @@ class Projects::VulnerabilityFeedbackController < Projects::ApplicationControlle
      ],
      remediations: %i[
        diff
+      ],
+      scanner: %i[
+        external_id
+        name
+        vendor
+      ],
+      scan: %i[
+        type
+        status
+        start_time
+        end_time
      ]
    ]
  end

--- a/ee/app/models/vulnerabilities/finding.rb
+++ b/ee/app/models/vulnerabilities/finding.rb
@@ -29,6 +29,7 @@ module Vulnerabilities
    has_many :pipelines, through: :finding_pipelines, class_name: 'Ci::Pipeline'

    attr_writer :sha
+    attr_accessor :scan

    CONFIDENCE_LEVELS = {
      # undefined: 0, no longer applicable

--- a/ee/app/serializers/vulnerabilities/finding_entity.rb
+++ b/ee/app/serializers/vulnerabilities/finding_entity.rb
@@ -34,6 +34,7 @@ class Vulnerabilities::FindingEntity < Grape::Entity
  end

  expose :state
+  expose :scan

  expose :blob_path do |occurrence|
    occurrence.present.blob_path

--- a/ee/changelogs/unreleased/expose-scan-object.yml
+++ b/ee/changelogs/unreleased/expose-scan-object.yml
+---
+title: Expose scan object in unsaved findings
+merge_request: 44274
+author:
+type: other
--- a/ee/lib/gitlab/ci/reports/security/finding.rb
+++ b/ee/lib/gitlab/ci/reports/security/finding.rb
@@ -53,6 +53,7 @@ module Gitlab
              raw_metadata
              report_type
              scanner
+              scan
              severity
              uuid
            ].each_with_object({}) do |key, hash|

--- a/ee/lib/gitlab/vulnerabilities/base_vulnerability.rb
+++ b/ee/lib/gitlab/vulnerabilities/base_vulnerability.rb
@@ -18,6 +18,8 @@ module Gitlab
        links
        remediations
        target_branch
+        scanner
+        scan
      ].each { |method_name| define_method(method_name) { @data[method_name] } }

      # Ensure mandatory properties are defined

--- a/ee/spec/controllers/projects/vulnerability_feedback_controller_spec.rb
+++ b/ee/spec/controllers/projects/vulnerability_feedback_controller_spec.rb
@@ -136,7 +136,18 @@ RSpec.describe Projects::VulnerabilityFeedbackController do
          links: [{
            name: 'Awesome-security blog post',
            url: 'https;//example.com/blog-post'
-          }]
+          }],
+          scanner: {
+            external_id: 'bundler-audit',
+            name: 'bunlder audit',
+            vendor: 'bundler audit'
+          },
+          scan: {
+            type: 'dependency_scanning',
+            status: 'success',
+            start_time: 'placeholder',
+            end_time: 'placeholder'
+          }
        }
      }
    end

--- a/ee/spec/fixtures/api/schemas/vulnerabilities/finding.json
+++ b/ee/spec/fixtures/api/schemas/vulnerabilities/finding.json
@@ -7,6 +7,7 @@
    "severity",
    "report_type",
    "scanner",
+    "scan",
    "project"
  ],
  "properties" : {
@@ -31,6 +32,13 @@
      "external_id" : { "type": "string" },
      "name" : { "type": "string" }
    },
+    "scan" : {
+      "end_time": { "type": "string" },
+      "messages": { "type": "string" },
+      "start_time": { "type": "string" },
+      "status": { "type": "string" },
+      "type": { "type": "string" }
+    },
    "project" : {
      "required" : [
        "id",

--- a/ee/spec/lib/gitlab/ci/reports/security/finding_spec.rb
+++ b/ee/spec/lib/gitlab/ci/reports/security/finding_spec.rb
@@ -91,6 +91,7 @@ RSpec.describe Gitlab::Ci::Reports::Security::Finding do
        raw_metadata: occurrence.raw_metadata,
        report_type: occurrence.report_type,
        scanner: occurrence.scanner,
+        scan: occurrence.scan,
        severity: occurrence.severity,
        uuid: occurrence.uuid
      })

--- a/ee/spec/lib/gitlab/vulnerabilities/base_vulnerability_spec.rb
+++ b/ee/spec/lib/gitlab/vulnerabilities/base_vulnerability_spec.rb
@@ -19,7 +19,9 @@ RSpec.describe Gitlab::Vulnerabilities::BaseVulnerability do
      ],
      links: [{ name: 'Awesome-security blog post', url: 'https;//example.com/blog-post' }],
      location: { file: 'main.rb', start_line: 14, blob_path: '/bar/foo/main.rb#14' },
-      solution: 'upgrade dependencies'
+      solution: 'upgrade dependencies',
+      scanner: { external_id: 'gemnasium', name: 'Gemnasium' },
+      scan: { external_id: 'gemnasium', name: 'Gemnasium' }
    }
  end

@@ -34,7 +36,7 @@ RSpec.describe Gitlab::Vulnerabilities::BaseVulnerability do
  end

  describe 'getters' do
-    where(:getter) { %i[severity confidence solution identifiers links remediations target_branch] }
+    where(:getter) { %i[severity confidence solution identifiers links remediations target_branch scan scanner] }

    let(:with_nil) { described_class.new({}) }


--- a/ee/spec/requests/api/vulnerability_findings_spec.rb
+++ b/ee/spec/requests/api/vulnerability_findings_spec.rb
@@ -52,7 +52,6 @@ RSpec.describe API::VulnerabilityFindings do
        finding_count = (sast_report.findings.count + ds_report.findings.count - 1).to_s

        get api(project_vulnerability_findings_path, user), params: pagination
-
        expect(response).to have_gitlab_http_status(:ok)
        expect(response).to include_pagination_headers
        expect(response).to match_response_schema('vulnerabilities/finding_list', dir: 'ee')

--- a/ee/spec/serializers/vulnerabilities/finding_entity_spec.rb
+++ b/ee/spec/serializers/vulnerabilities/finding_entity_spec.rb
@@ -3,36 +3,37 @@
 require 'spec_helper'

 RSpec.describe Vulnerabilities::FindingEntity do
-  let_it_be(:user) { create(:user) }
-  let_it_be(:project) { create(:project) }
+  let_it_be(:user) { build(:user) }
+  let_it_be(:project) { build(:project) }

-  let(:scanner) do
-    create(:vulnerabilities_scanner, project: project)
-  end
+  let(:scanner) { build(:vulnerabilities_scanner, project: project) }
+
+  let(:scan) { build(:ci_reports_security_scan) }

  let(:identifiers) do
    [
-      create(:vulnerabilities_identifier),
-      create(:vulnerabilities_identifier)
+      build(:vulnerabilities_identifier),
+      build(:vulnerabilities_identifier)
    ]
  end

  let(:occurrence) do
-    create(
+    build(
      :vulnerabilities_occurrence,
      scanner: scanner,
+      scan: scan,
      project: project,
      identifiers: identifiers
    )
  end

-  let!(:dismiss_feedback) do
-    create(:vulnerability_feedback, :sast, :dismissal,
+  let(:dismiss_feedback) do
+    build(:vulnerability_feedback, :sast, :dismissal,
           project: project, project_fingerprint: occurrence.project_fingerprint)
  end

-  let!(:issue_feedback) do
-    create(:vulnerability_feedback, :sast, :issue,
+  let(:issue_feedback) do
+    build(:vulnerability_feedback, :sast, :issue,
           project: project, project_fingerprint: occurrence.project_fingerprint)
  end

@@ -56,6 +57,7 @@ RSpec.describe Vulnerabilities::FindingEntity do
      expect(subject).to include(:dismissal_feedback, :issue_feedback)
      expect(subject).to include(:description, :links, :location, :remediations, :solution, :evidence)
      expect(subject).to include(:blob_path, :request, :response)
+      expect(subject).to include(:scan)
    end

    context 'when not allowed to admin vulnerability feedback' do