Added E2E tests for DAST reports

Additionally added a DAST report to the fixture and revamped merge request test flow to wait for DAST.

Added E2E tests for DAST reports
Additionally added a DAST report to the fixture and revamped merge request test flow to wait for DAST.
12f11c83 · Aleksandr Soborov · Walmyr Lima e Silva Filho · d2750875 · 12f11c83 · 12f11c83
Commit 12f11c83 authored Sep 16, 2019 by Aleksandr Soborov Committed by Walmyr Lima e Silva Filho Sep 16, 2019
4 changed files
--- a/qa/qa/ee/fixtures/secure_premade_reports/.gitlab-ci.yml
+++ b/qa/qa/ee/fixtures/secure_premade_reports/.gitlab-ci.yml
 include:
  template: Dependency-Scanning.gitlab-ci.yml
  template: Container-Scanning.gitlab-ci.yml
+  template: SAST.gitlab-ci.yml
+  template: DAST.gitlab-ci.yml

 dependency_scanning:
  tags:
@@ -29,8 +31,20 @@ sast:
  tags:
    - qa
    - test
+  only: null # Template defaults to feature branches only
  script:
    - echo "Skipped"
  artifacts:
    reports:
      sast: gl-sast-report.json
+
+dast:
+  tags:
+    - qa
+    - test
+  only: null # Template defaults to feature branches only
+  script:
+    - echo "Skipped"
+  artifacts:
+    reports:
+      dast: gl-dast-report.json
--- a/qa/qa/ee/fixtures/secure_premade_reports/gl-dast-report.json
+++ b/qa/qa/ee/fixtures/secure_premade_reports/gl-dast-report.json
--- a/qa/qa/specs/features/ee/browser_ui/secure/create_merge_request_with_secure_spec.rb
+++ b/qa/qa/specs/features/ee/browser_ui/secure/create_merge_request_with_secure_spec.rb
@@ -5,7 +5,7 @@ require 'pathname'
 module QA
  context 'Secure', :docker do
    describe 'Security Reports in a Merge Request' do
-      let(:total_vuln_count) { 45 }
+      let(:total_vuln_count) { 49 }

      after do
        Service::Runner.new(@executor).remove!
@@ -39,8 +39,7 @@ module QA
          push.branch_name = 'secure-mr'
        end

-        # Fabricate via browser UI to avoid independent navigation
-        Resource::MergeRequest.fabricate_via_browser_ui! do |mr|
+        merge_request = Resource::MergeRequest.fabricate_via_api! do |mr|
          mr.project = @project
          mr.source_branch = 'secure-mr'
          mr.target_branch = 'master'
@@ -48,6 +47,13 @@ module QA
          mr.target = 'master'
          mr.target_new_branch = false
        end
+
+        @project.visit!
+        Page::Project::Menu.perform(&:click_ci_cd_pipelines)
+        Page::Project::Pipeline::Index.perform(&:click_on_latest_pipeline)
+        wait_for_job "dast"
+
+        merge_request.visit!
      end

      it 'displays the Security report in the merge request' do
@@ -66,6 +72,15 @@ module QA
          expect(mergerequest).to have_title vuln_name
        end
      end
+
+      def wait_for_job(job_name)
+        Page::Project::Pipeline::Show.perform do |pipeline|
+          pipeline.click_job(job_name)
+        end
+        Page::Project::Job::Show.perform do |job|
+          expect(job).to be_successful(timeout: 600)
+        end
+      end
    end
  end
 end
--- a/qa/qa/specs/features/ee/browser_ui/secure/security_reports_spec.rb
+++ b/qa/qa/specs/features/ee/browser_ui/secure/security_reports_spec.rb
@@ -5,13 +5,15 @@ require 'pathname'
 module QA
  context 'Secure', :docker do
    let(:number_of_dependencies_in_fixture) { 1309 }
-    let(:total_vuln_count) { 12 }
+    let(:total_vuln_count) { 52 }
    let(:dependency_scan_vuln_count) { 4 }
    let(:dependency_scan_example_vuln) { 'jQuery before 3.4.0' }
    let(:container_scan_vuln_count) { 8 }
    let(:container_scan_example_vuln) { 'CVE-2017-18269 in glibc' }
    let(:sast_scan_vuln_count) { 33 }
    let(:sast_scan_example_vuln) { 'Cipher with no integrity' }
+    let(:dast_scan_vuln_count) { 7 }
+    let(:dast_scan_example_vuln) { 'Cookie Without SameSite Attribute' }

    describe 'Security Reports' do
      after do
@@ -47,7 +49,7 @@ module QA
        Page::Project::Menu.perform(&:click_ci_cd_pipelines)
        Page::Project::Pipeline::Index.perform(&:click_on_latest_pipeline)

-        wait_for_job "dependency_scanning"
+        wait_for_job "dast"
      end

      it 'displays security reports in the pipeline' do
@@ -57,6 +59,8 @@ module QA
        Page::Project::Pipeline::Show.perform do |pipeline|
          pipeline.click_on_security

+          expect(pipeline).to have_vulnerability_count_of total_vuln_count
+
          filter_report_and_perform(pipeline, "Dependency Scanning") do
            expect(pipeline).to have_vulnerability_count_of dependency_scan_vuln_count
            expect(pipeline).to have_content dependency_scan_example_vuln
@@ -71,6 +75,11 @@ module QA
            expect(pipeline).to have_vulnerability_count_of sast_scan_vuln_count
            expect(pipeline).to have_content sast_scan_example_vuln
          end
+
+          filter_report_and_perform(pipeline, "DAST") do
+            expect(pipeline).to have_vulnerability_count_of dast_scan_vuln_count
+            expect(pipeline).to have_content dast_scan_example_vuln
+          end
        end
      end

@@ -90,6 +99,10 @@ module QA
          filter_report_and_perform(dashboard, "SAST") do
            expect(dashboard).to have_low_vulnerability_count_of 17
          end
+
+          filter_report_and_perform(dashboard, "DAST") do
+            expect(dashboard).to have_low_vulnerability_count_of 6
+          end
        end
      end

@@ -114,6 +127,10 @@ module QA
          filter_report_and_perform(dashboard, "SAST") do
            expect(dashboard).to have_content sast_scan_example_vuln
          end
+
+          filter_report_and_perform(dashboard, "DAST") do
+            expect(dashboard).to have_content dast_scan_example_vuln
+          end
        end
      end