Merge branch 'enable_dependency_scanning_ui_spec' into 'master'

Add an End to End test to configure Dependency Scanning from UI

See merge request gitlab-org/gitlab!70511

app/assets/javascripts/security_configuration/components/feature_card.vue

@@ -128,6 +128,7 @@ export default {
         variant="confirm"
         category="primary"
         class="gl-mt-5"
+        :data-qa-selector="`${feature.type}_mr_button`"
       />
 
       <gl-button

app/assets/javascripts/vue_shared/security_configuration/components/manage_via_mr.vue

@@ -100,6 +100,7 @@ export default {
     :loading="isLoading"
     :variant="variant"
     :category="category"
+    :data-qa-selector="`${feature.type}_mr_button`"
     @click="mutate"
     >{{ $options.i18n.buttonLabel }}</gl-button
   >

qa/qa/ee/fixtures/secure_sast_enable_from_ui_files/.gitlab-ci.yml → qa/qa/ee/fixtures/secure_scanning_enable_from_ui_files/.gitlab-ci.yml

@@ -2,15 +2,20 @@ include:
   template: License-Scanning.gitlab-ci.yml
 
 .sast-analyzer:
-  tags: [secure_sast]
   script:
     - echo "Skipped"
   artifacts:
     reports:
       sast: gl-sast-report.json
 
+.ds-analyzer:
+  script:
+    - echo "Skipped"
+  artifacts:
+    reports:
+      dependency_scanning: gl-dependency-scanning-report.json
+
 license_scanning:
-  tags: [secure_sast]
   script:
     - echo "Skipped"
   artifacts:

qa/qa/page/merge_request/new.rb

@@ -20,6 +20,13 @@ module QA
           element :file_name_content
         end
 
+        def has_secure_description?(scanner_name)
+          scanner_url_name = scanner_name.downcase.tr('_', '-')
+          "Configure #{scanner_name} in `.gitlab-ci.yml` using the GitLab managed template. You can " \
+            "[add variable overrides](https://docs.gitlab.com/ee/user/application_security/#{scanner_url_name}/#customizing-the-#{scanner_url_name}-settings) " \
+            "to customize #{scanner_name} settings."
+        end
+
         def create_merge_request
           click_element(:issuable_create_button, Page::MergeRequest::Show)
         end

qa/qa/page/merge_request/show.rb

@@ -288,13 +288,11 @@ module QA
         end
 
         def merge_immediately!
-          merge_moment_dropdown_found = has_element?(:merge_moment_dropdown, wait: 0)
-
-          if merge_moment_dropdown_found
-            click_element(:merge_moment_dropdown)
-            click_element(:merge_immediately_menu_item)
+          if has_element?(:merge_moment_dropdown)
+            click_element(:merge_moment_dropdown, skip_finished_loading_check: true)
+            click_element(:merge_immediately_menu_item, skip_finished_loading_check: true)
           else
-            click_element(:merge_button)
+            click_element(:merge_button, skip_finished_loading_check: true)
           end
         end
 

qa/qa/page/project/secure/configuration_form.rb

@@ -9,19 +9,31 @@ module QA
           include QA::Page::Settings::Common
 
           view 'app/assets/javascripts/security_configuration/components/feature_card.vue' do
+            element :dependency_scanning_status, "`${feature.type}_status`" # rubocop:disable QA/ElementWithPattern
             element :sast_status, "`${feature.type}_status`" # rubocop:disable QA/ElementWithPattern
             element :sast_enable_button, "`${feature.type}_enable_button`" # rubocop:disable QA/ElementWithPattern
+            element :dependency_scanning_mr_button, "`${feature.type}_mr_button`" # rubocop:disable QA/ElementWithPattern
           end
 
           def click_sast_enable_button
             click_element(:sast_enable_button)
           end
 
+          def click_dependency_scanning_mr_button
+            click_element(:dependency_scanning_mr_button)
+          end
+
           def has_sast_status?(status_text)
             within_element(:sast_status) do
               has_text?(status_text)
             end
           end
+
+          def has_dependency_scanning_status?(status_text)
+            within_element(:dependency_scanning_status) do
+              has_text?(status_text)
+            end
+          end
         end
       end
     end

qa/qa/specs/features/ee/browser_ui/secure/enable_sast_from_configuration_spec.rb

-# frozen_string_literal: true
-
-module QA
-  RSpec.describe 'Secure', :runner do
-    describe 'Enable SAST from UI' do
-      let(:merge_request_description) do
-        <<~DESCRIPTION.tr("\n", ' ').strip
-          Configure SAST in `.gitlab-ci.yml` using the GitLab managed template. You can
-          [add variable overrides](https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings)
-          to customize SAST settings.
-        DESCRIPTION
-      end
-
-      let(:test_data_string_fields_array) do
-        [
-          %w(SECURE_ANALYZERS_PREFIX registry.example.com),
-          %w(SAST_EXCLUDED_PATHS foo,\ bar),
-          %w(SAST_BANDIT_EXCLUDED_PATHS exclude_path_a,\ exclude_path_b)
-        ]
-      end
-
-      let(:test_data_int_fields_array) do
-        [
-          %w(SEARCH_MAX_DEPTH 42),
-          %w(SAST_BRAKEMAN_LEVEL 43),
-          %w(SAST_GOSEC_LEVEL 7)
-        ]
-      end
-
-      let(:test_data_checkbox_exclude_array) do
-        %w(eslint kubesec nodejs-scan phpcs-security-audit)
-      end
-
-      let(:test_stage_name) do
-        'test_all_the_things'
-      end
-
-      let(:project) do
-        Resource::Project.fabricate_via_api! do |project|
-          project.name = 'project-with-secure'
-          project.description = 'Project with Secure'
-        end
-      end
-
-      let!(:runner) do
-        Resource::Runner.fabricate! do |runner|
-          runner.project = project
-          runner.name = "runner-for-#{project.name}"
-          runner.tags = ['secure_sast']
-        end
-      end
-
-      after do
-        runner&.remove_via_api!
-      end
-
-      before do
-        # Push fixture to generate Secure reports
-        Resource::Repository::ProjectPush.fabricate! do |project_push|
-          project_push.project = project
-          project_push.directory = Pathname
-                                       .new(__dir__)
-                                       .join('../../../../../ee/fixtures/secure_sast_enable_from_ui_files')
-          project_push.commit_message = 'Create Secure compatible application to serve premade reports'
-        end
-
-        Flow::Login.sign_in_unless_signed_in
-        project.visit!
-      end
-
-      it 'runs sast job when enabled from configuration', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/quality/test_cases/1835' do
-        Flow::Pipeline.visit_latest_pipeline
-
-        # Baseline that we do not initially have a sast job
-        Page::Project::Pipeline::Show.perform do |pipeline|
-          expect(pipeline).to have_no_job('brakeman-sast')
-        end
-        Page::Project::Menu.perform(&:click_on_security_configuration_link)
-
-        Page::Project::Secure::ConfigurationForm.perform do |config_form|
-          expect(config_form).to have_sast_status('Not enabled')
-
-          config_form.click_sast_enable_button
-          config_form.click_expand_button
-
-          test_data_string_fields_array.each do |test_data_string_array|
-            config_form.fill_dynamic_field(test_data_string_array.first, test_data_string_array[1])
-          end
-          test_data_int_fields_array.each do |test_data_int_array|
-            config_form.fill_dynamic_field(test_data_int_array.first, test_data_int_array[1])
-          end
-          test_data_checkbox_exclude_array.each do |test_data_checkbox|
-            config_form.unselect_dynamic_checkbox(test_data_checkbox)
-          end
-          config_form.fill_dynamic_field('stage', test_stage_name)
-
-          config_form.click_submit_button
-        end
-
-        Page::MergeRequest::New.perform do |new_merge_request|
-          expect(new_merge_request).to have_description(merge_request_description)
-
-          new_merge_request.click_diffs_tab
-
-          aggregate_failures "test Merge Request contents" do
-            expect(new_merge_request).to have_file('.gitlab-ci.yml')
-            test_data_string_fields_array.each do |test_data_string_array|
-              expect(new_merge_request).to have_content("#{test_data_string_array.first}: #{test_data_string_array[1]}")
-            end
-            test_data_int_fields_array.each do |test_data_int_array|
-              expect(new_merge_request).to have_content("#{test_data_int_array.first}: '#{test_data_int_array[1]}'")
-            end
-            expect(new_merge_request).to have_content("stages: - test - #{test_stage_name}")
-            expect(new_merge_request).to have_content("SAST_EXCLUDED_ANALYZERS: #{test_data_checkbox_exclude_array.join(', ')}")
-          end
-
-          new_merge_request.create_merge_request
-        end
-
-        Page::MergeRequest::Show.perform do |merge_request|
-          merge_request.merge_immediately!
-        end
-
-        Flow::Pipeline.visit_latest_pipeline
-
-        Page::Project::Pipeline::Show.perform do |pipeline|
-          expect(pipeline).to have_job('brakeman-sast')
-        end
-
-        Page::Project::Menu.perform(&:click_on_security_configuration_link)
-
-        Page::Project::Secure::ConfigurationForm.perform do |config_form|
-          aggregate_failures "test SAST status is Enabled" do
-            expect(config_form).to have_sast_status('Enabled')
-            expect(config_form).not_to have_sast_status('Not enabled')
-          end
-        end
-      end
-    end
-  end
-end

qa/qa/specs/features/ee/browser_ui/secure/enable_scanning_from_configuration_spec.rb

+# frozen_string_literal: true
+
+module QA
+  RSpec.describe 'Secure' do
+    context 'Enable Scanning from UI' do
+      let(:test_data_sast_string_fields_array) do
+        [
+          %w(SECURE_ANALYZERS_PREFIX registry.example.com),
+          %w(SAST_EXCLUDED_PATHS foo,\ bar),
+          %w(SAST_BANDIT_EXCLUDED_PATHS exclude_path_a,\ exclude_path_b)
+        ]
+      end
+
+      let(:test_data_int_fields_array) do
+        [
+          %w(SEARCH_MAX_DEPTH 42),
+          %w(SAST_BRAKEMAN_LEVEL 43),
+          %w(SAST_GOSEC_LEVEL 7)
+        ]
+      end
+
+      let(:test_data_checkbox_exclude_array) do
+        %w(eslint kubesec nodejs-scan phpcs-security-audit)
+      end
+
+      let(:test_stage_name) do
+        'test_all_the_things'
+      end
+
+      let(:project) do
+        Resource::Project.fabricate_via_api! do |project|
+          project.name = 'project-with-secure'
+          project.description = 'Project with Secure'
+        end
+      end
+
+      before do
+        Resource::Repository::ProjectPush.fabricate! do |project_push|
+          project_push.project = project
+          project_push.directory = Pathname
+                                       .new(__dir__)
+                                       .join('../../../../../ee/fixtures/secure_scanning_enable_from_ui_files')
+          project_push.commit_message = 'Create Secure compatible application to serve premade reports'
+        end
+
+        Flow::Login.sign_in_unless_signed_in
+        project.visit!
+      end
+
+      after do
+        project.remove_via_api! if project
+      end
+
+      describe 'enable dependency scanning from configuration' do
+        it 'runs dependency scanning job when enabled from configuration', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/quality/test_cases/2261' do
+          Flow::Pipeline.visit_latest_pipeline
+
+          # Baseline that we do not initially have a Dependency Scanning job
+          Page::Project::Pipeline::Show.perform do |pipeline|
+            aggregate_failures "test Dependency Scanning jobs are not present in pipeline" do
+              expect(pipeline).to have_no_job('gemnasium-dependency_scanning')
+              expect(pipeline).to have_no_job('bundler-audit-dependency_scanning')
+            end
+          end
+
+          Page::Project::Menu.perform(&:click_on_security_configuration_link)
+
+          Page::Project::Secure::ConfigurationForm.perform do |config_form|
+            expect(config_form).to have_dependency_scanning_status('Not enabled')
+
+            config_form.click_dependency_scanning_mr_button
+          end
+
+          Page::MergeRequest::New.perform do |new_merge_request|
+            expect(new_merge_request).to have_secure_description('Dependency Scanning')
+            new_merge_request.create_merge_request
+          end
+
+          Page::MergeRequest::Show.perform do |merge_request|
+            merge_request.merge_immediately!
+          end
+
+          Flow::Pipeline.visit_latest_pipeline
+
+          Page::Project::Pipeline::Show.perform do |pipeline|
+            aggregate_failures "test Dependency Scanning jobs are present in pipeline" do
+              expect(pipeline).to have_job('gemnasium-dependency_scanning')
+              expect(pipeline).to have_job('bundler-audit-dependency_scanning')
+            end
+          end
+
+          Page::Project::Menu.perform(&:click_on_security_configuration_link)
+
+          Page::Project::Secure::ConfigurationForm.perform do |config_form|
+            aggregate_failures "test Dependency Scanning status is Enabled" do
+              expect(config_form).to have_dependency_scanning_status('Enabled')
+              expect(config_form).not_to have_dependency_scanning_status('Not enabled')
+            end
+          end
+        end
+      end
+
+      describe 'enable sast from configuration' do
+        it 'runs sast job when enabled from configuration', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/quality/test_cases/1835' do
+          Flow::Pipeline.visit_latest_pipeline
+
+          # Baseline that we do not initially have a sast job
+          Page::Project::Pipeline::Show.perform do |pipeline|
+            expect(pipeline).to have_no_job('brakeman-sast')
+          end
+
+          Page::Project::Menu.perform(&:click_on_security_configuration_link)
+
+          Page::Project::Secure::ConfigurationForm.perform do |config_form|
+            expect(config_form).to have_sast_status('Not enabled')
+
+            config_form.click_sast_enable_button
+            config_form.click_expand_button
+
+            test_data_sast_string_fields_array.each do |test_data_string_array|
+              config_form.fill_dynamic_field(test_data_string_array.first, test_data_string_array[1])
+            end
+            test_data_int_fields_array.each do |test_data_int_array|
+              config_form.fill_dynamic_field(test_data_int_array.first, test_data_int_array[1])
+            end
+            test_data_checkbox_exclude_array.each do |test_data_checkbox|
+              config_form.unselect_dynamic_checkbox(test_data_checkbox)
+            end
+            config_form.fill_dynamic_field('stage', test_stage_name)
+
+            config_form.click_submit_button
+          end
+
+          Page::MergeRequest::New.perform do |new_merge_request|
+            expect(new_merge_request).to have_secure_description('SAST')
+
+            new_merge_request.click_diffs_tab
+
+            aggregate_failures "test Merge Request contents" do
+              expect(new_merge_request).to have_file('.gitlab-ci.yml')
+              test_data_sast_string_fields_array.each do |test_data_string_array|
+                expect(new_merge_request).to have_content("#{test_data_string_array.first}: #{test_data_string_array[1]}")
+              end
+              test_data_int_fields_array.each do |test_data_int_array|
+                expect(new_merge_request).to have_content("#{test_data_int_array.first}: '#{test_data_int_array[1]}'")
+              end
+              expect(new_merge_request).to have_content("stage: #{test_stage_name}")
+              expect(new_merge_request).to have_content("SAST_EXCLUDED_ANALYZERS: #{test_data_checkbox_exclude_array.join(', ')}")
+            end
+
+            new_merge_request.create_merge_request
+          end
+
+          Page::MergeRequest::Show.perform do |merge_request|
+            merge_request.merge_immediately!
+          end
+
+          Flow::Pipeline.visit_latest_pipeline
+
+          Page::Project::Pipeline::Show.perform do |pipeline|
+            expect(pipeline).to have_job('brakeman-sast')
+          end
+
+          Page::Project::Menu.perform(&:click_on_security_configuration_link)
+
+          Page::Project::Secure::ConfigurationForm.perform do |config_form|
+            aggregate_failures "test SAST status is Enabled" do
+              expect(config_form).to have_sast_status('Enabled')
+              expect(config_form).not_to have_sast_status('Not enabled')
+            end
+          end
+        end
+      end
+    end
+  end
+end