Add vulnerabilities to Dependencies API

Vulnerabilities are available under a granulal access: if user has developer access, they get vulnerabilities in response.

Add vulnerabilities to Dependencies API
Vulnerabilities are available under a granulal access: if user has developer access, they get vulnerabilities in response.
1928c5be · Tetiana Chupryna · Rémy Coutable · 02bb5c14 · 1928c5be · 1928c5be
Commit 1928c5be authored Aug 22, 2019 by Tetiana Chupryna Committed by Rémy Coutable Aug 22, 2019
5 changed files
--- a/ee/changelogs/unreleased/12713-vulnerabilities-to-dl-api.yml
+++ b/ee/changelogs/unreleased/12713-vulnerabilities-to-dl-api.yml
+---
+title: Add vulnerabilities to Dependencies API
+merge_request: 15485
+author:
+type: added
--- a/ee/lib/api/dependencies.rb
+++ b/ee/lib/api/dependencies.rb
@@ -37,7 +37,7 @@ module API

        dependencies = dependencies_by(declared_params.merge(project: user_project))

-        present dependencies, with: ::EE::API::Entities::Dependency
+        present dependencies, with: ::EE::API::Entities::Dependency, user: current_user, project: user_project
      end
    end
  end

--- a/ee/lib/ee/api/entities.rb
+++ b/ee/lib/ee/api/entities.rb
@@ -739,10 +739,21 @@ module EE
      end

      class Dependency < Grape::Entity
+        class Vulnerability < Grape::Entity
+          expose :name, :severity
+        end
+
        expose :name, :version, :package_manager, :dependency_file_path
        expose :dependency_file_path do |dependency|
          dependency[:location][:path]
        end
+        expose :vulnerabilities, using: Vulnerability, if: ->(_, opts) { can_read_vulnerabilities?(opts[:user], opts[:project]) }
+
+        private
+
+        def can_read_vulnerabilities?(user, project)
+          Ability.allowed?(user, :read_project_security_dashboard, project)
+        end
      end
    end
  end

--- a/ee/spec/fixtures/api/schemas/public_api/v4/dependencies.json
+++ b/ee/spec/fixtures/api/schemas/public_api/v4/dependencies.json
@@ -20,6 +20,17 @@
      },
      "dependency_file_path": {
        "type": "string"
+      },
+      "vulnerabilities": {
+        "type": "array",
+        "properties": {
+          "name": {
+            "type": "string"
+          },
+          "severity": {
+            "type": "string"
+          }
+        }
      }
    }
  }

--- a/ee/spec/requests/api/dependencies_spec.rb
+++ b/ee/spec/requests/api/dependencies_spec.rb
@@ -17,6 +17,7 @@ describe API::Dependencies do
    context 'with an authorized user with proper permissions' do
      before do
        create(:ee_ci_pipeline, :with_dependency_list_report, project: project)
+        project.add_developer(user)
        request
      end

@@ -27,6 +28,13 @@ describe API::Dependencies do
        expect(json_response.length).to eq(21)
      end

+      it 'returns vulnerabilities info' do
+        vulnerability = json_response.select { |dep| dep['name'] == 'debug' }[0]['vulnerabilities'][0]
+
+        expect(vulnerability['name']).to eq('Regular Expression Denial of Service in debug')
+        expect(vulnerability['severity']).to eq('unknown')
+      end
+
      context 'with filter options' do
        let(:params) { { package_manager: 'yarn' } }

@@ -44,6 +52,17 @@ describe API::Dependencies do
      end
    end

+    context 'without permissions to see vulnerabilities' do
+      before do
+        create(:ee_ci_pipeline, :with_dependency_list_report, project: project)
+        request
+      end
+
+      it 'returns empty vulnerabilities' do
+        expect(json_response.first['vulnerabilities']).to be_nil
+      end
+    end
+
    context 'with authorized user without read permissions' do
      let(:project) { create(:project, :private) }