Commit 1928c5be authored by Tetiana Chupryna's avatar Tetiana Chupryna Committed by Rémy Coutable

Add vulnerabilities to Dependencies API

Vulnerabilities are available under granular access:
if the user has developer access, they get vulnerabilities in the response.
parent 02bb5c14
---
title: Add vulnerabilities to Dependencies API
merge_request: 15485
author:
type: added
...@@ -37,7 +37,7 @@ module API ...@@ -37,7 +37,7 @@ module API
dependencies = dependencies_by(declared_params.merge(project: user_project)) dependencies = dependencies_by(declared_params.merge(project: user_project))
present dependencies, with: ::EE::API::Entities::Dependency present dependencies, with: ::EE::API::Entities::Dependency, user: current_user, project: user_project
end end
end end
end end
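Review bot: The response shape of this endpoint now varies with the caller's permission level (the `vulnerabilities` key appears only for users allowed to read the project security dashboard), but nothing in the hunk records that for API consumers; the `desc` block for this endpoint sits above the hunk, so I cannot see whether it or the API docs were updated elsewhere in this change. I would add a one-line comment next to the `present` call, `# Entity options drive the permission-gated :vulnerabilities exposure in Entities::Dependency`, and make sure the endpoint documentation states that the key is omitted, not empty, for callers without that permission. The enclosing `get` block starts before the hunk.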
......
...@@ -739,10 +739,21 @@ module EE ...@@ -739,10 +739,21 @@ module EE
end end
class Dependency < Grape::Entity class Dependency < Grape::Entity
class Vulnerability < Grape::Entity
expose :name, :severity
end
expose :name, :version, :package_manager, :dependency_file_path expose :name, :version, :package_manager, :dependency_file_path
expose :dependency_file_path do |dependency| expose :dependency_file_path do |dependency|
dependency[:location][:path] dependency[:location][:path]
end end
expose :vulnerabilities, using: Vulnerability, if: ->(_, opts) { can_read_vulnerabilities?(opts[:user], opts[:project]) }
private
def can_read_vulnerabilities?(user, project)
Ability.allowed?(user, :read_project_security_dashboard, project)
end
end end
end end
end end
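Review bot: The `if:` lambda on the `:vulnerabilities` exposure calls the private `can_read_vulnerabilities?` helper, which only works because grape-entity evaluates the block via `instance_exec` on the entity; that is not obvious from reading the class and deserves a comment, e.g. `# Evaluated via instance_exec by grape-entity, so the private helper below is reachable; the key is omitted entirely for callers without :read_project_security_dashboard.` Note also that the check runs once per Dependency entity, so a list of N dependencies performs N `Ability.allowed?` calls; GitLab's policy layer presumably memoizes the result per user/subject, but if not, computing the decision once in the endpoint and passing it as an option would be cheaper. The `if:` lambda receives `opts[:user]` as `nil` for anonymous callers, which `Ability.allowed?` is expected to handle, though that is not visible here.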
......
...@@ -20,6 +20,17 @@ ...@@ -20,6 +20,17 @@
}, },
"dependency_file_path": { "dependency_file_path": {
"type": "string" "type": "string"
},
"vulnerabilities": {
"type": "array",
"properties": {
"name": {
"type": "string"
},
"severity": {
"type": "string"
}
}
} }
} }
} }
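Review bot: The new `vulnerabilities` schema declares `"type": "array"` with a `"properties"` key, but JSON Schema ignores `properties` on an array type, so this schema never validates the shape of the vulnerability objects; any array content would pass. The object keywords belong under `items`: `"items": { "type": "object", "properties": { "name": { "type": "string" }, "severity": { "type": "string" } } }`, optionally with `"required": ["name", "severity"]` so a regression that drops a field is caught. The spec in this change asserts the field values directly, which is why the gap is not visible in the test run.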
......
...@@ -17,6 +17,7 @@ describe API::Dependencies do ...@@ -17,6 +17,7 @@ describe API::Dependencies do
context 'with an authorized user with proper permissions' do context 'with an authorized user with proper permissions' do
before do before do
create(:ee_ci_pipeline, :with_dependency_list_report, project: project) create(:ee_ci_pipeline, :with_dependency_list_report, project: project)
project.add_developer(user)
request request
end end
...@@ -27,6 +28,13 @@ describe API::Dependencies do ...@@ -27,6 +28,13 @@ describe API::Dependencies do
expect(json_response.length).to eq(21) expect(json_response.length).to eq(21)
end end
it 'returns vulnerabilities info' do
vulnerability = json_response.select { |dep| dep['name'] == 'debug' }[0]['vulnerabilities'][0]
expect(vulnerability['name']).to eq('Regular Expression Denial of Service in debug')
expect(vulnerability['severity']).to eq('unknown')
end
context 'with filter options' do context 'with filter options' do
let(:params) { { package_manager: 'yarn' } } let(:params) { { package_manager: 'yarn' } }
...@@ -44,6 +52,17 @@ describe API::Dependencies do ...@@ -44,6 +52,17 @@ describe API::Dependencies do
end end
end end
context 'without permissions to see vulnerabilities' do
before do
create(:ee_ci_pipeline, :with_dependency_list_report, project: project)
request
end
it 'returns empty vulnerabilities' do
expect(json_response.first['vulnerabilities']).to be_nil
end
end
context 'with authorized user without read permissions' do context 'with authorized user without read permissions' do
let(:project) { create(:project, :private) } let(:project) { create(:project, :private) }
......