Commit 21781aad authored by rossfuhrman's avatar rossfuhrman Committed by Rémy Coutable

Backend work to comment on vulnerability dismissal

This change adds columns to the vulnerability_feedback table to support
adding a single plain-text comment for vulnerability feedback items and
specifically for commenting on dismissals of vulnerabilities.
It also adds support for submitting a comment when dismissing a
vulnerability as well as returning the comment-related attributes when
retrieving vulnerability_feedback records.
parent 19dbedda
...@@ -3316,7 +3316,11 @@ ActiveRecord::Schema.define(version: 20190426180107) do ...@@ -3316,7 +3316,11 @@ ActiveRecord::Schema.define(version: 20190426180107) do
t.integer "issue_id" t.integer "issue_id"
t.string "project_fingerprint", limit: 40, null: false t.string "project_fingerprint", limit: 40, null: false
t.integer "merge_request_id" t.integer "merge_request_id"
t.integer "comment_author_id"
t.text "comment"
t.datetime_with_timezone "comment_timestamp"
t.index ["author_id"], name: "index_vulnerability_feedback_on_author_id", using: :btree t.index ["author_id"], name: "index_vulnerability_feedback_on_author_id", using: :btree
t.index ["comment_author_id"], name: "index_vulnerability_feedback_on_comment_author_id", using: :btree
t.index ["issue_id"], name: "index_vulnerability_feedback_on_issue_id", using: :btree t.index ["issue_id"], name: "index_vulnerability_feedback_on_issue_id", using: :btree
t.index ["merge_request_id"], name: "index_vulnerability_feedback_on_merge_request_id", using: :btree t.index ["merge_request_id"], name: "index_vulnerability_feedback_on_merge_request_id", using: :btree
t.index ["pipeline_id"], name: "index_vulnerability_feedback_on_pipeline_id", using: :btree t.index ["pipeline_id"], name: "index_vulnerability_feedback_on_pipeline_id", using: :btree
...@@ -3755,6 +3759,7 @@ ActiveRecord::Schema.define(version: 20190426180107) do ...@@ -3755,6 +3759,7 @@ ActiveRecord::Schema.define(version: 20190426180107) do
add_foreign_key "vulnerability_feedback", "merge_requests", name: "fk_563ff1912e", on_delete: :nullify add_foreign_key "vulnerability_feedback", "merge_requests", name: "fk_563ff1912e", on_delete: :nullify
add_foreign_key "vulnerability_feedback", "projects", on_delete: :cascade add_foreign_key "vulnerability_feedback", "projects", on_delete: :cascade
add_foreign_key "vulnerability_feedback", "users", column: "author_id", on_delete: :cascade add_foreign_key "vulnerability_feedback", "users", column: "author_id", on_delete: :cascade
add_foreign_key "vulnerability_feedback", "users", column: "comment_author_id", name: "fk_94f7c8a81e", on_delete: :nullify
add_foreign_key "vulnerability_identifiers", "projects", on_delete: :cascade add_foreign_key "vulnerability_identifiers", "projects", on_delete: :cascade
add_foreign_key "vulnerability_occurrence_identifiers", "vulnerability_identifiers", column: "identifier_id", on_delete: :cascade add_foreign_key "vulnerability_occurrence_identifiers", "vulnerability_identifiers", column: "identifier_id", on_delete: :cascade
add_foreign_key "vulnerability_occurrence_identifiers", "vulnerability_occurrences", column: "occurrence_id", on_delete: :cascade add_foreign_key "vulnerability_occurrence_identifiers", "vulnerability_occurrences", column: "occurrence_id", on_delete: :cascade
......
...@@ -69,6 +69,7 @@ class Projects::VulnerabilityFeedbackController < Projects::ApplicationControlle ...@@ -69,6 +69,7 @@ class Projects::VulnerabilityFeedbackController < Projects::ApplicationControlle
feedback_type feedback_type
pipeline_id pipeline_id
project_fingerprint project_fingerprint
comment
] + [ ] + [
vulnerability_data: vulnerability_data_params_attributes vulnerability_data: vulnerability_data_params_attributes
] ]
......
...@@ -5,11 +5,13 @@ module Vulnerabilities ...@@ -5,11 +5,13 @@ module Vulnerabilities
self.table_name = 'vulnerability_feedback' self.table_name = 'vulnerability_feedback'
belongs_to :project belongs_to :project
belongs_to :author, class_name: "User" belongs_to :author, class_name: 'User'
belongs_to :issue belongs_to :issue
belongs_to :merge_request belongs_to :merge_request
belongs_to :pipeline, class_name: 'Ci::Pipeline', foreign_key: :pipeline_id belongs_to :pipeline, class_name: 'Ci::Pipeline', foreign_key: :pipeline_id
belongs_to :comment_author, class_name: 'User'
attr_accessor :vulnerability_data attr_accessor :vulnerability_data
enum feedback_type: { dismissal: 0, issue: 1, merge_request: 2 } enum feedback_type: { dismissal: 0, issue: 1, merge_request: 2 }
...@@ -17,6 +19,7 @@ module Vulnerabilities ...@@ -17,6 +19,7 @@ module Vulnerabilities
validates :project, presence: true validates :project, presence: true
validates :author, presence: true validates :author, presence: true
validates :comment_timestamp, :comment_author, presence: true, if: :comment?
validates :issue, presence: true, if: :issue? validates :issue, presence: true, if: :issue?
validates :merge_request, presence: true, if: :merge_request? validates :merge_request, presence: true, if: :merge_request?
validates :vulnerability_data, presence: true, unless: :dismissal? validates :vulnerability_data, presence: true, unless: :dismissal?
...@@ -24,10 +27,10 @@ module Vulnerabilities ...@@ -24,10 +27,10 @@ module Vulnerabilities
validates :category, presence: true validates :category, presence: true
validates :project_fingerprint, presence: true, uniqueness: { scope: [:project_id, :category, :feedback_type] } validates :project_fingerprint, presence: true, uniqueness: { scope: [:project_id, :category, :feedback_type] }
scope :with_associations, -> { includes(:pipeline, :issue, :merge_request, :author) } scope :with_associations, -> { includes(:pipeline, :issue, :merge_request, :author, :comment_author) }
scope :all_preloaded, -> do scope :all_preloaded, -> do
preload(:author, :project, :issue, :merge_request, :pipeline) preload(:author, :comment_author, :project, :issue, :merge_request, :pipeline)
end end
def self.find_or_init_for(feedback_params) def self.find_or_init_for(feedback_params)
......
...@@ -8,6 +8,12 @@ class Vulnerabilities::FeedbackEntity < Grape::Entity ...@@ -8,6 +8,12 @@ class Vulnerabilities::FeedbackEntity < Grape::Entity
expose :created_at expose :created_at
expose :project_id expose :project_id
expose :author, using: UserEntity expose :author, using: UserEntity
expose :comment_details, if: -> (feedback, _) { feedback.comment.present? } do
expose :comment
expose :comment_timestamp
expose :comment_author, using: UserEntity
end
expose :pipeline, if: -> (feedback, _) { feedback.pipeline.present? } do expose :pipeline, if: -> (feedback, _) { feedback.pipeline.present? } do
expose :id do |feedback| expose :id do |feedback|
feedback.pipeline.id feedback.pipeline.id
......
...@@ -3,8 +3,7 @@ ...@@ -3,8 +3,7 @@
module VulnerabilityFeedbackModule module VulnerabilityFeedbackModule
class CreateService < ::BaseService class CreateService < ::BaseService
def execute def execute
vulnerability_feedback = @project.vulnerability_feedback.find_or_init_for(@params) vulnerability_feedback = @project.vulnerability_feedback.find_or_init_for(create_params)
vulnerability_feedback.author = @current_user
if vulnerability_feedback.issue? && if vulnerability_feedback.issue? &&
!vulnerability_feedback.vulnerability_data.blank? !vulnerability_feedback.vulnerability_data.blank?
...@@ -33,6 +32,20 @@ module VulnerabilityFeedbackModule ...@@ -33,6 +32,20 @@ module VulnerabilityFeedbackModule
private private
def create_params
@params[:author] = @current_user
@params.merge(comment_params)
end
def comment_params
return {} unless @params[:comment].present?
{
comment_author: @current_user,
comment_timestamp: Time.zone.now
}
end
def success(vulnerability_feedback) def success(vulnerability_feedback)
super().merge(vulnerability_feedback: vulnerability_feedback) super().merge(vulnerability_feedback: vulnerability_feedback)
end end
......
# frozen_string_literal: true
class AddCommentToVulnerabilityFeedback < ActiveRecord::Migration[5.1]
DOWNTIME = false
def up
add_column :vulnerability_feedback, :comment_author_id, :integer
add_column :vulnerability_feedback, :comment, :text
add_column :vulnerability_feedback, :comment_timestamp, :datetime_with_timezone
end
def down
remove_column :vulnerability_feedback, :comment_author_id
remove_column :vulnerability_feedback, :comment
remove_column :vulnerability_feedback, :comment_timestamp
end
end
# frozen_string_literal: true
class AddForeignKeyFromVulnerabilityFeedbackToUsers < ActiveRecord::Migration[5.1]
include Gitlab::Database::MigrationHelpers
DOWNTIME = false
disable_ddl_transaction!
def up
add_concurrent_foreign_key :vulnerability_feedback, :users, column: :comment_author_id, on_delete: :nullify
add_concurrent_index :vulnerability_feedback, :comment_author_id
end
def down
remove_foreign_key :vulnerability_feedback, column: :comment_author_id
remove_concurrent_index :vulnerability_feedback, :comment_author_id
end
end
...@@ -85,6 +85,7 @@ describe Projects::VulnerabilityFeedbackController do ...@@ -85,6 +85,7 @@ describe Projects::VulnerabilityFeedbackController do
let(:create_params) do let(:create_params) do
{ {
feedback_type: 'dismissal', pipeline_id: pipeline.id, category: 'sast', feedback_type: 'dismissal', pipeline_id: pipeline.id, category: 'sast',
comment: 'a dismissal comment',
project_fingerprint: '418291a26024a1445b23fe64de9380cdcdfd1fa8', project_fingerprint: '418291a26024a1445b23fe64de9380cdcdfd1fa8',
vulnerability_data: { vulnerability_data: {
category: 'sast', category: 'sast',
......
...@@ -20,6 +20,12 @@ FactoryBot.define do ...@@ -20,6 +20,12 @@ FactoryBot.define do
feedback_type 'dismissal' feedback_type 'dismissal'
end end
trait :comment do
comment 'a dismissal comment'
comment_timestamp { Time.zone.now }
comment_author { author }
end
trait :issue do trait :issue do
feedback_type 'issue' feedback_type 'issue'
issue { create(:issue, project: project) } issue { create(:issue, project: project) }
......
...@@ -13,6 +13,11 @@ ...@@ -13,6 +13,11 @@
"created_at": { "type": "date" }, "created_at": { "type": "date" },
"project_id": { "type": "integer" }, "project_id": { "type": "integer" },
"author": { "$ref": "../../../../../spec/fixtures/api/schemas/entities/user.json" }, "author": { "$ref": "../../../../../spec/fixtures/api/schemas/entities/user.json" },
"comment_details": {
"comment": { "type": ["string", "null"] },
"comment_author": { "$ref": "../../../../../spec/fixtures/api/schemas/entities/user.json" },
"comment_timestamp": { "type": ["timestamp", "null"] }
},
"pipeline": { "pipeline": {
"id": { "type": ["integer", "null"] }, "id": { "type": ["integer", "null"] },
"path": { "type": ["string", "null"] } "path": { "type": ["string", "null"] }
......
...@@ -9,6 +9,7 @@ describe Vulnerabilities::Feedback do ...@@ -9,6 +9,7 @@ describe Vulnerabilities::Feedback do
describe 'associations' do describe 'associations' do
it { is_expected.to belong_to(:project) } it { is_expected.to belong_to(:project) }
it { is_expected.to belong_to(:author).class_name('User') } it { is_expected.to belong_to(:author).class_name('User') }
it { is_expected.to belong_to(:comment_author).class_name('User') }
it { is_expected.to belong_to(:issue) } it { is_expected.to belong_to(:issue) }
it { is_expected.to belong_to(:merge_request) } it { is_expected.to belong_to(:merge_request) }
it { is_expected.to belong_to(:pipeline).class_name('Ci::Pipeline').with_foreign_key('pipeline_id') } it { is_expected.to belong_to(:pipeline).class_name('Ci::Pipeline').with_foreign_key('pipeline_id') }
...@@ -20,6 +21,18 @@ describe Vulnerabilities::Feedback do ...@@ -20,6 +21,18 @@ describe Vulnerabilities::Feedback do
it { is_expected.to validate_presence_of(:feedback_type) } it { is_expected.to validate_presence_of(:feedback_type) }
it { is_expected.to validate_presence_of(:category) } it { is_expected.to validate_presence_of(:category) }
it { is_expected.to validate_presence_of(:project_fingerprint) } it { is_expected.to validate_presence_of(:project_fingerprint) }
context 'comment is set' do
let(:feedback) { build(:vulnerability_feedback, comment: 'a comment' ) }
it 'validates presence of comment_timestamp' do
expect(feedback).to validate_presence_of(:comment_timestamp)
end
it 'validates presence of comment_author' do
expect(feedback).to validate_presence_of(:comment_author)
end
end
end end
describe '#find_or_init_for' do describe '#find_or_init_for' do
...@@ -32,6 +45,7 @@ describe Vulnerabilities::Feedback do ...@@ -32,6 +45,7 @@ describe Vulnerabilities::Feedback do
{ {
feedback_type: 'dismissal', pipeline_id: pipeline.id, category: 'sast', feedback_type: 'dismissal', pipeline_id: pipeline.id, category: 'sast',
project_fingerprint: '418291a26024a1445b23fe64de9380cdcdfd1fa8', project_fingerprint: '418291a26024a1445b23fe64de9380cdcdfd1fa8',
author: user,
vulnerability_data: { vulnerability_data: {
category: 'sast', category: 'sast',
priority: 'Low', line: '41', priority: 'Low', line: '41',
...@@ -48,7 +62,6 @@ describe Vulnerabilities::Feedback do ...@@ -48,7 +62,6 @@ describe Vulnerabilities::Feedback do
subject(:feedback) { described_class.find_or_init_for(feedback_params) } subject(:feedback) { described_class.find_or_init_for(feedback_params) }
before do before do
feedback.author = user
feedback.project = project feedback.project = project
end end
...@@ -67,7 +80,6 @@ describe Vulnerabilities::Feedback do ...@@ -67,7 +80,6 @@ describe Vulnerabilities::Feedback do
context 'when attempting to save duplicate' do context 'when attempting to save duplicate' do
it 'raises ActiveRecord::RecordInvalid' do it 'raises ActiveRecord::RecordInvalid' do
duplicate = described_class.find_or_init_for(feedback_params) duplicate = described_class.find_or_init_for(feedback_params)
duplicate.author = user
duplicate.project = project duplicate.project = project
feedback.save! feedback.save!
......
...@@ -13,6 +13,26 @@ describe Vulnerabilities::FeedbackEntity do ...@@ -13,6 +13,26 @@ describe Vulnerabilities::FeedbackEntity do
it { is_expected.to include(:created_at, :project_id, :author, :category, :feedback_type) } it { is_expected.to include(:created_at, :project_id, :author, :category, :feedback_type) }
end end
context 'when comment is not present' do
subject { entity.as_json }
it { is_expected.not_to include(:comment_details) }
end
context 'when comment is present' do
let(:feedback) { build(:vulnerability_feedback, :comment) }
let(:entity) { described_class.represent(feedback) }
subject { entity.as_json }
it 'exposes comment information' do
expect(subject).to include(:comment_details)
expect(subject[:comment_details]).to include(:comment)
expect(subject[:comment_details]).to include(:comment_timestamp)
expect(subject[:comment_details]).to include(:comment_author)
end
end
context 'when issue is present' do context 'when issue is present' do
let(:feedback) { build(:vulnerability_feedback, :issue ) } let(:feedback) { build(:vulnerability_feedback, :issue ) }
let(:entity) { described_class.represent(feedback) } let(:entity) { described_class.represent(feedback) }
......
...@@ -15,6 +15,7 @@ describe VulnerabilityFeedbackModule::CreateService, '#execute' do ...@@ -15,6 +15,7 @@ describe VulnerabilityFeedbackModule::CreateService, '#execute' do
{ {
feedback_type: 'dismissal', pipeline_id: pipeline.id, category: 'sast', feedback_type: 'dismissal', pipeline_id: pipeline.id, category: 'sast',
project_fingerprint: '418291a26024a1445b23fe64de9380cdcdfd1fa8', project_fingerprint: '418291a26024a1445b23fe64de9380cdcdfd1fa8',
comment: 'a dismissal comment',
vulnerability_data: { vulnerability_data: {
category: 'sast', category: 'sast',
priority: 'Low', line: '41', priority: 'Low', line: '41',
...@@ -46,6 +47,30 @@ describe VulnerabilityFeedbackModule::CreateService, '#execute' do ...@@ -46,6 +47,30 @@ describe VulnerabilityFeedbackModule::CreateService, '#execute' do
expect(feedback.merge_request?).to eq(false) expect(feedback.merge_request?).to eq(false)
expect(feedback.merge_request).to be_nil expect(feedback.merge_request).to be_nil
end end
context 'when feedback params has a comment' do
it 'sets the comment attributes' do
feedback = result[:vulnerability_feedback]
expect(feedback.comment).to eq('a dismissal comment')
expect(feedback.comment_author).to eq(user)
expect(feedback.comment_timestamp).not_to be_nil
end
end
context 'when feedback params does not have a comment' do
before do
feedback_params[:comment] = nil
end
it 'does not set comment attributes' do
feedback = result[:vulnerability_feedback]
expect(feedback.comment).to be_nil
expect(feedback.comment_author).to be_nil
expect(feedback.comment_timestamp).to be_nil
end
end
end end
context 'when feedback_type is issue' do context 'when feedback_type is issue' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment