Expose generic vulnerability finding details

23c8ed48 · Cameron Swords · Stan Hu · 7676c7eb · 23c8ed48 · 23c8ed48
Commit 23c8ed48 authored Mar 16, 2021 by Cameron Swords Committed by Stan Hu Mar 16, 2021
7 changed files
--- a/doc/api/vulnerability_findings.md
+++ b/doc/api/vulnerability_findings.md
@@ -131,6 +131,18 @@ Example response:
        "version": "1.5.0"
      }
    },
+    "details": {
+      "custom_field": {
+        "name": "URLs",
+        "type": "list",
+        "items": [
+          {
+            "type": "url",
+            "href": "http://site.com/page/1"
+          }
+        ]
+      }
+    },
    "solution": "Upgrade to fixed version.\r\n",
    "blob_path": "/tests/yarn-remediation-test/blob/cc6c4a0778460455ae5d16ca7025ca9ca1ca75ac/yarn.lock"
  }

--- a/ee/app/helpers/vulnerabilities_helper.rb
+++ b/ee/app/helpers/vulnerabilities_helper.rb
 # frozen_string_literal: true

 module VulnerabilitiesHelper
-  FINDING_FIELDS = %i[metadata identifiers name issue_feedback merge_request_feedback project project_fingerprint scanner uuid].freeze
+  FINDING_FIELDS = %i[metadata identifiers name issue_feedback merge_request_feedback project project_fingerprint scanner uuid details].freeze

  def vulnerability_details_json(vulnerability, pipeline)
    vulnerability_details(vulnerability, pipeline).to_json

--- a/ee/app/serializers/vulnerabilities/finding_entity.rb
+++ b/ee/app/serializers/vulnerabilities/finding_entity.rb
@@ -41,6 +41,7 @@ class Vulnerabilities::FindingEntity < Grape::Entity
    expose(:assets) { |model, _| model.assets }
  end

+  expose :details
  expose :state
  expose :scan


--- a/ee/changelogs/unreleased/expose-vulnerability-generic-details.yml
+++ b/ee/changelogs/unreleased/expose-vulnerability-generic-details.yml
+---
+title: Return generic vulnerability details in the response of the vulnerability_finding
+  endpoint
+merge_request: 56448
+author:
+type: changed
--- a/ee/spec/factories/vulnerabilities/findings.rb
+++ b/ee/spec/factories/vulnerabilities/findings.rb
@@ -59,6 +59,17 @@ FactoryBot.define do
    confidence { :medium }
    scanner factory: :vulnerabilities_scanner
    metadata_version { 'sast:1.0' }
+
+    details do
+      {
+        url: {
+          name: 'URL',
+          type: 'url',
+          href: 'http://site.com'
+        }
+      }
+    end
+
    raw_metadata do
      {
        description: 'The cipher does not provide data integrity update 1',

--- a/ee/spec/helpers/vulnerabilities_helper_spec.rb
+++ b/ee/spec/helpers/vulnerabilities_helper_spec.rb
@@ -39,10 +39,11 @@ RSpec.describe VulnerabilitiesHelper do
                    :project,
                    :remediations,
                    :solution,
-                    :uuid)
+                    :uuid,
+                    :details)
    end

-    let(:desired_serializer_fields) { %i[metadata identifiers name issue_feedback merge_request_feedback project project_fingerprint scanner uuid] }
+    let(:desired_serializer_fields) { %i[metadata identifiers name issue_feedback merge_request_feedback project project_fingerprint scanner uuid details] }

    before do
      vulnerability_serializer_stub = instance_double("VulnerabilitySerializer")
@@ -268,7 +269,8 @@ RSpec.describe VulnerabilitiesHelper do
        evidence_source: anything,
        assets: kind_of(Array),
        supporting_messages: kind_of(Array),
-        uuid: kind_of(String)
+        uuid: kind_of(String),
+        details: kind_of(Hash)
      )

      expect(subject[:location]['blob_path']).to match(kind_of(String))

--- a/ee/spec/serializers/vulnerabilities/finding_entity_spec.rb
+++ b/ee/spec/serializers/vulnerabilities/finding_entity_spec.rb
@@ -60,6 +60,7 @@ RSpec.describe Vulnerabilities::FindingEntity do
      expect(subject).to include(:scan)
      expect(subject).to include(:assets, :evidence_source, :supporting_messages)
      expect(subject).to include(:uuid)
+      expect(subject).to include(:details)
    end

    context 'when not allowed to admin vulnerability feedback' do